The added value of quantifying cyber risk

Track: Research
Technical level
Time: 14:20
Everest

Organisations typically perform risk analysis in a qualitative way. There is, however, great untapped potential in the insights gained from quantifying cyber risk, so why is it not common yet? It has proven challenging to estimate cyber risks and to assess the damage that incidents subsequently inflict on business processes. Despite the lack of data about the impact of cybersecurity incidents, TNO developed a framework that organisations can use to start quantifying their cyber risk. It contains a structured approach to gather (a) information about the impact on processes, (b) data about threats and (c) company-specific measures. Organisations using the framework can calculate the probability of a cyber threat with a Bayesian Belief Network (BBN). The model, developed by TNO, consists of interconnected nodes and assets. The framework was tested with three operators of essential services in the Netherlands. Combining qualitative and quantitative cyber risk analysis improves the understanding of cybersecurity measures and their effect, such as off-the-shelf tooling, network segmentation and contingency plans.
