When calculating potential losses from cyber risk, statistical data is just as important as its interpretation. Kaspersky experts comment on a contribution from the Black Hat 2020 conference.
Nobody wants to spend millions to protect a company if the actual damage in the event of an incident would not exceed several thousands. Just as nonsensical are cost savings by saving on every corner when the potential damage from a data leak could amount to hundreds of thousands. But what information should be used to calculate the approximate damage a company would suffer from a cyber incident? And how do you estimate the actual probability of such an incident? At the Black Hat 2020 conference, two researchers, Professor Wade Baker of Virginia Tech and David Seversky, a senior analyst with the Cyentia Institute, presented their views on risk assessment. Your arguments are well worth a closer look.
Any high quality cybersecurity course teaches that risk assessment depends on two main factors: the likelihood of an incident and its potential loss. But where does this data come from and, more importantly, how should it be interpreted? Finally, the estimation of possible losses leads to incorrect conclusions which in turn result in non-optimized protection strategies.
Is the arithmetic mean a useful indicator?
Many companies are conducting studies of potential financial losses due to data breaches. Their “main results” are usually averages of losses for companies of comparable size. The result is mathematically valid and the number can work great in catchy headlines, but can it really be relied on when calculating risk?
If you graph the same data (total losses along the horizontal axis; number of incidents along the vertical axis), it becomes clear that the arithmetic mean is not the correct indicator. In 90% of the incidents, the average losses are below the arithmetic mean.
Loss assessment using various indicators
When talking about the losses that the average company can suffer, then it makes more sense to look at other indicators, in particular the median (the number that divides the sample into two equal parts, so that half of the reported numbers are higher and the Half is lower) and the geometric mean (a proportional average). Most companies suffer just such losses. The arithmetic mean can be a very confusing number due to a small number of incidents with unusually high losses.
Distribution of data breach losses. Source: cyentia.com study “Information Risk Insights Study – IRIS 2020”
Average cost of a data breach
Another example of a questionable “average” results from the method for calculating data breach losses, in which the number of data records affected is multiplied by the average amount of damage resulting from the loss of a data record. Practice has shown that this method underestimates the losses of small incidents and greatly overestimates the losses of large incidents.
An example: Some time ago, a message surfaced on many analytics sites claiming that misconfigured cloud services cost companies nearly $ 5 trillion. If you research where this astronomical amount came from, it becomes clear that the $ 5 trillion figure came from simply multiplying the number of "leaked" records by the average damage from losing a record ($ 150). The latter number comes from the 2019 Ponemon Institute study of the cost of a data breach.
Arithmetic means do not always give clear information about the losses
The story should be viewed with some caveats, however. First of all, the study did not consider all incidents. Second, the arithmetic mean does not give a clear indication of the losses, even if one only looks at the sample used. Only cases were considered, the loss of which would cause less than $ 10.000 and more than 1 cent in damage. In addition, it is clear from the study's methodology that the mean is not valid for incidents involving more than 100.000 records. Therefore, it was fundamentally wrong to multiply the total number of records leaked due to misconfigured cloud services by 150.
If this method is to lead to a real risk assessment, it must include another indicator of the likelihood of losses depending on the extent of the incident.
The domino effect
Another factor that is often overlooked when calculating the damage of an incident is the chain reaction of such modern data breaches, which affects more than just a single company. In many cases, the total damage caused by third party companies (partners, contractors, and suppliers) exceeds the damage to the company from which the data leaked.
The number of such incidents increases from year to year, as the general trend towards "digitization" increases the degree of interdependence of business processes in different companies. According to the results of the study carried out by RiskRecon and Cyentia, 813 incidents of this type caused losses in 5.437 organizations and companies. This means that for every company that has suffered a data breach, an average of more than four companies are affected by the incident.
Practical tips
In summary, sensible experts who assess cyber risks should heed the following advice:
- Don't trust flashy headlines. While many websites contain certain information, they are not necessarily accurate. Always look to the source supporting the claim and analyze the researchers' methodology yourself.
- Only use research that you can understand in terms of content and that are consistent with your risk assessment.
- Remember that an incident in your company could lead to data breaches for other companies. If a leak arises for which your company is responsible, the other parties will likely take legal action against you, increasing your damage from the incident.
- Do not forget the contrary case either. Data breaches at partners, suppliers and contractors, which you cannot influence in any way, can also leak your data.
More on this in the blog at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/