Cyber threats are distinct from other business risks, given the speed and widespread nature of their impact, as well as the sheer variety of objectives and modes of attack. Also, considering the rising profile of cyber-attacks, cyber security is no longer perceived as just another technology challenge but is now acknowledged as one of the top five business threats for most enterprises.
As per the Forum’s estimates, if the sophistication of attacks keeps ahead of defensive capabilities, the resultant new cyber regulations and restrictive policies could hurt innovation by approximately USD 3 trillion by 2020. Consequently, business leaders and policy makers have highlighted the need for a framework that would aid them in making better cyber security decisions.
The Cyber Value-At-Risk (VAR) framework, developed by Wipro and the Forum’s Partnership for Cyber Resilience, allows organizations to develop a better appreciation of their threat landscape, the nature of assets that need protection and the quality of their defenses. Cyber risk quantification allows business leaders to apply standard risk management principles to make decisions around mitigating, transferring and managing residual risk. While this framework can be applied across all industries, it has specific relevance to sectors that involve sensitive personal data, such as financial services, healthcare and retail, and to those involving critical national infrastructure, including the transportation and energy sectors.
The value-at-risk model (VAR) aims to articulate the aggregate level of risk faced due to cyber threats over a given duration of time and at a particular level of exposure. This framework is modelled on more established risk evaluation models in the financial sector and aims to quantify the complexity of the technology landscape and threats through a standardized risk language. Through this framework, an organization can reliably determine and predict the VAR threshold of its cyber exposure. This allows it to determine whether it makes more business sense to transfer the risk to an insurance company, take remedial actions to reduce this VAR, or manage the exposure as part of standard business risks.
Elena Kvochko, Manager, Information Technology Industry, Partnering for Cyber Resilience, World Economic Forum, who has worked on the project and the report with Wipro, said, “A shared industry framework for cyber risk quantification and measurement will help boost the confidence in and buy-in for organizations’ investments towards cyber risk management. More broadly, the framework can help develop more effective risk transfer markets. The cyber value-at-risk concept, that we have worked on with Wipro and other members of the ‘Partnering for Cyber Resilience’ initiative, suggests that organizations actively consider aspects such as value of their assets, profile of attackers, and the existing security posture, as they build their cyber risk models.”
Commenting on the framework, R Guha, Head, Corporate Business Development, Wipro Limited, said, “Our customers are increasingly concerned about the rising sophistication of cyber-attacks and extent of reputational and business risks. Through this framework, we have been able to help our customers quantify their threats, prioritize business assets and assist them in directing their investments towards better risk mitigation.”