In conjunction with its annual meeting this week, the World Economic Forum released a report on its current efforts to develop a common framework to model and quantify the impact and risk of cyber threats.  The report highlights that “even well-guarded [organizations] face the threat of a cyberattack.”

The report embraces the value-at-risk mathematical function that is widely used by the financial services sector to measure risk in a particular portfolio over a period of time.  The value-at-risk function can be used to express the probability that a cyber event will exceed a threshold financial loss over time (e.g., a successful cyberattack will not cause the company to lose more than X dollars with a 95% accuracy).

The report identifies three value-at-risk components:

  1. Vulnerabilities: the vulnerabilities within an organizations and the mitigating controls that are in place;
  2. Assets: tangible and intangible assets that are under threat; and
  3. Profile of attacker: the type, tactics and motivation of your attackers.

The impact of these variables will vary by industry and based on the maturity of an organization’s security program.  Importantly, the report recognizes that there are number of significant limitations that inhibit organizations from quantifying their cyber risks using this proposed method.  First, there is often a lack of historical data which is needed to more accurately estimate the probability of a successful cyber attack.  While organizations can rely on their own limited experience, there are regulatory and structural impediments that prevent the sharing and compilation of cyber threat information within an organization’s own sector, among different sectors or between the private sector and the government.  Second, there is a dearth of standardized maturity frameworks that would allow an organization to consistently measure the effectiveness of their security controls.

Organizations that are able to quantify these risks will make better decisions about which threats to address, mitigate or defer.  Organizations would also benefit from being able to incorporate these cybersecurity risks into their larger enterprise risk management program and evaluated like other business risks.  As in-house counsel works with their business counterparts to help evaluate, measure and respond to their organization’s cyber threats, it is import to evaluate what steps, including the retention of outside counsel, should be used to help preserve the attorney-client privilege for related work papers and the resulting cyber risk assessment.

A full copy of the World Economic Forum report is available here.