One of the biggest security questions facing companies is, "What is my exposure and what costs will I incur from an attack?" With that information you can easily calculate your potential annual loss, which enables you to:
The CyVaR technology 6-step process was developed to help organizations quantify their monetary Value-at-Risk resulting from cyber threats using a method that is based on mature computational techniques used in the financial industry.
Step 1. Profile & Value Enterprise – Facilitates the creation of an individual profile unique to your business, your networks, and your threats through ingestion of your company financials and cyber infrastructure.
Step 2. Assess Defensive Posture – Measures the defensive posture of applications and/or processes, which enables CyVaR to see where attacks are likely to penetrate and how. Frameworks such as NIST 800-53, ISO 27001 and the Critical Security Controls are used to measure defenses.
Step 3. Simulate Cyber Attacks – CyVaR identifies exposures and meaningful gaps through a combination of known attack sequences that represents, or is a simulation of, an actual attack against an organization's assets.
Step 4. Compute Value-at-Risk – The CyVaR algorithm simulates technical loss on a network due to cyber attacks by running up to one million cyber attack simulations to calculate your potential losses.
Step 5. Simulate Risk Mitigation Options – Once CyVaR finishes calculating Value-at-Risk, it focuses on simulating mitigations to identify options with the greatest impact on reducing risk.
Step 6. Results Reported – Results are analyzed, correlated with financial data, and presented along with mitigation recommendations, giving the business the ability to better manage security investments, manage legal risk, and quantify how much cyber insurance may be needed.
By operationalizing both the asset valuation and the defensive posture (controls) analysis process, CyVaR also sets the stage for continued evaluation of an organization's security investment process. As business requirements, technology infrastructure, control implementations, and the threat climate change, CyVaR can maintain the balance between investment and security risk management.
With CyVaR, every member of your executive team, including members of your Board, is enabled to discuss the reality of cyber risk on a level playing field, giving those who speak in financial terms and those who speak in security terms the ability to understand the true risk to their company's bottom line. CyberPoint's technology translates the cyber risk assessed by the Chief Information Security Officer into the resulting financial risk that the CFO and Board Members need in order to understand the ROI of security investments and identify the best policies and coverage offered by their Insurance Providers to make up the difference. The knowledge gained from CyVaR gives them all the ability to make the right decisions to ultimately secure the value of their business.
"While cybersecurity risk is often considered an intimidating area for directors to address due to its technical nature, it is important to remember that directors are not required to be experts in this area but are entitled to rely on management and outside experts for advice."
– Privacy Advisor, May 2014