
David Meese at Resilience outlines the different ways that organisations can establish and communicate risk tolerance
According to the Government’s recent Cyber Security Breaches Survey 2024, half of businesses report having experienced some form of cyber-attack or breach in the last 12 months. As a result, businesses are now undertaking more cyber-security risk assessments, with a third of businesses deploying security monitoring tools. Establishing cyber-risk tolerance is one of the fundamental elements of implementing a successful cyber-resilience strategy.
Companies need to use data-driven insights to establish their cyber-risk tolerance and guide their risk management strategies. This enables them to assess the degree to which their business is protected against a hack and is fundamental for companies to quantify how much cyber-risk they can absorb. In business terms, this means assessing the potential financial losses from a cyber-attack that firms can take while maintaining daily operations.
Quantifying cyber-risk financially helps determine the appropriate level of investment in security controls, as well as more effectively developing comprehensive risk management strategies, including resource allocation, prioritisation, and response planning.
Quantifying cyber-risk ensures that organisations can align their cyber-resilience efforts with overall business objectives and that those efforts are communicated effectively across all levels of leadership. This allows businesses to build a cyber-defence budget that can be justified even if the worst happens and the risk is realised.
Cyber-risk tolerance helps organisations to delineate the boundaries within which they are comfortable operating concerning cyber-security risks. Modelling actuarial data and claims data can be helpful for companies to assess their value at risk and establish explicit tolerance levels.
A firm’s value at risk, or maximum plausible loss, serves as the starting point in determining risk tolerance and appetite. It represents the maximum loss a company is willing to accept and plan for, balancing the probability of occurrence with the overall impact. This concept is crucial in guiding decisions on investments in cyber-security controls and insurance coverage.
Once value at risk is established, organisations can work to determine the threshold beyond which risks become untenable. This quantification can take the form of specific numerical values, such as the maximum allowable loss or the frequency of security incidents. For this task, many organisations leverage risk assessment methodologies, such as Bayesian Network modelling and expert elicitation.
By setting explicit tolerance levels with objective metrics, organisations can assess their exposure to cyber-risks more accurately and make data-driven decisions regarding risk management strategies without compromising their overarching objectives.
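The two steps above, estimating a maximum plausible loss and then testing it against an explicit tolerance threshold, can be illustrated with a small simulation. The following is an added example, not code from the article or from Resilience's own platform. It assumes a simple loss model: the number of material incidents in a year follows a Poisson distribution, the loss per incident follows a lognormal distribution fitted from an expert's 90% confidence interval (a common form of expert elicitation), and the resulting annual loss distribution is read off for value at risk at 95% and 99% and for the probability of breaching the board's tolerance figure. All input figures are constructed for illustration.

```python
"""Monte Carlo cyber-loss model: annual loss exposure, value at risk and the
probability of breaching a stated tolerance threshold.

Added example, not the article's or Resilience's model. Assumptions: incident
frequency ~ Poisson(lam); per-incident severity ~ lognormal fitted from an
expert's 90% confidence interval; all numeric inputs are constructed.
"""
import math
import random


def severity_params_from_interval(low: float, high: float) -> tuple[float, float]:
    """Convert an expert's 90% confidence interval for loss per incident into
    lognormal (mu, sigma). 1.645 is the z-score of the 95th percentile, so
    [low, high] spans the central 90% of the fitted distribution."""
    if not 0 < low < high:
        raise ValueError("interval must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual incident rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam: float, mu: float, sigma: float,
                           years: int = 20000, seed: int = 7) -> list[float]:
    """One simulated year = sum of losses from a Poisson number of incidents."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        incidents = _poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Empirical VaR (nearest-rank): the loss not exceeded in `confidence` of years."""
    if not losses:
        raise ValueError("no simulated losses")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be in (0, 1)")
    ordered = sorted(losses)
    idx = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def probability_of_exceeding(losses: list[float], threshold: float) -> float:
    """Share of simulated years whose total loss breaches the tolerance figure."""
    if not losses:
        raise ValueError("no simulated losses")
    return sum(1 for x in losses if x > threshold) / len(losses)


def tolerance_report(lam: float, low: float, high: float, tolerance: float,
                     years: int = 20000, seed: int = 7) -> dict:
    """Metrics a risk owner would compare against an explicit tolerance level."""
    mu, sigma = severity_params_from_interval(low, high)
    losses = simulate_annual_losses(lam, mu, sigma, years, seed)
    var_95 = value_at_risk(losses, 0.95)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var_95": var_95,
        "var_99": value_at_risk(losses, 0.99),
        "p_exceed_tolerance": probability_of_exceeding(losses, tolerance),
        "within_tolerance_at_95": var_95 <= tolerance,
    }


if __name__ == "__main__":
    # Constructed inputs: ~0.4 material incidents per year, expert 90% interval
    # of 50k to 2m per incident, and a board tolerance of 1.5m in any one year.
    report = tolerance_report(lam=0.4, low=50_000, high=2_000_000,
                              tolerance=1_500_000)
    for key, value in report.items():
        print(f"{key:>24}: {value:,.0f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

The `p_exceed_tolerance` figure is the one that feeds the decision the article describes: if the modelled chance of breaching the threshold is higher than leadership will accept, the options are more control spend (which lowers `lam` or the severity interval) or transferring the residual exposure through insurance.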
Once risk tolerance has been accurately established through quantitative metrics, organisations must translate it into financial terms.
To ensure a shared cyber-security objective across the firm, collaboration across the C-suite is vital. CISOs must speak the language of financial leaders, such as CFOs, to communicate security objectives in a business framework, translating cyber-security risk appetite and tolerance into everyday business terms.
By doing so, decision-makers can better understand the financial ramifications of cyber-attacks and ensure a collaborative approach across the entire organisation. This empowers C-suite leaders to make more informed decisions about their risk mitigation strategies.
However, translating cyber-risk into business terms isn’t without its challenges. Many organisations struggle with the concept that cyber-risk is business risk, viewing it as an insurmountable task requiring extensive data and sophisticated models. Instead, the issue is a reliance on qualitative assessments of risk, which do not help define cyber-risk in quantitative, business terms.
A comprehensive tool that accurately understands and addresses these pain points makes a huge difference in simplifying this task. For instance, the Resilience Solution translates and transfers cyber-risk through risk quantification software, integrated simulations and modelling, as well as providing cyber-insurance to ensure businesses can manage their cyber-risk.
Such solutions offer an easier, more effective way for businesses to look at cyber-risk, validated through insurance underwriting. Their business value lies in breaking cyber-risk down into terms that the financial leaders who oversee cyber-insurance and security spend in enterprises today can understand.
Proactive measures are imperative to mitigate risk and safeguard organisations’ assets. Thorough risk assessments enable firms to understand the probability of losses when exceeding tolerance limits and help them make more informed decisions regarding risk mitigation strategies, whether through diversification of supply chains or the implementation of robust security protocols.
Strengthening their defences helps minimise the likelihood of breaches and mitigate the potential impact of cyber-incidents, which often happen without much warning.
However, what happens when a business does approach its tolerance limits, despite investing in capabilities to detect risks as soon as possible? Having made itself as cyber-resilient as its budget allows, it must accept that the probability of material losses still remains.
Given this, organisations may opt to transfer this cyber-risk through insurance policies, thereby mitigating their financial exposure. It is critical to ensure that insurance coverage aligns with the organisation’s risk appetite and tolerance levels while offering adequate protection against probable losses.
Cyber-attacks are only likely to increase, and businesses need to act to not only counter these attacks but also have a clear action plan to minimise damage and enhance their cyber-resilience.
Ultimately, understanding cyber-risk tolerance enables these organisations to navigate the evolving cyber-security landscape confidently and clearly and ensure the continuity of their operations in a world increasingly under threat.
David Meese is Director of Security and Risk Services at Resilience