Concepedia

Publication | Closed Access

A Probabilistic Analysis of Cyber Risks

Citations: 16

References: 30

Year: 2021

Abstract

Cyber risk affects all organizations. Cyber risk management has generally been based on the heuristics and the availability of protective tools, such as firewalls and passwords. Only recently have there been quantitative analyses of these tools’ costs and benefits. This article presents a probabilistic method based on the existing data in an organization and on their extension to assess the probabilities of new attack scenarios. The objective is to set priorities among risk management measures and to optimize the allocation of limited resources. The model is illustrated first by a statistical analysis of 60 000 incidents, such as lost or stolen laptops, over six years in a specific organization. This analysis is then expanded to the probabilistic domain to cover threats that have not occurred yet. This requires a systematic construction of new attack scenarios and an assessment both of their probability of success and of subsequent losses. The conjunction of statistics and probabilities of more extreme scenarios yields full risk curves. These curves represent the overall cyber risk for the organization and its insurers and enable assessment of the benefits of a spectrum of protective options.
