The World Economic Forum (WEF) proposed framework can be said to be a move in the right direction, albeit it stops short of being readily implementable.
After having a good look at the framework, here are some findings/observations:
1. The framework speaks of cyberrisk measurement akin to a financial risk measurement concept called 'Value at Risk' or VaR. It may take some time for someone not used to financial risk management to grasp the concept of VaR - essentially it’s about probability of a specific amount of loss in a specifictimeframe.
2. But the report clarifies that it does not specify how to compute cyber risk; it says “It is important to note that in this report we specify properties that VaR should have, but not specifically how to compute it.”
3. So essentially, it refers to these three Components of Cyber VaR, but leaves the computation of cyber risk to individual enterprises:
(a) Vulnerabilities: Vulnerabilities in existing systems, effectiveness of patching them, and successful incidents/breaches that have happened
(b) Assets: Tangible (costs of business interruption, regulatory fees etc.) and intangible assets (costs of lost IP, reputation loss etc.)
(c) Profile of attacker: Type of adversaries (nation-state, hacker, amateur etc.), their level of sophistication, and their tactics/motivation
4. Summary assessment:
(a) The framework is not definitive as regards how exactly we would compute cyber risk from the components. However, it points out to some key areas where each of us responsible for cyber risk management in an enterprise/entity may not have not focussed at all or not made much progress:
(i) Vulnerability management: our vulnerability and patch management efforts should be formalized and standardized, and data from them should be incorporated into a cyber-risk dashboard
(ii) Asset mapping: our understanding of IT assets (applications + related infrastructure) and their business aligned criticality should be comprehensively documented through a business aligned Risk assessment
(iii) Attacker profiling: we should deliberate on the specific types of adversaries who would target us their tactics/motivations and their level of sophistication
5. What I was hoping to find is a linkage of these threee (and perhaps other key aspects such as key business risks, existing effective controls) into a dashboard/score card which could be readily used to measure our respective posture and benchmark ourselves against peers in industry/region etc. The framework stops short of any such attempts; but I can understand the wisdom in that.