A practical road map for assessing cyber risk

Authors: Zeinab Amin

Affiliation: Department of Mathematics and Actuarial Science, The American University in Cairo, New Cairo, Egypt

Abstract: The increase in interconnectivity and developments in technology have caused cyber security to become a universal concern. This paper highlights the dangers of the evolution of cyber risk, the challenges of quantifying the impact of cyber-attacks and the feasibility of the traditional actuarial methodologies for quantifying cyber losses. In this paper, we present a practical roadmap for assessing cyber risk, a roadmap that emphasizes the importance of developing a company and culture-specific risk and resilience model. We develop a structure for a Bayesian network to model the financial loss as a function of the key drivers of risk and resilience. We use qualitative scorecard assessment to determine the level of cyber risk exposure and evaluate the effectiveness of resilience efforts in the organization. We highlight the importance of capitalizing on the knowledge of experts within the organization and discuss methods for aggregating multiple assessments. From an enterprise risk management perspective, impact on value should be the primary concern of managers. This paper uses a value-centric/reputational approach to risk management rather than a regulatory/capital-centric approach to risk.

Keywords: Aggregation; Bayesian network; cyber risk; loss distribution approach; resilience; risk management; scorecards