In conjunction with its annual meeting this week, the World Economic Forum released a report
on its current efforts to develop a common framework to model and
quantify the impact and risk of cyber threats. The report highlights
that “even well-guarded [organizations] face the threat of a
cyberattack.”
The report embraces the value-at-risk mathematical function that is widely used by the financial services sector to measure risk in a particular portfolio over a period of time. The value-at-risk function can be used to express the probability that a cyber event will exceed a threshold financial loss over time (e.g., a successful cyberattack will not cause the company to lose more than X dollars, with 95% confidence).
The report identifies three value-at-risk components:
- Vulnerabilities: the vulnerabilities within an organization and the mitigating controls that are in place;
- Assets: tangible and intangible assets that are under threat; and
- Profile of attacker: the type, tactics and motivation of your attackers.
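To make the value-at-risk idea concrete, the following added example (not taken from the report or the original article) estimates a 95% cyber value-at-risk by Monte Carlo simulation from the three components above. The asset values, attack rates, control effectiveness and loss distribution are all constructed assumptions, and the function names are hypothetical.

```python
import math
import random

# Constructed inputs for illustration; none of these figures come from the report.
ASSETS = {"customer_db": 4_000_000, "payment_platform": 2_500_000}  # USD exposed
ATTACKERS = {"opportunistic": 6.0, "targeted": 0.5}  # expected attempts per year


def simulate_annual_losses(control_effectiveness=0.9, trials=20_000, seed=7):
    """Simulate total loss (USD) for each of `trials` independent years."""
    rng = random.Random(seed)
    asset_values = list(ASSETS.values())
    losses = []
    for _ in range(trials):
        total = 0.0
        for attempts_per_year in ATTACKERS.values():
            # Attacker profile: Poisson arrivals, counted as exponential gaps
            # that fit inside one year.
            t = rng.expovariate(attempts_per_year)
            while t < 1.0:
                # Vulnerabilities: an attempt succeeds only if controls miss it.
                if rng.random() > control_effectiveness:
                    # Assets: a success damages a share of one asset's value.
                    total += rng.choice(asset_values) * rng.betavariate(2, 5)
                t += rng.expovariate(attempts_per_year)
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.95):
    """Smallest loss level that `confidence` of the simulated years stay at or below."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[index]


if __name__ == "__main__":
    base = simulate_annual_losses()
    hardened = simulate_annual_losses(control_effectiveness=0.98)
    print(f"95% VaR, current controls:  ${value_at_risk(base):,.0f}")
    print(f"95% VaR, stronger controls: ${value_at_risk(hardened):,.0f}")
```

Comparing the two figures shows how a change in mitigating controls moves the loss threshold, which is the kind of comparison that supports a decision to address, mitigate or defer a threat.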
Organizations that are able to quantify these risks will make better decisions about which threats to address, mitigate or defer. Organizations would also benefit from being able to incorporate these cybersecurity risks into their larger enterprise risk management program and evaluate them like other business risks. As in-house counsel works with their business counterparts to help evaluate, measure and respond to their organization’s cyber threats, it is important to evaluate what steps, including the retention of outside counsel, should be used to help preserve the attorney-client privilege for related work papers and the resulting cyber risk assessment.
http://www.jdsupra.com/legalnews/world-economic-forum-releases-framework-00688/
Report:
http://www3.weforum.org/docs/WEFUSA_QuantificationofCyberThreats_Report2015.pdf