October 10, 2023
How quantitative risk management enables proactive resilience in the Public Sector
Laurie Gibbett
CRQ Delivery Manager

Public sector organisations are key to our economy, providing essential services to the population. Given the importance of the sector, they are prime targets for cyber-attacks: data-rich environments, critical infrastructure, political and ideological motivations and interconnected systems all make them attractive. The UK Government's Cyber Security Strategy, focused on building a resilient public sector, highlights the need to proactively manage cyber security risks. The public sector must adapt to technological advances and to the way cyber-attacks are evolving. As the threat landscape grows in sophistication, and there is never a bottomless pit of cyber budget and resources, eliminating all risk is impossible. There are, however, approaches to risk management that better inform our decisions on where to invest for the greatest reduction in risk.


When we make complex decisions about how to mitigate risk, we weigh up the pros and cons of our options, and that weighing is easily influenced by past experience, bias, emotion and other people. Qualitative cyber risk management often involves this kind of subjective thinking, such as plotting scenarios on a risk matrix as high, medium or low, where the thresholds differ depending on who you ask. Qualitative assessments add value because they apply business context, but on their own they create noise when it comes to making decisions. For example, after a cyber maturity assessment there is likely to be a long list of things that could be improved. But how do we identify which actions will truly mitigate risk? This is where quantitative risk management comes into play: complementing subjective views with quantitative data lets us take a more objective view of the decision.

Cyber risk quantification expresses risk in financial terms, which allows the expected reduction in risk exposure from a given investment to be evaluated through cost-benefit analysis. Following a cyber incident there is an immediate set of impacts, such as the interruption of critical business services, leading to negative outcomes for the population; these are the impacts that quantification puts a financial figure on, so that they can be weighed against the cost of preventing or shortening them.


There are various use cases for adopting cyber risk quantification, and when it comes to the UK public sector I believe the following bring the most value to an organisation's cyber risk management capability:

  • Quantify cyber risk exposure at multiple levels, i.e. local, regional and national

Conduct the analysis for individual organisations or departments, then aggregate the results into a central dashboard to get a holistic view across all of them.

  • Inform decision-making on capability focus areas, mapped to NCSC CAF outcomes, and on investment strategies

Use threat modelling to map out the steps and techniques an attacker would take to carry out a cyber threat scenario. Mapping cyber capability areas to each of those techniques shows where defences are strong and where investment is needed.


  • Measure incremental improvements in risk reduction, mapped to NCSC CAF outcomes

A cost-benefit analysis measures the impact of investment decisions on cyber risk exposure. This can be done at an aggregate level, e.g. our £xM total investment delivered £xM in risk reduction. It can also be done at the capability or initiative level, e.g. investing £xM in B2 Identity and Access Control delivered £xM in risk reduction, and our £xM investment in D1 Response and Recovery Planning delivered £xM in risk reduction.
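The three use cases above (exposure at several levels rolled up into one view, controls mapped to CAF outcomes, and a cost-benefit comparison of investments) can be shown end to end with a small Monte Carlo model. The Python below is an added example and is not code from the original post or from any CRQ product; it uses the frequency-times-magnitude approach common in CRQ (Poisson event counts, lognormal per-event loss fitted to a 5th to 95th percentile range). Every organisation, scenario, annual frequency, loss range, control cost and control effect in it (the constants `ORGS` and `CONTROLS`, and the assumed effects of investing in B2 and D1) is a constructed illustrative value, not data from any real body.

```python
"""Monte Carlo cyber risk quantification with controls mapped to CAF outcomes.
Added example, not the original post's code; every figure below is constructed."""
import math, random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    freq_per_year: float   # mean annual event count (Poisson)
    loss_p5: float         # 5th percentile of loss per event, GBP
    loss_p95: float        # 95th percentile of loss per event, GBP
    caf_outcomes: tuple    # CAF outcomes whose controls mitigate this scenario

@dataclass(frozen=True)
class Control:
    caf_outcome: str       # e.g. "B2" (Identity and access control)
    cost: float            # investment, GBP
    freq_reduction: float  # fraction of event frequency removed (0..1)
    loss_reduction: float  # fraction of per-event loss removed (0..1)

@dataclass(frozen=True)
class Org:
    name: str
    level: str             # "local" or "regional"; "national" is the aggregate
    scenarios: tuple

def catalogue(scale):
    """Constructed threat scenarios, with losses scaled to organisation size."""
    return (Scenario("Ransomware disrupting citizen services", 0.3,
                     500_000 * scale, 10_000_000 * scale, ("B2", "D1")),
            Scenario("Breach of citizen records", 0.5,
                     200_000 * scale, 5_000_000 * scale, ("B2",)))

ORGS = (Org("Borough council", "local", catalogue(1.0)),
        Org("County council", "local", catalogue(2.0)),
        Org("Regional health board", "regional", catalogue(3.0)))
# Hypothetical investments; B2 is assumed to cut attack frequency, D1 to cut loss per event.
CONTROLS = (Control("B2", cost=2_000_000, freq_reduction=0.4, loss_reduction=0.0),
            Control("D1", cost=1_000_000, freq_reduction=0.0, loss_reduction=0.5))

def lognormal_params(p5, p95):
    """Lognormal mu and sigma from a 90% confidence interval (5th..95th pct)."""
    return ((math.log(p5) + math.log(p95)) / 2,
            (math.log(p95) - math.log(p5)) / (2 * 1.6448536))  # 1.645 = z at 95%

def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small rates used here."""
    k, p, limit = 0, rng.random(), math.exp(-lam)
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate_org(org, controls, trials=10_000, seed=1):
    """Annual loss samples (one per simulated year) for one organisation."""
    rng = random.Random(f"{seed}:{org.name}")  # reproducible per organisation
    plan = []
    for s in org.scenarios:
        relevant = [c for c in controls if c.caf_outcome in s.caf_outcomes]
        freq = s.freq_per_year * math.prod(1 - c.freq_reduction for c in relevant)
        keep = math.prod(1 - c.loss_reduction for c in relevant)
        plan.append((freq, keep, *lognormal_params(s.loss_p5, s.loss_p95)))
    samples = []
    for _ in range(trials):
        year = 0.0
        for freq, keep, mu, sigma in plan:
            for _ in range(poisson(rng, freq)):
                year += keep * rng.lognormvariate(mu, sigma)
        samples.append(year)
    return samples

def summarise(samples):
    """Annualised loss expectancy and the 95th-percentile annual loss."""
    return {"ale": sum(samples) / len(samples),
            "var95": sorted(samples)[int(0.95 * len(samples))]}

def quantify(orgs, controls, trials=10_000, seed=1):
    """Per-organisation exposure plus the aggregate a central dashboard needs."""
    per_org = {o: simulate_org(o, controls, trials, seed) for o in orgs}
    report = {o.name: {"level": o.level, **summarise(s)} for o, s in per_org.items()}
    # Summing year-by-year keeps a full distribution for var95; aggregate ALE = sum of parts.
    combined = [sum(col) for col in zip(*per_org.values())]
    report["aggregate"] = {"level": "national", **summarise(combined)}
    return report

def cost_benefit(orgs, controls, trials=10_000, seed=1):
    """Risk reduction bought per control (each against no controls) and in total."""
    base = quantify(orgs, (), trials, seed)["aggregate"]["ale"]
    rows = {}
    for label, subset in [(c.caf_outcome, (c,)) for c in controls] + [("all", controls)]:
        residual = quantify(orgs, subset, trials, seed)["aggregate"]["ale"]
        cost = sum(c.cost for c in subset)
        rows[label] = {"cost": cost, "risk_reduction": base - residual,
                       "reduction_per_pound": (base - residual) / cost}
    return rows

if __name__ == "__main__":
    for name, r in quantify(ORGS, CONTROLS).items():
        print(f"{name:22} {r['level']:9} ALE £{r['ale']:,.0f}  95th pct £{r['var95']:,.0f}")
    print(cost_benefit(ORGS, CONTROLS))
```

Two points carry over from the toy to a real programme. First, the aggregate sums losses year by year across organisations, which treats them as independent; a shared supplier or platform incident that hits several bodies at once is under-represented unless it is modelled as its own scenario. Second, each control is measured against the no-controls baseline, so the per-control reductions do not simply add up to the "all" figure (a frequency cut from B2 shrinks the losses that D1 is left to halve), and the assumed effect sizes are exactly the inputs that threat modelling against the CAF outcomes has to supply.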

In summary, cyber risk quantification supports proactive risk mitigation, and can help strengthen the cyber resilience of the public sector. If you are starting to think about adopting cyber risk quantification, reach out to me or the CRI team.


