Blog Post
Deciphering the Loss Exceedance Curve in Cyber Risk Quantification
September 24, 2024
TL;DR
- On-demand cyber risk quantification (CRQ) platforms leverage probabilistic statistical models to generate loss exceedance curves (LECs), which illuminate the range and likelihood of potential losses or damages from cyber events.
- The most well-known CRQ loss exceedance curves provide insights into an organization's financial risk exposure, helping chief information security officers (CISOs) and risk managers align cybersecurity strategies with organizational risk appetite.
- The tail end of the LEC, although it covers the less likely loss scenarios, is nevertheless crucial to understand, as it reveals the most severe consequences a business may face and should therefore plan for in order to remain resilient.
- Beyond the financial insights, CRQ platforms such as Kovrr's similarly provide LECs for outage duration and total number of data records compromised, further aiding CISOs in disaster recovery, business continuity, and data protection planning.
- Kovrr also offers a scenario-specific breakdown of the financial LEC, allowing for more targeted risk management strategies by deconstructing potential losses according to specific, industry-aligned cyber incidents.
- Strategic applications of the various LECs extend much further than the cybersecurity department, helping high-level stakeholders and board members determine capital allocation, budget optimization, and cyber insurance purchasing.
- Using LEC data effectively and regularly rerunning quantifications can help to integrate cyber risk management into the corporate culture and support organizations in maintaining a competitive edge within an increasingly risky marketplace.
On-Demand Cyber Risk Quantification Outputs
On-demand cyber risk quantification (CRQ) models have the power to assess an organization’s unique risk profile and, subsequently, generate data-driven insights that facilitate informed risk management decisions. These insights are grounded in a probabilistic approach to event forecasting, which involves simulating thousands of potential cyber scenarios a business may experience over a given period, typically the upcoming year.
Then, by aggregating and analyzing these Monte Carlo simulated outcomes, CRQ models such as Kovrr’s produce the loss exceedance curve, which details a range of possible loss outcomes and their respective likelihoods. Interpreting these curves, though invaluable for sound strategy, can be challenging for those unfamiliar with their nuances. Nevertheless, once the curves are mastered, organizations gain a clear understanding of their exposure levels due to cyber activities.
What Is a Loss Exceedance Curve?
The loss exceedance curve (LEC) is a graphical representation illustrating the probability that a given financial loss will be exceeded, in the case of Kovrr's CRQ model, within a given year. Each data point plotted along this curve pairs a potential loss amount with the likelihood that losses of at least that size will occur, helping chief information security officers (CISOs) and other cyber risk managers understand and prepare for both common and extreme situations.
For example, in the LEC in Figure 1, the organization Regal Retreats faces a 30% likelihood of experiencing monetary losses that amount to or exceed $9.5 million in the upcoming year. At the same time, it faces a much smaller likelihood, 5%, that these damages will exceed $456 million in the same period. Armed with these insights, CISOs can help senior stakeholders realistically gauge their business's overall risk appetite and allocate the necessary budget to ensure cyber risk exposure is mitigated to the appropriate extent.
Interpreting the Tail End of the Loss Exceedance Curve
The tail end of the LEC illuminates those events which have a low probability of occurrence but, should they ensue, result in severe losses. Although these tail scenarios are rare, they can have potentially catastrophic consequences that dramatically disrupt an organization's financial stability and even result in insolvency. As such, stakeholders must plan accordingly or face the potential of insufficient capital reserves or inadequate cyber insurance coverage.
Equally as important is to monitor and re-quantify the relative severity of these tail events over time, as they're likely to shift along with the evolving cyber threat landscape, especially as malicious cyber actors continue to find new tactics for exploiting system weaknesses. By adopting a proactive approach to cyber risk management and incorporating regular analysis of the tail-end loss scenarios, organizations can create a more resilient posture that accounts for the full spectrum of cyber risk.
The Various CRQ Loss Exceedance Curves
Loss exceedance curves can be generated for any statistical modeling scenario, be it related to cyber risk or otherwise. Primarily, organizations utilize the range of financial losses the LEC illuminates to make budgeting and monetary risk appetite decisions. However, there are other contexts in which this valuable curve can provide actionable insights that lead to optimized cyber risk management strategies.
The Outage Duration Exceedance Curve
Within Kovrr's CRQ platform, cyber risk managers have access to three other types of exceedance curves, the first of which highlights the likelihood of a business outage lasting longer than each of four preprogrammed thresholds. In Figure 3, for instance, the assessed organization faces a 48.11% likelihood that, should systems go down, the outage will last 8 hours or longer. The likelihood of the outage lasting two days or longer is lower, at 32.15%.
Having access to these probabilities is particularly valuable for organizations investing in disaster recovery and business continuity plans, which, in light of the CrowdStrike July 2024 incident, is especially important. With an understanding of the length of the downtime they're most likely to experience in the event of an outage, CISOs can craft targeted policies to ensure that backup systems are in place and that redundancy measures can be carried out swiftly. This proactive approach not only reinforces resilience but also helps to safeguard customer trust.
The Number of Data Records Compromised Exceedance Curve
Another exceedance curve that CISOs often find particularly useful for strategic planning pertains to the number of data records that would be compromised in the wake of an event, such as a data breach or ransomware attack. These probabilistic results allow organizations to visualize the range of likelihoods of various numbers of data records being compromised. As illustrated in Figure 4, there is a 35.22% likelihood that the evaluated company will have 2,000 or more data records compromised should such an event occur.
As with the financial LEC, the tail end of the data record compromise curve highlights those higher-impact losses that are, thankfully, less likely to ensue. Still, these insights are necessary for CISOs endeavoring to assess their data exposure and gauge the extent of the potential damage they face in terms other than monetary loss. For instance, knowing that there is an 18.41% probability that over 200,000 data records (or 5% of their total) could be compromised might prompt a company to optimize its data-sharing policies.
Scenario Breakdown Financial Loss Exceedance Curve
The loss exceedance curve displayed in Figure 5 also highlights potential monetary damages but takes the insights to a more granular level by breaking these financial impacts down according to specific loss scenarios. This detailed view equips CISOs and non-technical stakeholders alike with an understanding of not only the overall probability of exceeding certain loss thresholds but also the likelihood of those losses being driven by various types of cyber incidents and related expenses.
For example, as shown in the Business Impact Scenarios LEC, this organization's average (expected) financial damage within the upcoming year from a ransomware and extortion scenario is nearly $56 thousand. Business interruptions, on the other hand, weigh more heavily on its exposure levels, with losses on average amounting to almost $1 million.
With the comprehensive breakdown, CISOs can make more informed decisions about where to allocate resources and strategically prepare for the types of losses that pose the greatest threat to their financial resilience.
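As an added example (not Kovrr's code or model), the Python below builds a loss exceedance curve the way the opening sections describe: it simulates thousands of years, drawing a Poisson number of events per scenario and a lognormal loss per event (all rates and parameters are constructed and hypothetical), reads exceedance probabilities at chosen thresholds, inverts the curve to read off the 5% tail as in Figure 1, and averages per-scenario losses as in the Business Impact Scenarios breakdown above. The two curve functions are metric-agnostic, so the same code serves the outage-duration and data-record curves if the samples are hours or record counts.

```python
import math
import random
from bisect import bisect_left

def poisson(rng, rate):
    """Knuth's method: number of events in one simulated year at an annual rate."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scenarios, n_years=10_000, seed=7):
    """Monte Carlo over n_years years. scenarios maps a name to (annual event rate,
    lognormal mu, sigma) of per-event loss. Returns yearly totals and per-scenario losses."""
    rng = random.Random(seed)
    totals, by_scenario = [], {name: [] for name in scenarios}
    for _ in range(n_years):
        year_total = 0.0
        for name, (rate, mu, sigma) in scenarios.items():
            loss = sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, rate)))
            by_scenario[name].append(loss)
            year_total += loss
        totals.append(year_total)
    return totals, by_scenario

def exceedance_probability(samples, threshold):
    """One point on the exceedance curve: P(X >= threshold) over the samples."""
    return sum(1 for x in samples if x >= threshold) / len(samples)

def value_at_exceedance(samples, prob):
    """Invert the curve: smallest simulated value whose exceedance probability is
    <= prob (0.05 reads off the 5% tail); below the 1/n resolution, the largest sample."""
    s, n = sorted(samples), len(samples)
    for value in s:
        if (n - bisect_left(s, value)) / n <= prob:
            return value
    return s[-1]

if __name__ == "__main__":
    # Constructed, hypothetical parameters (not Kovrr's model): ~0.8 ransomware events/yr, median $50k; ~2 interruptions/yr, median $300k.
    scenarios = {"ransomware": (0.8, math.log(50_000), 1.2),
                 "business interruption": (2.0, math.log(300_000), 1.0)}
    totals, by_scenario = simulate_annual_losses(scenarios)
    for t in (100_000, 1_000_000, 5_000_000):
        print(f"P(annual loss >= ${t:,}) = {exceedance_probability(totals, t):.1%}")
    print(f"5% tail loss: ${value_at_exceedance(totals, 0.05):,.0f}")
    for name, losses in by_scenario.items():
        print(f"average annual {name} loss: ${sum(losses) / len(losses):,.0f}")
```

With 10,000 simulated years the 5% tail rests on only 500 samples and shifts noticeably between seeds, which is one reason to treat a single tail figure as an estimate and to re-quantify regularly rather than read it as precise.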
Applying CRQ Loss Curves for Strategic Decision-Making
Each of these loss exceedance curves - financial, outage duration, data records compromised - provides a plethora of actionable insights that extend well beyond the cybersecurity department and can favorably impact decisions around capital allocation, budget optimization, and insurance purchasing. For instance, understanding the organization's likelihood of exceeding a specific financial loss may motivate stakeholders to invest more in the cybersecurity department to mitigate this overall risk level.
The breakdown of the LEC according to specific business impact scenarios similarly allows for more precise strategies and choices, particularly when it comes to obtaining fit-for-purpose cyber insurance policies. The LEC financial loss breakdown provides senior executives, such as the CEO and CFO, with the likelihood of exceeding various limits, equipping them to negotiate for more appropriate deductibles. Likewise, an organization may discover that coverage for a specific scenario is not cost-effective and can instead reinvest that money into another, more likely, loss scenario.
With the Outage Duration and Number of Records Compromised Exceedance Curves, cyber risk managers are better prepared to craft cost-effective business continuity plans and backup strategies, and they are also better placed to comply with cybersecurity regulations that require material disclosures.
According to many of these regulations, such as those set forth by the US SEC, registrants must now disclose "material" or "significant" cyber events within a matter of days. However, defining what constitutes materiality or significance is far from a straightforward process, and what is material at one organization may differ at the next.
By leveraging the loss exceedance curves, which highlight various operational damages and their likelihoods, defining materiality becomes much simpler. Organizations can clearly choose those thresholds which, to them, would define a material loss (be it financial or otherwise), and thus, adhere to strict reporting rules and remain compliant.
Transforming CRQ LEC Data Into a Competitive Advantage With Kovrr
Learning how to interpret loss exceedance curves generated by probabilistic cyber risk quantification models is critical for cyber risk managers who want to optimize their limited resources and ensure cybersecurity programs are aligned with the organization's broader risk appetite and tolerance levels. These curves offer the data-driven insights necessary for reducing financial loss and operational disruptions in the wake of an event, ultimately helping to bolster resiliency.
Regularly re-quantifying and monitoring the LECs likewise enables businesses to adapt cybersecurity programs along with the evolving risk landscape, safeguarding assets and preserving stakeholder trust over the long term. As cyber risks continue to evolve, it has become all the more important to leverage potential loss forecasts to effectively navigate cyber risk management discussions and maintain an edge in an increasingly competitive market.
To learn more about Kovrr’s CRQ loss exceedance curves and the actionable insights they can provide your organization, contact a CRM expert or schedule a free platform demo today.