New Feature: Custom Damage Types
December 6, 2022
Introducing Custom Damage Types
Custom Damage Types give users the ability to add specific types of damages that will be taken into consideration as part of the modeling process when quantifying financial exposure. This means organizations now have a unified view of costs that considers company-specific data alongside out-of-the-box modeled costs.
Users will need to provide a range of possible costs and create a scenario that triggers the assigned costs. This feature is a breakthrough in modeling flexibility for your team: it lets users integrate organization-specific data on the costs of incidents into the quantification process to better inform the model.
How Do Custom Damage Types Add Perspective?
Most models in the cyber financial quantification space are probabilistic and use parametrization to predict future events. Creating suitable parametrization for a model that later accurately quantifies risk requires high-quality data, visibility into the likelihoods and impacts of cyber risks, and an understanding of the costs of events. Our partnerships with insurance and reinsurance companies provide a high-quality and unbiased view of the actual prices and frequency of events that hit companies worldwide.
High-quality and unbiased data is one of Kovrr's main differentiators. When we first built our product, initial users were okay with not needing to know about the specific cyber threats to their company to get accurate insurance-validated financial risk quantification.
This almost plug-and-play approach shortened the time it took them to quantify their enterprise risk by 10X. In return, users couldn’t change model weights and data, which impacted the modeled costs. But as we met more CISOs, specifically those with risk and quantification backgrounds, we understood that this approach would soon need to change.
Most of our customers are experienced CISOs who have worked with models such as FAIR, which require them to input every variable in the modeling process, so our “all included” platform is not their norm. After endless calls with prospects and clients, we saw that the signal from the market was very clear.
Kovrr users showed us that the cyber risk quantification landscape needs a middle ground. On one hand, there is a real need for unbiased, high-quality data for users with low visibility into the costs of events and threat intelligence data. On the other side of the spectrum, advanced users can add data about costs that just can't be harvested in traditional ways.
How Can I Leverage Custom Damage Types?
No one outside of an organization can truly understand the impact of a company's IP being stolen; this is very company-specific. Only a few published events of this kind that apply to modeling a given type of company can be found. Therefore, this was not modeled by Kovrr's CRQ platform. Still, the leak of IP data is a legitimate threat to company revenue and can incur significant PR costs. Many of our customers asked us to make this possibility part of our model.
To serve this need, we had to get this data directly from our users and ask them to estimate the impact of a specific event happening to the company. This marked a paradigm shift in Kovrr’s product. Kovrr’s product is based on data-driven decision-making, and allowing users to contribute data would add a subjective aspect to the product. Still, the market, our CISO advisory board, and validations clearly showed that introducing custom costs is a correct and necessary step.
Users can now overlay their own costs for company-specific threats on our modeling results for a unified view of risk. We’ve combined the best of both worlds in cyber risk quantification, incorporating data-driven threat intelligence alongside an organization’s internal cyber knowledge.