
    Why Most Cyber Risk Models Fail Before They Begin

    By ProfitlyAI | April 24, 2025


    “How much would it cost?” And “how much should we spend to stop it?”

    risk models used today are still built on guesswork, gut instinct, and colorful heatmaps, not data.

    In fact, PwC’s 2025 Global Digital Trust Insights Survey found that only 15% of organizations are using quantitative risk modeling to a significant extent.

    This article explores why traditional cyber risk models fall short and how applying some light statistical tools such as probabilistic modeling offers a better way forward.

    The Two Schools of Cyber Risk Modeling

    Information security professionals primarily use two different approaches to modeling risk during the risk assessment process: qualitative and quantitative.

    Qualitative Risk Modeling

    Imagine two teams assess the same risk. One assigns it a score of 4/5 for likelihood and 5/5 for impact. The other, 3/5 and 4/5. Both plot it on a matrix. But neither can answer the CFO’s question: “How likely is this to actually happen, and how much would it cost us?”

    A qualitative approach assigns subjective risk values and is primarily derived from the intuition of the assessor. A qualitative approach generally results in the classification of the likelihood and impact of the risk on an ordinal scale, such as 1-5.

    The risks are then plotted in a risk matrix to understand where they fall on this ordinal scale.

    Source: Securemetrics Risk Register

    Often, the two ordinal scales are multiplied together to help prioritize the most important risks based on likelihood and impact. At a glance, this seems reasonable since the commonly used definition for risk in information security is:

    \[\text{Risk} = \text{Likelihood} \times \text{Impact}\]

    From a statistical standpoint, however, qualitative risk modeling has some pretty important pitfalls.

    The first is the use of ordinal scales. While assigning numbers to the ordinal scale gives the appearance of some mathematical backing to the modeling, this is a mere illusion.

    Ordinal scales are simply labels — there is no defined distance between them. The distance between a risk with an impact of “2” and an impact of “3” is not quantifiable. Changing the labels on the ordinal scale to “A”, “B”, “C”, “D”, and “E” makes no difference.

    This in turn means our formula for risk is flawed when using qualitative modeling. A likelihood of “B” multiplied by an impact of “C” is impossible to compute.
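    The point about ordinal labels can be checked directly. The following is an added example, not code from the original article: it scores a constructed four-risk register with two numeric labelings that both preserve the order of the five levels, and reports which priorities swap. The register entries and the `STRETCHED` labeling are assumptions chosen for illustration.

```python
from itertools import combinations

# Constructed register: risk -> (likelihood, impact) on the 1-5 ordinal scale.
REGISTER = {
    "phishing": (5, 2),
    "ransomware": (3, 4),
    "insider_misuse": (2, 4),
    "lost_laptop": (3, 3),
}

# Two numeric labelings of the same five ordered levels. Both keep
# 1 < 2 < 3 < 4 < 5; only the (undefined) spacing between levels differs.
LINEAR = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}
STRETCHED = {1: 1, 2: 2, 3: 5, 4: 20, 5: 100}


def score(levels, labels):
    """Likelihood label multiplied by impact label, as in a risk matrix."""
    likelihood, impact = levels
    return labels[likelihood] * labels[impact]


def ranking(register, labels):
    """Risk names ordered from highest to lowest product score."""
    return sorted(register, key=lambda r: score(register[r], labels), reverse=True)


def flipped_pairs(register, labels_a, labels_b):
    """Pairs whose relative priority differs between the two labelings."""
    rank_a = ranking(register, labels_a)
    rank_b = ranking(register, labels_b)
    return [(x, y) for x, y in combinations(rank_a, 2)
            if rank_b.index(x) > rank_b.index(y)]


if __name__ == "__main__":
    print("linear   :", ranking(REGISTER, LINEAR))
    print("stretched:", ranking(REGISTER, STRETCHED))
    print("flipped  :", flipped_pairs(REGISTER, LINEAR, STRETCHED))
```

    Nothing in the assessment changed between the two runs, only the numbers attached to the labels, yet the top risk and the bottom risk both change.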

    The other key pitfall is modeling uncertainty. When we model cyber risks, we are modeling future events that are not certain. In fact, there is a range of outcomes that could occur.

    Distilling cyber risks into single-point estimates (such as “20/25” or “High”) does not express the important distinction between “most likely annual loss of $1 Million” and “There is a 5% chance of a $10 Million or more loss”.

    Quantitative Risk Modeling

    Imagine a team assessing a risk. They estimate a range of outcomes, from $100K to $10M. Running a Monte Carlo simulation, they derive a 10% chance of exceeding $1M in annual losses and an expected loss of $480K. Now when the CFO asks, “How likely is this to happen, and what would it cost?”, the team can answer with data, not just intuition.

    This approach shifts the conversation from vague risk labels to probabilities and potential financial impact, a language executives understand.

    If you have a background in statistics, one concept in particular should stand out here:

    Likelihood.

    Cyber risk modeling is, at its core, an attempt to quantify the likelihood of certain events occurring and the impact if they do. This opens the door to a variety of statistical tools, such as Monte Carlo Simulation, that can model uncertainty far more effectively than ordinal scales ever could.

    Quantitative risk modeling uses statistical models to assign dollar values to loss and model the likelihood of these loss events occurring, capturing the future uncertainty.

    While qualitative analysis might occasionally approximate the most likely outcome, it fails to capture the full range of uncertainty, such as rare but impactful events, known as “long tail risk”.

    Source: Securemetrics Cyber Risk Quantification

    The loss exceedance curve plots the probability of exceeding a certain annual loss amount on the y-axis, and the various loss amounts on the x-axis, resulting in a downward sloping line.

    Pulling different percentiles off the loss exceedance curve, such as the 5th percentile, mean, and 95th percentile can provide an idea of the possible annual losses for a risk with 90% confidence.

    While the single-point estimate of Qualitative Analysis may get close to the most likely risk (depending on the accuracy of the assessor’s judgement), quantitative analysis captures the uncertainty of outcomes, even those that are rare but still possible (known as “long tail risk”).
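    A minimal Monte Carlo model of the kind described in this section, as an added example that is not the article's or Securemetrics' own model. It assumes one possible loss event per year with a 20% annual probability and a lognormal loss size fitted so that the $100K to $10M range is a 90% interval; both modeling choices, and all function names, are assumptions made here, and the output is not meant to reproduce the article's $480K figure.

```python
import math
import random

Z90 = 1.6449  # standard normal z-score bounding a two-sided 90% interval


def lognormal_from_ci(low, high):
    """Fit lognormal (mu, sigma) so that [low, high] is the 90% interval."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_losses(p_event, low, high, years=100_000, seed=7):
    """One loss per simulated year: 0 if no event, else a lognormal draw."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    mu, sigma = lognormal_from_ci(low, high)
    return [rng.lognormvariate(mu, sigma) if rng.random() < p_event else 0.0
            for _ in range(years)]


def exceedance(losses, threshold):
    """Fraction of simulated years whose loss is above the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses, q):
    """Empirical q-quantile (0 <= q <= 1) of the simulated annual losses."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def loss_exceedance_curve(losses, thresholds):
    """(loss amount, probability of exceeding it) points for plotting."""
    return [(t, exceedance(losses, t)) for t in thresholds]


if __name__ == "__main__":
    # Assumed inputs: 20% chance of an event per year, $100K-$10M per event.
    losses = simulate_annual_losses(0.20, 100_000, 10_000_000)
    print(f"expected annual loss: ${sum(losses) / len(losses):,.0f}")
    print(f"P(loss > $1M): {exceedance(losses, 1_000_000):.1%}")
    for q in (0.05, 0.50, 0.95):
        print(f"{q:.0%} percentile: ${percentile(losses, q):,.0f}")
    for t, p in loss_exceedance_curve(losses, [1e5, 1e6, 5e6, 1e7]):
        print(f"P(loss > ${t:,.0f}) = {p:.2%}")
```

    The 5th percentile and median are zero because most simulated years have no event, while the 95th percentile and the upper thresholds expose the long tail that a single score hides.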

    Looking Outside Cyber Risk

    To improve our risk models in information security, we only need to look outwards at the techniques used in other domains. Risk modeling has been matured in a variety of applications, such as finance, insurance, aerospace safety, and supply chain management.

    Financial teams model and manage portfolio risk using similar Bayesian statistics. Insurance teams model risk with mature actuarial models. The aerospace industry models the risk of system failures using probability modeling. And supply chain teams model risk using probabilistic simulations.

    The tools exist. The math is well understood. Other industries have paved the way. Now it’s cybersecurity’s turn to embrace quantitative risk modeling to drive better decisions.

    Key Takeaways

    | Qualitative                    | Quantitative           |
    |--------------------------------|------------------------|
    | Ordinal scales (1-5)           | Probabilistic modeling |
    | Subjective intuition           | Statistical rigor      |
    | Single-point scores            | Risk distributions     |
    | Heatmaps & color codes         | Loss exceedance curves |
    | Ignores rare but severe events | Captures long-tail risk |


