Quantifying the risk of a cyber attack: 7 common risk scenarios

Cyber crime is projected to cost $8 trillion per year by 2025. Companies of all sizes now face the possibility of being attacked by the most advanced and well-funded criminals in the world.

Fortunately, business leaders are waking up to this reality: our recent CISO survey found that 78% of CISOs believe that board priorities and attitudes towards cyber security have improved.

However, there is a difference between having a positive attitude towards cyber security and being ready to make the decision to invest in sophisticated defenses. CISOs are having to learn to speak the language of financial risk management and mitigation in order to secure the budget they need.

Calculating the return on investment (ROI) for a proposed cyber security solution will be a key component of a CISO's business case when she requests budget to acquire new solutions.

The simplest way to think about the return on a cyber security investment is in terms of the potential losses that it helps you avoid or mitigate. However, estimating those losses is a difficult task in itself.

Direct costs like damage to equipment or increased insurance premiums are easy enough to calculate, but the wider impact of business disruption and reputational damage is less concrete.

At F-Secure we built an ROI calculator for our own solutions, and in the process came up with seven risk scenarios that we believe are the most common ones that most organizations face:

  • Unauthorised access via the supply chain
  • Compliance failure
  • Critical vulnerability in software component
  • Malware outbreak
  • Business disruption caused by ransomware
  • System intrusion
  • Information breach

If a client is considering implementing one of our solutions, we can help them to estimate:

  1. Which of these scenarios are relevant to their business
  2. How likely it is that they will occur
  3. How much they are likely to cost if they do occur
  4. How much of that cost would be mitigated by our solutions

This lets us estimate the ROI of our own solutions, using the company’s own financial information plus knowledge of the average cost of attacks gained from years of experience. 

There will always be risks that a model like this does not account for, but we believe our calculator provides CISOs with a relatively easy-to-use tool that helps them quantify and communicate the risks their business faces, as well as the savings they could make by investing in a robust defense.

If you’re interested in learning more about our ROI calculator and seeing examples of how we calculate it for specific companies, download our whitepaper: Quantify and Communicate: The ROI of cyber security.