VIEW 27
The units of cyber risk
We know how to measure Mount Fuji. In three-dimensional space, we have the measurements of height, depth and breadth and we can multiply these three together to calculate the mountain’s volume. We can take rock samples to calculate density which, when combined with volume, will allow us to estimate mass. We can measure the temperature of lava in degrees centigrade and we can use a seismograph to measure geological tremors on a Richter scale. The units of measurement in the physical world are well defined and understood.


What about the cyber realm? As we discussed before (View #26) there are no peacock’s feathers. The industry as a whole is yet to develop standardised, easy, visible markers as to a company’s cyber health. But we can at least advance some ideas as to the dimensionality of cyber risk. This indicates a way to describe the issue even if the gradation markings on the ruler have not yet been formalised.
In our proposed scheme, there are three dimensions: hierarchical, lateral and temporal. Just as three axes define physical space, these three dimensions can describe cyber risk in an analogous way. The hierarchical dimension has a vertical connotation, the lateral a horizontal emphasis, and the last axis is time related. We put these forward as a coherent way to describe cyber risk; the AXIS cyber axes, if you will.
Hierarchical
This axis focusses on elements of top down control. It is a measure of cyber governance; the degree to which the rules of cyber hygiene are embedded in the corporate culture. What is the company’s patching cadence? Are the password policies implemented well? Is the firewall configuration robust? What level of training and awareness exists at the user level?
Lateral
This axis examines connectivity and risk aggregation issues. Computers and mobile phones are communications devices, and the internet connects each device to every other, forming a large lateral landscape of systemic risk (see View #6). Network topology issues such as node concentration and network segregation are the key metrics to investigate here. Looking beyond the IT infrastructure to the business as a whole, single points of failure in the supply chain should also be evaluated.
Temporal
Time is a crucial factor in assessing cyber risk; the faster the response time the better the damage limitation. There are well known metrics to use here such as MTTD (mean time to detection) and MTTR (mean time to resolve). In a wider business sense, the speed of executive decision making or of corporate communications in managing the news flow are other aspects to evaluate.
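As an added illustration of the temporal axis (example code, not part of the original piece), the following computes MTTD and MTTR from constructed incident records. It assumes MTTR is measured from detection to resolution, reports the worst detection delay alongside the mean, and counts still-open incidents rather than dropping them silently.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not from the original page): ISO timestamps for
# when each incident began, was detected and was resolved. None in "resolved"
# marks an incident that is still open.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T02:00:00",
     "detected": "2024-03-01T08:00:00", "resolved": "2024-03-02T08:00:00"},
    {"id": "INC-2", "started": "2024-03-05T10:00:00",
     "detected": "2024-03-05T10:30:00", "resolved": "2024-03-05T14:30:00"},
    {"id": "INC-3", "started": "2024-03-10T00:00:00",
     "detected": "2024-03-11T12:00:00", "resolved": None},
]


def _hours(later, earlier):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def temporal_metrics(incidents):
    """Return MTTD and MTTR in hours, the worst detection delay, and the
    number of open incidents.

    MTTD = mean(detected - started) over all incidents.
    MTTR = mean(resolved - detected) over resolved incidents only (assumption:
    the clock for resolution starts at detection). Open incidents are
    reported separately so a long-running incident cannot hide in the mean.
    """
    detect = [_hours(i["detected"], i["started"]) for i in incidents]
    resolve = [_hours(i["resolved"], i["detected"])
               for i in incidents if i["resolved"] is not None]
    return {
        "mttd_hours": mean(detect) if detect else None,
        "max_detect_hours": max(detect) if detect else None,
        "mttr_hours": mean(resolve) if resolve else None,
        "open_incidents": len(incidents) - len(resolve),
    }


if __name__ == "__main__":
    print(temporal_metrics(INCIDENTS))
```

The mean alone hides the 36-hour outlier in the constructed data, which is why the maximum detection delay is reported next to it.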

