Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Uncovering the Business Costs of Cyber Risk: Ponemon Study

Study finds organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses, leaving them without the critical information needed to make decisions about resource allocation, technology investments and threat prioritization.

Unlike other business disciplines (CRM, ERP, HR), cybersecurity lacks the kind of clear business metrics which can help executives frame decision-making in a language the c-suite and board easily understand. When we commissioned Ponemon Research to study the effects of cyber risk on business operations, our goal was to explore how four common KPIs associated with cyber exposure translate to specific types of business risk. We wanted to go beyond assessing pure dollar impact, exploring how cyber risk influences business strategy, products, supply chain, revenue streams, operations, business technology, customer experience and regulatory compliance.

What we discovered -- after surveying 2,410 IT and infosec decision-makers in six countries -- is that traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. Organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses. Thus, decisions about the allocation of resources, investments in technologies and the prioritization of threats are being made without critical intelligence. Moreover, organizations are unable to correlate the cyber risk KPIs they are using to the mitigation of a data breach or security exploit.

At a time when boards of directors are taking more interest in cybersecurity than ever before, the study Measuring & Managing the Cyber Risks to Business Operations, conducted by Ponemon Institute on behalf of Tenable, reveals a lack of faith among cybersecurity professionals in the accuracy of their metrics. This makes CISOs and/or other security technology executives reluctant to share critical information about the business costs of cyber risks with their boards.

Exploring common KPIs

For the study, we identified four common KPIs used to measure cyber risk:

  • time to assess;
  • time to remediate;
  • effectiveness of prioritizing cyber risk; and
  • identification of assets vulnerable to cyber risk -- including Operational Technology (OT) and Internet of Things (IoT) devices.

In addition, we explored three KPIs most often used to measure the financial consequences of a cyber attack:

  • loss of revenue;
  • loss of productivity; and
  • drop in stock price.

The vast majority of respondents (91%) admitted they’ve experienced at least one business-disrupting cyber incident in the past 24 months; 60% have experienced two or more incidents in the same time frame. These attacks have resulted in data breaches and/or, significant disruption and downtime to business operations, plants and operational equipment.

The majority of respondents (58%) say traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. When it comes to quantifying the damage cyber events could have on their businesses, only 41% of respondents (988) say their organizations make any attempt to do so. Further, only 30% of respondents say their organizations are able to correlate information from cyber risk KPIs to taking action on reducing the risk of a data breach or security exploit.

Of the 988 respondents who said their organizations attempt to quantify the damage security incidents could have on their businesses:

  • 54% say they quantify what the theft of intellectual property would cost;
  • 43% say they calculate the potential financial loss; and
  • 42% consider the impact of the loss of employee productivity following a data breach or security exploit.

What factors are used to quantify the potential risk of a cyber attack?

quantifying the business risk of a cyber attack

Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.

We asked respondents to rate the accuracy of the information gathered using the above KPIs, measured on a scale of 1 = not accurate to 10 = very accurate. Only 38% of respondents believe their measures are very accurate, while 44% believe their measures are not very accurate.

The report also reveals organizations are not using the KPIs they consider most important to assessing and understanding cyber threats. For example, two thirds of respondents (64%) identified “time to assess” as an important KPI for evaluating cyber risk, yet only 49% of respondents are currently using this metric. We see similar gaps when we look at the three other KPIs discussed in the report (see below).

Gaps in use and importance of KPIs

KPI Used by (% respondents) Considered essential (% respondents)
Time to assess cyber risk 49% 64%
Time to remediate cyber risk 46% 70%
Identifying OT and IoT assets 34% 62%
Prioritization effectiveness 38% 57%

Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.

Measuring cyber risk: Nobody said it was easy

Respondents identified seven key reasons why their organizations continue to face cybersecurity challenges, including:

  • An understaffed IT security function.
  • Lack of resources to manage vulnerabilities.
  • The proliferation of IoT devices in the workplace.
  • The complexity of the IT security infrastructure.
  • Lack of controls over third-party access to sensitive and confidential data.
  • Dependency on manual processes to respond to vulnerabilities.
  • Insufficient visibility into their organization’s attack surface.

While there are no quick-and-easy fixes to any of these issues, we believe focusing on the following five steps will help put your organization on the right path to building a business-first cybersecurity strategy.

  1. Identify and map every asset across any computing environment.
  2. Understand the cyber exposure of all assets, including vulnerabilities, misconfigurations and other security health indicators.
  3. Understand exposures in context, to prioritize remediation based on asset criticality, threat context and vulnerability severity.
  4. Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique.
  5. Measure and benchmark cyber exposure to make better business and technology decisions.

In addition to the above guidance, the report, Measuring & Managing the Cyber Risks to Business Operations, concludes with a five-step process for measuring and managing cyber risk you can put into action in your own organization today.

About this study

The report Measuring & Managing the Cyber Risks to Business Operations is based on a survey of 2,410 IT and IT security decision-makers in the United States, United Kingdom, Germany, Australia, Mexico and Japan. All respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. The consolidated global findings are presented in this report. Download your free copy here.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.