Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Uncovering the Business Costs of Cyber Risk: Ponemon Study

Study finds organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses, leaving them without the critical information needed to make decisions about resource allocation, technology investments and threat prioritization.

Unlike other business disciplines (CRM, ERP, HR), cybersecurity lacks the kind of clear business metrics which can help executives frame decision-making in a language the c-suite and board easily understand. When we commissioned Ponemon Research to study the effects of cyber risk on business operations, our goal was to explore how four common KPIs associated with cyber exposure translate to specific types of business risk. We wanted to go beyond assessing pure dollar impact, exploring how cyber risk influences business strategy, products, supply chain, revenue streams, operations, business technology, customer experience and regulatory compliance.

What we discovered -- after surveying 2,410 IT and infosec decision-makers in six countries -- is that traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. Organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses. Thus, decisions about the allocation of resources, investments in technologies and the prioritization of threats are being made without critical intelligence. Moreover, organizations are unable to correlate the cyber risk KPIs they are using to the mitigation of a data breach or security exploit.

At a time when boards of directors are taking more interest in cybersecurity than ever before, the study Measuring & Managing the Cyber Risks to Business Operations, conducted by Ponemon Institute on behalf of Tenable, reveals a lack of faith among cybersecurity professionals in the accuracy of their metrics. This makes CISOs and/or other security technology executives reluctant to share critical information about the business costs of cyber risks with their boards.

Exploring common KPIs

For the study, we identified four common KPIs used to measure cyber risk:

  • time to assess;
  • time to remediate;
  • effectiveness of prioritizing cyber risk; and
  • identification of assets vulnerable to cyber risk -- including Operational Technology (OT) and Internet of Things (IoT) devices.

In addition, we explored three KPIs most often used to measure the financial consequences of a cyber attack:

  • loss of revenue;
  • loss of productivity; and
  • drop in stock price.

The vast majority of respondents (91%) admitted they’ve experienced at least one business-disrupting cyber incident in the past 24 months; 60% have experienced two or more incidents in the same time frame. These attacks have resulted in data breaches and/or, significant disruption and downtime to business operations, plants and operational equipment.

The majority of respondents (58%) say traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. When it comes to quantifying the damage cyber events could have on their businesses, only 41% of respondents (988) say their organizations make any attempt to do so. Further, only 30% of respondents say their organizations are able to correlate information from cyber risk KPIs to taking action on reducing the risk of a data breach or security exploit.

Of the 988 respondents who said their organizations attempt to quantify the damage security incidents could have on their businesses:

  • 54% say they quantify what the theft of intellectual property would cost;
  • 43% say they calculate the potential financial loss; and
  • 42% consider the impact of the loss of employee productivity following a data breach or security exploit.

What factors are used to quantify the potential risk of a cyber attack?

quantifying the business risk of a cyber attack

Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.

We asked respondents to rate the accuracy of the information gathered using the above KPIs, measured on a scale of 1 = not accurate to 10 = very accurate. Only 38% of respondents believe their measures are very accurate, while 44% believe their measures are not very accurate.

The report also reveals organizations are not using the KPIs they consider most important to assessing and understanding cyber threats. For example, two thirds of respondents (64%) identified “time to assess” as an important KPI for evaluating cyber risk, yet only 49% of respondents are currently using this metric. We see similar gaps when we look at the three other KPIs discussed in the report (see below).

Gaps in use and importance of KPIs

KPI Used by (% respondents) Considered essential (% respondents)
Time to assess cyber risk 49% 64%
Time to remediate cyber risk 46% 70%
Identifying OT and IoT assets 34% 62%
Prioritization effectiveness 38% 57%

Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.

Measuring cyber risk: Nobody said it was easy

Respondents identified seven key reasons why their organizations continue to face cybersecurity challenges, including:

  • An understaffed IT security function.
  • Lack of resources to manage vulnerabilities.
  • The proliferation of IoT devices in the workplace.
  • The complexity of the IT security infrastructure.
  • Lack of controls over third-party access to sensitive and confidential data.
  • Dependency on manual processes to respond to vulnerabilities.
  • Insufficient visibility into their organization’s attack surface.

While there are no quick-and-easy fixes to any of these issues, we believe focusing on the following five steps will help put your organization on the right path to building a business-first cybersecurity strategy.

  1. Identify and map every asset across any computing environment.
  2. Understand the cyber exposure of all assets, including vulnerabilities, misconfigurations and other security health indicators.
  3. Understand exposures in context, to prioritize remediation based on asset criticality, threat context and vulnerability severity.
  4. Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique.
  5. Measure and benchmark cyber exposure to make better business and technology decisions.

In addition to the above guidance, the report, Measuring & Managing the Cyber Risks to Business Operations, concludes with a five-step process for measuring and managing cyber risk you can put into action in your own organization today.

About this study

The report Measuring & Managing the Cyber Risks to Business Operations is based on a survey of 2,410 IT and IT security decision-makers in the United States, United Kingdom, Germany, Australia, Mexico and Japan. All respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. The consolidated global findings are presented in this report. Download your free copy here.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training