Bitsight Financial Quantification uses multiple data sets from real-world cyber events to model financial exposure, analyze its impact across multiple types of business scenarios, and then calculate a range of potential financial losses.
These data sets include:
- Details of your organization’s digital assets and security posture.
- Technographic data.
- Firmographic data.
- Cyber insurance claims data from peer companies who share a similar industry, geography, and size.
- Cyber scenario probability calculations.
The Financial Quantification process goes through the following workflow:
Step 1: Identify Peer Group
A peer group is identified based on events from the past 10 years to determine an entity’s firmographics and select similar cyber incident events from entities that match those firmographics from the loss database. It occurs in two phases:
Phase 1: Peer Group Selection Process
An appropriate entity grouping is established. Filtering does not require a minimum selection of entities at this phase.
|1 – Cohort
This builds on the Sector analysis by further filtering using geographic regions. The industry filter should match the same selection used in the Sector analysis. The geographical filter is based on the following general geographical regions:
|4-Digit NAICS Code||Same Country||Same Revenue Bin|
|2 – Cluster
This builds the Cluster analysis by filtering further by the four-digit NAICS code and the geographical regions are in the same country.
|4-Digit NAICS Code||Same Country||All Sizes|
|3 – Region
Entities are initially filtered based on the same four-digit NAICS industry code and country established in the Cluster grouping. Then, it’s filtered further based on operating revenue bins. It’s currently set at:
|2-Digit NAICS Code||Same Geographic Area||All Sizes|
|4 – Sector
The only filter in the Sector grouping is industry. It should match the two-digit NAICS code.
|2-Digit NAICS Code||All Areas||All Sizes|
|5 – Global
No filters are applied at this level as it sets up all entities as a baseline from which to compare any single entity. As a result, all entities can be compared at this level.
|All||All Areas||All Sizes|
Phase 2: Event Selection Process
A minimum of 10 events are selected. Events correspond to a scenario from the incident data set. See risk by scenarios and damage details.
If phase 2 doesn’t have enough, the Phase 1 events are used.
The Data Theft & Privacy scenario is filtered further by the number of events. The range is used to select loss events that correspond to the loss potentials that an organization may experience.
Step 2: Assess Peer Group Risk
A Level 1 CRQ loss curve is generated to establish a baseline for comparing organizational security performance and control posture.
The events identified in Step 1 are used to generate a series of loss curves for a variety of cyber loss scenarios that entities with similar firmographics could be expected to encounter.
Curves are calculated for all scenarios to make a level 1 CRQ curve.
- The minimum and maximum range and mode values of selected events from the peer group are placed into a Monte Carlo simulation for 100,000 iterations.
- A beta PERT distribution is used to produce the exceedance probability (EP) curve. The output is an EP graph representing the simulation results showing the minimum, maximum, and mean values.
- The values are summed into a loss curve representing the simultaneous occurrence of all scenarios (worst case).
- A weighted average is then calculated with each scenario receiving equal weight.
Step 3: Assess Controls
The following SPM risk vectors are the inputs into the detective/responsive control assessment process and are mapped to the control capability categories and risk formula as shown below. They are used to modify the magnitude of loss identified in the Level 1 Loss Curve.
|SPM Risk Vector||Control Capabilities Category||Risk Formula Modifier|
|Security Incidents||Incident Response and Management||Detect/Respond (Magnitude)|
|Mobile Software||Secure Workstation Configuration||Detect/Respond (Magnitude)|
The following CIS controls (assessed via questionnaire) are mapped to the control capability categories and risk formula as shown below.
|CIS Controls Risk Vector||Control Capabilities Category||Risk Formula Modifier|
|Maintenance, Monitoring, and Analysis of Audit Logs||Logging
Monitoring and Alerting
|Data Recovery Capabilities||BCP and Data Recovery||Detect/Respond (Magnitude)|
|Incident Response and Management||Incident Response and Management||Detect/Respond (Magnitude)|
|Account Monitoring and Control||Logging
Monitoring and Alerting
Following an assessment of each of the signals above, the scores are normalized using a Z-score algorithm to a 1-100 scale and stored as indicator values. Those values are then summed and averaged by their corresponding capability grouping.
Step 4: Assess Entity Risk
The Level 1 CRQ curve is adjusted to reflect the organization’s specific control posture, generating an entity risk curve. It accounts for the basic risk associated with the peer group and the organization’s mitigating controls.
Entity risk curves comes in three levels:
- Level 2 CRQ Curve: control posture is assessed using the results of an outside-in, external assessment of an organization’s IT environment.
- Level 3 CRQ Curve: control posture is assess using a questionnaire.
- Level 2+3 CRQ Curve: control posture is assessed using both methods of assessment.
Step 5: Output
The model outputs a catalog of events and their corresponding financial impact broken down by damage type. Events are rolled up into a dashboard where information on a single organization or a portfolio of organizations can be reviewed. Data is presented from two points of view: single loss cyber exposure and cyber risk by impact scenario.
Single Loss Cyber Exposure
The results of this process are displayed in an EP graph, which shows the probability for exceeding different damage levels from cyber events.
Example: A graph has an X-value of 6M and a Y-value of 60%. It indicates there is a 60% probability that damage from a single cyber event will exceed $6M.
The event catalog reports the following statistics:
- Low Exposure: 99% probability that the company will exceed damage of $XM from a single cyber event.
- Average Exposure: The average cost incurred over a year (including the probability-weighted impact of extreme events). Used in long-term cost forecasting or insurance valuation calculations.
- High Exposure: 1% probability that the company will exceed damage of $XM from a single cyber event. This is used to assess against the organization’s appetite for risk, or to compare against other business risks to identify where additional support may be required.
Cyber Risk by Impact Scenarios
Given a selection of loss amounts taken from peer cohorts, an EP curve is generated for evaluation. Based solely on the loss potential of the peer group, the curve represents the probabilities and possible loss amounts an organization may encounter. This allows for a probabilistic view of their loss potentials across a variety of likely scenarios.