Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

Financial Quantification Methodology

Avatar
Jessica
Follow
Publication Date: October 17, 2022

Bitsight Financial Quantification uses multiple data sets from real-world cyber events to model financial exposure, analyze its impact across multiple types of business scenarios, and then calculate a range of potential financial losses.

These data sets include:

  • Details of your organization’s digital assets and security posture.
  • Technographic data.
  • Firmographic data.
  • Cyber insurance claims data from peer companies who share a similar industry, geography, and size.
  • Cyber scenario probability calculations.

Process Workflow

The Financial Quantification process goes through the following workflow:

  1. Identify a peer group
  2. Assess peer group risk
  3. Assess controls
  4. Assess entity risk
  5. The output

Step 1: Identify Peer Group

A peer group is identified based on events from the past 10 years to determine an entity’s firmographics and select similar cyber incident events from entities that match those firmographics from the loss database. It occurs in two phases:

Phase 1: Peer Group Selection Process

An appropriate entity grouping is established. Filtering does not require a minimum selection of entities at this phase.

Group Level Industry Geography Size
1 – Cohort

This builds on the Sector analysis by further filtering using geographic regions. The industry filter should match the same selection used in the Sector analysis. The geographical filter is based on the following general geographical regions:

  • North America
  • South America
  • Central and Latin America
  • Europe, Middle East, and Africa
  • Asia Pacific
 4-Digit NAICS Code Same Country Same Revenue Bin
2 – Cluster

This builds the Cluster analysis by filtering further by the four-digit NAICS code and the geographical regions are in the same country.

 4-Digit NAICS Code Same Country All Sizes
3 – Region

Entities are initially filtered based on the same four-digit NAICS industry code and country established in the Cluster grouping. Then, it’s filtered further based on operating revenue bins. It’s currently set at:

  • Very large – Over $130M USD
  • Large – $13M USD
  • Medium – $1.3M USD
  • Small – Less than $1.3M USD
 2-Digit NAICS Code Same Geographic Area All Sizes
4 – Sector

The only filter in the Sector grouping is industry. It should match the two-digit NAICS code.

 2-Digit NAICS Code All Areas All Sizes
5 – Global

No filters are applied at this level as it sets up all entities as a baseline from which to compare any single entity. As a result, all entities can be compared at this level.

 All All Areas All Sizes

Phase 2: Event Selection Process

A minimum of 10 events are selected. Events correspond to a scenario from the incident data set. See risk by scenarios and damage details.

If phase 2 doesn’t have enough, the Phase 1 events are used.

The Data Theft & Privacy scenario is filtered further by the number of events. The range is used to select loss events that correspond to the loss potentials that an organization may experience.

Step 2: Assess Peer Group Risk

A Level 1 CRQ loss curve is generated to establish a baseline for comparing organizational security performance and control posture.

The events identified in Step 1 are used to generate a series of loss curves for a variety of cyber loss scenarios that entities with similar firmographics could be expected to encounter.

Curve Calculation

Curves are calculated for all scenarios to make a level 1 CRQ curve.

  1. The minimum and maximum range and mode values of selected events from the peer group are placed into a Monte Carlo simulation for 100,000 iterations.
  2. A beta PERT distribution is used to produce the exceedance probability (EP) curve. The output is an EP graph representing the simulation results showing the minimum, maximum, and mean values.
  3. The values are summed into a loss curve representing the simultaneous occurrence of all scenarios (worst case).
  4. A weighted average is then calculated with each scenario receiving equal weight.

Step 3: Assess Controls

The following SPM risk vectors are the inputs into the detective/responsive control assessment process and are mapped to the control capability categories and risk formula as shown below. They are used to modify the magnitude of loss identified in the Level 1 Loss Curve.

Table 1: Detective/Responsive Risk Vector Mapping to Control Categories and Risk Equation
SPM Risk Vector Control Capabilities Category Risk Formula Modifier
Security Incidents Incident Response and Management Detect/Respond (Magnitude)
Mobile Software Secure Workstation Configuration Detect/Respond (Magnitude)

The following CIS controls (assessed via questionnaire) are mapped to the control capability categories and risk formula as shown below.

Table 2: Detective/Responsive CIS Controls Mapping to Control Categories and Risk Equation
CIS Controls Risk Vector Control Capabilities Category Risk Formula Modifier
Maintenance, Monitoring, and Analysis of Audit Logs Logging
Monitoring and Alerting		 Detect/Respond (Magnitude)
Data Recovery Capabilities BCP and Data Recovery Detect/Respond (Magnitude)
Incident Response and Management Incident Response and Management Detect/Respond (Magnitude)
Account Monitoring and Control Logging
Monitoring and Alerting		 Detect/Respond (Magnitude)

Following an assessment of each of the signals above, the scores are normalized using a Z-score algorithm to a 1-100 scale and stored as indicator values. Those values are then summed and averaged by their corresponding capability grouping.

Step 4: Assess Entity Risk

The Level 1 CRQ curve is adjusted to reflect the organization’s specific control posture, generating an entity risk curve. It accounts for the basic risk associated with the peer group and the organization’s mitigating controls.

Entity risk curves comes in three levels:

  • Level 2 CRQ Curve: control posture is assessed using the results of an outside-in, external assessment of an organization’s IT environment.
  • Level 3 CRQ Curve: control posture is assess using a questionnaire.
  • Level 2+3 CRQ Curve: control posture is assessed using both methods of assessment.

Step 5: Output

The model outputs a catalog of events and their corresponding financial impact broken down by damage type. Events are rolled up into a dashboard where information on a single organization or a portfolio of organizations can be reviewed. Data is presented from two points of view: single loss cyber exposure and cyber risk by impact scenario.

Single Loss Cyber Exposure

The results of this process are displayed in an EP graph, which shows the probability for exceeding different damage levels from cyber events.

Example: A graph has an X-value of 6M and a Y-value of 60%. It indicates there is a 60% probability that damage from a single cyber event will exceed $6M.

The event catalog reports the following statistics:

  • Low Exposure: 99% probability that the company will exceed damage of $XM from a single cyber event.
  • Average Exposure: The average cost incurred over a year (including the probability-weighted impact of extreme events). Used in long-term cost forecasting or insurance valuation calculations.
  • High Exposure: 1% probability that the company will exceed damage of $XM from a single cyber event. This is used to assess against the organization’s appetite for risk, or to compare against other business risks to identify where additional support may be required.

Cyber Risk by Impact Scenarios

Given a selection of loss amounts taken from peer cohorts, an EP curve is generated for evaluation. Based solely on the loss potential of the peer group, the curve represents the probabilities and possible loss amounts an organization may encounter. This allows for a probabilistic view of their loss potentials across a variety of likely scenarios.

Related articles