If you're a CISO, you've probably wrestled with placing a monetary value on your exposure to cyber-attacks. For example, if your organization was breached thanks to a phishing campaign, how much would it lose in stolen records, device recovery, brand reputation, or even ransom payments?
Your board of directors wants to know. Ditto your CEO, especially before green-lighting extra cybersecurity spending. A couple of years ago, the World Economic Forum's Partnering for Cyber Resilience initiative proposed a model for quantifying the financial impact of cyber-threats. It's called value at risk (VAR) and can be quite useful when applied to phishing.
Here's How It Works
Most breaches begin as phishing attacks. People quibble over the exact stat, but no one doubts that phishing is the #1 attack vector. It's easy enough to fool employees into clicking on an email loaded with malware or a social engineering scam. One example: a crook in Lithuania fleeced Facebook and Google out of $100 million via emails spoofing a legitimate vendor asking for wire transfers.
To understand the risks of similar scenarios, a phishing-specific VAR model looks at three factors:
1. Known (real) phishing threats—map out the type and frequency of phishing attacks your company currently faces.
  - Model phishing simulations on active threat intelligence.
  - Utilize both internal and external phishing intelligence as source material.
  - Harden your users against known industry attacks.
Note: The above graphic represents results of active-threat phishing simulations run from March through May 2018. Resilience declines as the chart moves left to right, so the threats listed toward the right-hand side are the ones users handle least well. Were these your company's results, your program would best reduce current risk by repeating the lower-resilience simulations.
2. Capability to resist attacks—know your ability to recognize and report various attacks.
  - Are email and security tools up to date and configured to stop known threats?
  - Which phishing attacks and models are still making it past your perimeter (e.g., BEC, business email compromise)?
  - Measure user resilience (the ability to recognize and report known threat models).
3. Value of protected information and assets—understand the value of anything exposed by a phishing-related breach and the costs of recovery.
  - What type of data is available on your network, and who has access to it?
  - Estimate the cost of a potential breach by valuing intellectual property, reputation damage, price per stolen record, and recovery costs (IR, IT hours, etc.).
  - When in doubt, utilize available estimation tools, e.g. https://databreachcalculator.mybluemix.net/
These three factors can be tied together to provide a visual representation of phishing value at risk. In the chart below, the X-axis represents the frequency of known attacks (increasing left to right). The Y-axis represents the capability to recognize and report those specific threats, measured as the ratio of users who reported the simulation to users who were susceptible to it. The size of the plot point indicates the value of data potentially exposed as part of your active threat simulations.
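One way to turn active-threat simulation results into the three chart dimensions above, as an added example rather than the post's own tooling; the sample rows and the priority formula are constructed assumptions:

```python
import math
from dataclasses import dataclass

# Constructed sample data (not from the post): one row per active-threat
# simulation model. frequency = real-world attempts of this type seen per
# quarter (threat intel); susceptible/reported = simulation outcomes;
# exposed_value = estimated dollar value of data the targeted users can reach.
SIMULATIONS = [
    {"model": "BEC wire transfer", "frequency": 12, "susceptible": 40,
     "reported": 10, "exposed_value": 2_500_000},
    {"model": "Credential harvesting", "frequency": 30, "susceptible": 25,
     "reported": 50, "exposed_value": 800_000},
    {"model": "Malicious attachment", "frequency": 20, "susceptible": 0,
     "reported": 60, "exposed_value": 1_200_000},
    {"model": "Package delivery notice", "frequency": 45, "susceptible": 30,
     "reported": 20, "exposed_value": 150_000},
]


@dataclass
class RiskPoint:
    model: str
    frequency: int      # chart X-axis
    resilience: float   # chart Y-axis: reported / susceptible
    exposed_value: int  # chart plot-point size
    priority: float     # assumed ranking score, see build_risk_points


def resilience_ratio(reported: int, susceptible: int) -> float:
    """Resilience as the post defines it: reported over susceptible.
    Nobody fell for it -> the ratio is unbounded; return inf, not an error."""
    if susceptible == 0:
        return math.inf
    return reported / susceptible


def build_risk_points(simulations) -> list:
    """Turn raw simulation rows into chart points, highest priority first.
    Priority is an assumption of this example, not the post's formula:
    frequency * exposed value, discounted by how resilient users already are."""
    points = []
    for s in simulations:
        r = resilience_ratio(s["reported"], s["susceptible"])
        priority = s["frequency"] * s["exposed_value"] / (1 + r)
        points.append(RiskPoint(s["model"], s["frequency"], r,
                                s["exposed_value"], priority))
    return sorted(points, key=lambda p: p.priority, reverse=True)


if __name__ == "__main__":
    for p in build_risk_points(SIMULATIONS):
        print(f"{p.model:<24} x={p.frequency:>3} y={p.resilience:>5.2f} "
              f"size=${p.exposed_value:>10,} priority={p.priority:,.0f}")
```

The sorted output is the repetition order the post recommends: the low-resilience, high-frequency, high-value model lands first, and a model nobody fell for drops to the bottom.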