Wipro Develops Cyber-Risk Model
Partners with World Economic Forum on Value-at-Risk Model
Bengaluru-based Wipro Ltd, a global IT, consulting and business process services company, has joined with the Geneva-based World Economic Forum to develop a new value-at-risk framework to enable organisations to develop a better appreciation of their threat landscape. This VAR framework is also intended to quantify cyber-risk and create a cyber-resilient environment.
Using a diagnostic toolkit to develop risk-based metrics, the VAR framework is being developed to help organizations quantify, mitigate and manage residual threats. Security practitioners say 80 percent of CISOs currently do not follow any scientific methods to quantify risks. Hence, a well-defined and researched framework is welcome.
R Guha, head of corporate business development at Wipro, acknowledges that customers are concerned about the rising sophistication of cyber-attacks and reputational and business risks.
"The model will help customers quantify their threats, prioritise business assets and help direct their investments toward better risk mitigation," Guha says.
Bengaluru-based Dr. Harsha E., security head of HK Group, welcomes news of the VAR framework.
"There is a lot of hesitation among security practitioners to deploy new technologies to handle new threats, and as a result, risk is realized only after the breach," he says. "Having a framework to quantify and assess threats and risks will only help the businesses to preempt them and find ways to mitigate risks."
Need for a Framework
The VAR framework developers believe cyberthreats are distinct from other business risks, given their speed, the widespread nature of their impact and the sheer variety of objectives and modes of attack. Cybersecurity is also no longer considered just another technology challenge, but is acknowledged as one of the top five business threats. As per the Forum's estimates, if the sophistication of attacks bests defensive capabilities, the resultant new cyber regulations and policies could hurt innovation by approximately $3 trillion by 2020. Consequently, business leaders and policy makers highlight the need for such a framework.
Wipro quantifies cyber-risk based on the concept of value-at-risk, which measures the potential loss in value of a risky asset or portfolio over a period for a given confidence interval. VAR totals the risk in financial terms, communicating the impact in a language the senior management comprehends and helping them make risk management decisions.
Guha says the assumption is that the approaches and degree of maturity regarding cyber-risk measurement vary across organisations - from an audit-based approach to quantifying cyber-risk in benchmark scores or in dollar terms.
Benchmarking is an effective tool, allowing an organisation to visualise its security posture relative to an ideal or peer group, and to view existing gaps in its cybersecurity. Another approach is using the diagnostic toolkit to assess a company along three key dimensions and provide a score comparable against peer group scores:
- Business Assets - understanding of "crown-jewel" business processes and data, gaining a common view of their criticality across the organisation and awareness of their presence on the underlying infrastructure;
- Threat Perception - assessing the effectiveness of the organisation in collecting, analysing and disseminating threat information;
- Defence - evaluating the various defences across processes, defence tools, people and organisational skills, with the assessment done along three themes: proactive defence, attack detection and aspects of response management.
According to the developers, while applicable across industries, this framework has specific relevance to sectors that handle sensitive personal data, including financial services, healthcare and retail, as well as those involving critical national infrastructure, including the transportation and energy sectors.
The VAR framework model aims to articulate the aggregate level of cyber-risk faced over a given duration of time at a particular level of exposure. The framework is modeled on more established risk evaluation models in the financial sector and aims to quantify the complexity of the technology landscape and its threats through a standardised risk language, so that an organisation can reliably determine and predict its VAR threshold.
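To make the value-at-risk idea concrete, the following added example (not Wipro's or the Forum's model, and not from the original article) simulates a year of loss events for a few constructed "crown-jewel" assets and reads off the loss level that is not exceeded at a chosen confidence level. Event frequencies, loss distributions and asset names are illustrative assumptions.

```python
import math
import random
import statistics

# Constructed example portfolio (assumption, not Wipro/WEF figures): each
# business asset gets an expected number of loss events per year and a
# lognormal loss-per-event distribution (median loss in USD, spread sigma).
ASSETS = {
    "customer-db":  {"events_per_year": 0.5, "median_loss": 400_000.0, "sigma": 1.0},
    "payment-api":  {"events_per_year": 2.0, "median_loss": 50_000.0,  "sigma": 0.8},
    "hr-fileshare": {"events_per_year": 1.0, "median_loss": 20_000.0,  "sigma": 0.6},
}

def poisson_sample(rng, lam):
    """Draw an event count from Poisson(lam) using Knuth's multiplication method."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(rng, assets):
    """One simulated year: sum the losses of every event hitting every asset."""
    total = 0.0
    for spec in assets.values():
        for _ in range(poisson_sample(rng, spec["events_per_year"])):
            total += rng.lognormvariate(math.log(spec["median_loss"]), spec["sigma"])
    return total

def value_at_risk(losses, confidence):
    """Loss level that is not exceeded with probability `confidence` (empirical quantile)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[max(idx, 0)]

def analytic_expected_loss(assets):
    """Closed-form expected annual loss, to sanity-check the simulation against."""
    return sum(a["events_per_year"] * a["median_loss"] * math.exp(a["sigma"] ** 2 / 2)
               for a in assets.values())

def run(years=20_000, seed=1):
    """Simulate `years` independent years and report expected loss and VaR figures."""
    rng = random.Random(seed)
    losses = [simulate_annual_loss(rng, ASSETS) for _ in range(years)]
    return {"expected_annual_loss": statistics.fmean(losses),
            "var_95": value_at_risk(losses, 0.95),
            "var_99": value_at_risk(losses, 0.99)}
```

The gap between the expected annual loss and the 95th or 99th percentile is what a VAR-style figure adds over an average: it is the tail that senior management is being asked to tolerate, transfer or reduce.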
U.S.-based Elena Kvochko, a manager for information technology at the World Economic Forum, says, "A shared framework will boost confidence in and buy-in for organisations' investments towards cyber risk management."
Broadly, the framework can help develop more effective risk transfer markets.
Will CISOs Comply?
Security experts recommend that organisations actively consider the value of their assets, profile of attackers, and the existing security posture, as they build their cyber risk models. Such a framework would help them.
Yet, most agree that security practitioners do not follow scientific methods of evaluating risk or threats. It's always been an afterthought.
"Some CISOs drive security audits, gap analysis and technology updates, have dedicated resources for security, conduct awareness programs on the latest threats etc., to understand threats, which may not really help in measuring risk," Harsha says. However, he adds, "Wipro's VAR model, in carrying out business assets analysis, threat information sharing and perception methods and evaluating defence capabilities through a diagnostic tool kit, seems to be a matured way of measuring risks."
Chennai-based V Rajendran, cyberlaw expert and president of the CyberSec Society of India, endorses the view that organisations often use some kind of measurable matrix for risk management before going in for ISO 27001 certification or at the stage of drafting and implementing an IT BC-DR policy or other endeavours. "Gap analysis and benchmarking and relation with the framework (like CoBIT) etc. are also undertaken at this stage," he says.
Rajendran suggests that an effective cyber-risk measurement model can be developed by studying the principles in ISO 27001 and other risk management-related standards, aligned with the organisation's overall goals and corporate policy, and the proposed VAR model seems to be working on similar lines.
Experts say risk elimination is impossible, so organisations should always be prepared for residual risk. And risk tolerance depends on the organisation's culture.
Guha agrees with that assessment, saying it is imperative to bring business-specific nuances into the approaches mentioned.
"Participation from business experts is critical to build a view of the importance of various business assets and potential threats," Guha says. "This would enable delivery of results of the framework that are meaningful and acceptable to senior management."