From qualitative to quantifiable: Transforming cyber risk management for critical infrastructure
Around the world, attacks against critical infrastructure have become increasingly common. More and more, these aggressions are carried out via mice and keyboards rather than bombs and missiles, such as with the 2021 ransomware attack on Colonial Pipeline. From a military strategy perspective, it’s easy to understand why, as cyberattacks against infrastructure can be executed remotely, cheaply, and with comparatively little risk, while having a debilitating effect across entire regions.
Just as the threats against infrastructure have evolved, so too must the strategies to defend them. Traditional approaches to cyber risk management (CRM) are ill-suited to address today’s rapidly evolving security challenges, which is why the sector must embrace a consequence-driven framework that emphasizes viewing cyber risks in the context of the potential impact on critical processes and assets.
How traditional approaches to CRM fall short
Traditional CRM frameworks were developed to address the challenges of a very different era. Historically, they were driven by qualitative methodologies that assign subjective scores to variables related to the likelihood and impact of an event, typically on a scale of 1 (low) to 5 (very high). While such approaches may provide a surface-level sense of risk categorization, they lack the precision needed to guide critical decisions in today’s high-stakes environment.
For example, a risk score of “25” might indicate a significant threat, but it fails to convey the financial impact the organization could face if the risk materializes. Is this risk likely to cost $500,000, $5 million, or more? Without this clarity, decision-makers are left to make investment choices based on abstract scores rather than concrete financial implications.
This lack of specificity is particularly problematic for critical infrastructure organizations, such as those in energy, rail, and transit, which are prime targets for cyber attackers because disruptions in their operations have the potential to impact entire nations. Qualitative methods fail to fully articulate the diverse impacts of such risks, from operational downtime and financial losses to reputational harm and safety concerns.
Without a true quantitative lens, infrastructure organizations cannot accurately measure the real-world implications of the risks they face, nor can they align their cybersecurity strategies with enterprise risk tolerances, which are often stated in financial terms. This is why organizations are increasingly turning to cyber risk quantification (CRQ) to guide their cyber investments.
CRQ: Cyber risk decision-making made easy
CRQ addresses the shortcomings of traditional qualitative methods by applying objective, organizationally specific variables — often stated in financial terms — to the risk analysis process. By characterizing the impact of cyber risks as potential loss, similar to how other enterprise risks are framed, organizations can more effectively prioritize these risks for mitigation.
Cybersecurity assessments — such as framework assessments, penetration tests, and audits — can produce a long list of findings for security teams to address. Quantifying the surfaced security gaps as potential losses can provide clear guidance for risk prioritization and investment decisions. For example, failing to monitor and control the use of privileged accounts may result in attackers obtaining and using these credentials in future attacks. Using CRQ, a potential future loss of $25 million attributed to this weakness could be compared to the projected cost of $10 million for implementing and maintaining a privileged account management technology — in effect, $2.50 of loss avoided for each $1 spent. Likewise, CRQ can be a useful way to evaluate the criticality of cyber risks in an organization’s risk register, providing a consistent means to identify and prioritize risks that require attention.
Cyber risk quantification overcomes the shortcomings of evaluating cybersecurity investment decisions using traditional return-on-investment methods such as internal rate of return (IRR) or net present value (NPV). These techniques work well for capital investment decisions, but fall short when examining cybersecurity investments that typically focus on preventing loss rather than generating positive cash flows to the organization. As a result, instead of viewing cybersecurity investments as sunk costs, decision-makers can position these investments as vital for minimizing operational disruptions that could result from cyber events and incidents.
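The two points above, that a qualitative score of 25 cannot separate a $500,000 risk from a $25 million one, and that a quantified loss can be set against the cost of a control, can be illustrated with a small risk register. This is an added example, not code from the article or from Axio; the three risks, their probabilities and dollar figures are constructed, and the expected-loss model (probability times loss magnitude) is a deliberately simple assumption rather than a method the article prescribes.

```python
"""Risk register prioritization: qualitative 1-5 scoring versus a simple
quantified model (probability x loss magnitude). All risks and figures
below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # qualitative score, 1 (low) .. 5 (very high)
    impact: int            # qualitative score, 1 (low) .. 5 (very high)
    probability: float     # assumed chance of occurrence over the planning horizon
    loss_magnitude: float  # assumed loss in dollars if the event occurs

    @property
    def qualitative_score(self) -> int:
        return self.likelihood * self.impact  # 1..25, as in traditional CRM

    @property
    def expected_loss(self) -> float:
        return self.probability * self.loss_magnitude  # dollars, the CRQ view


# Constructed register: every entry scores 25 qualitatively, yet the
# quantified expected losses span $500,000 to $25 million.
RISK_REGISTER = [
    Risk("Unmonitored privileged accounts abused", 5, 5, 0.50, 50_000_000),
    Risk("Ransomware on rail scheduling systems", 5, 5, 0.25, 20_000_000),
    Risk("Phishing of corporate mailboxes", 5, 5, 0.80, 625_000),
]


def rank_qualitative(risks):
    """Order by 1-25 score; ties give no guidance on what to fund first."""
    return sorted(risks, key=lambda r: r.qualitative_score, reverse=True)


def rank_quantified(risks):
    """Order by expected loss in dollars, so priorities are comparable."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def loss_avoidance_ratio(expected_loss_avoided: float, control_cost: float) -> float:
    """Dollars of loss avoided per dollar spent on a control."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return expected_loss_avoided / control_cost


if __name__ == "__main__":
    for r in RISK_REGISTER:
        print(f"{r.name:42} score={r.qualitative_score:2d} "
              f"expected loss=${r.expected_loss:,.0f}")
    print("Quantified priority:", [r.name for r in rank_quantified(RISK_REGISTER)])
    # Privileged account management: $25M future loss avoided vs $10M cost
    print("Loss avoided per $1 spent:", loss_avoidance_ratio(25_000_000, 10_000_000))
```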
TSA’s new incident disclosure requirements: a good fit for CRQ
Last November, the Transportation Security Administration (TSA) proposed new regulations that would require pipeline and rail owner/operators to establish and maintain a comprehensive CRM program. Implicit in this new rule is an obligation to report cybersecurity incidents, including the potential operational impact of such incidents. Ostensibly, the TSA’s proposed reporting requirement will push organizations to improve their incident management processes by establishing reliable and consistent methods for determining when an incident requires disclosure — a process that likely involves characterizing the incident in terms of impact and loss, for which CRQ is well-suited.
One way to integrate CRQ into the incident management process is to create incident playbooks that characterize response activities for specific threat scenarios, such as ransomware. In these playbooks, the organization can pre-determine areas of impact that could be realized by the organization — such as financial loss, reputational damage, or fines and legal penalties — and quantify them in advance. Thus, when a playbook is implemented, the organization already has an idea of the range of potential losses that an incident could trigger, making the disclosure decision less subjective.
With baseline impact loss valuations in place, post-incident decisions about investments in improved controls and countermeasures can be evaluated relative to the amount of potential loss avoidance they would generate in the future. In this way, CRQ fortifies incident management by taking some of the financial guesswork out of the process, and in the end, helps organizations meet an increasing regulatory and compliance burden.
CRQ as a strategic imperative
Traditional qualitative methods no longer suffice in a world where the stakes are higher, the threats more complex, and the attackers more resourceful. CRQ offers a transformative solution by providing the data-driven clarity needed to navigate this evolving landscape. By quantifying risks with objective metrics, organizations can align their cybersecurity investments with enterprise priorities, ensure compliance with regulatory mandates like the TSA’s new disclosure requirements, and, most importantly, build a robust, proactive, and informed cybersecurity posture that establishes equilibrium between key organizational priorities — minimizing threat and impact at the most efficient cost.
Richard Caralli is a senior cybersecurity advisor at Axio, a cyber risk management company, and a former technical director of the risk and resilience program at Carnegie Mellon’s Software Engineering Institute CERT Program.