Common mistakes when assessing cyberrisks
Quote:
When calculating potential losses from cyberincidents, statistical data is just as important as its interpretations.

No one wants to spend millions of dollars to protect a company if the actual damage in the event of an incident would not exceed several thousand. And it’s just as foolish to cut corners to save $100 on security if the potential damages of a data leak could total hundreds of thousands of dollars. But what information should you use to calculate the approximate damage a company would incur from a cyberincident, and how do you gauge the actual likelihood of such an incident? At the Black Hat 2020 conference, two researchers — Professor Wade Baker of Virginia Tech and David Seversky, a senior analyst at the Cyentia Institute — presented their view of risk assessment. We found their arguments worthy of further discussion.

Any cybersecurity course worth its salt teaches that risk assessment relies on two main factors: an incident’s probability and its potential losses. But where does that data come from, and, more important, how should it be interpreted? After all, assessing possible losses incorrectly leads to incorrect conclusions, which lead to nonoptimal protection strategies.

Is the arithmetic mean indicative?

Many companies conduct studies of financial losses caused by data breach incidents. Their “key findings” are usually averages of losses of companies of comparable size. The result is mathematically valid, and the figure can look great in catchy headlines, but can we really rely on it to calculate risks?

Present that same data in a graph, with losses along the horizontal axis and the number of incidents that caused the losses along the vertical axis, and it becomes obvious that the arithmetic mean is not the right indicator.

Quote: In 90% of incidents, the average losses are less than the arithmetic mean.

If we are talking about the losses that the average business will incur, then it makes more sense to look at other indicators — specifically, the median (the number that divides the sample into two equal parts such that half of the reported figures are higher and half are lower) and the geometric mean (a proportional average). Most companies suffer just such losses. The arithmetic mean can produce a very confusing figure because of a small number of outlying incidents with abnormally large losses.
...
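The effect described in the quoted article, as an added example that is not part of the article or the Black Hat talk: it compares the arithmetic mean, median and geometric mean on a skewed loss sample and shows how each reacts when the two largest incidents are dropped. The loss figures and the function names are constructed for illustration, not real breach data.

```python
import statistics

# Constructed sample (not real breach data): 20 incident losses in USD,
# mostly modest, plus two abnormally large outliers.
LOSSES = [
    4_000, 6_500, 8_000, 9_000, 12_000, 15_000, 18_000, 22_000, 25_000, 30_000,
    35_000, 40_000, 48_000, 60_000, 75_000, 90_000, 120_000, 200_000,
    5_000_000, 12_000_000,
]


def summarize(losses):
    """Return the three averages and the share of incidents below the mean."""
    mean = statistics.fmean(losses)
    return {
        "mean": mean,
        "median": statistics.median(losses),
        "geometric_mean": statistics.geometric_mean(losses),
        "share_below_mean": sum(x < mean for x in losses) / len(losses),
    }


def without_largest(losses, k):
    """Drop the k largest losses to test how much an indicator depends on them."""
    return sorted(losses)[:-k] if k else list(losses)


if __name__ == "__main__":
    full = summarize(LOSSES)
    trimmed = summarize(without_largest(LOSSES, 2))
    for key in ("mean", "median", "geometric_mean"):
        change = (trimmed[key] - full[key]) / full[key]
        print(f"{key:15s} all: {full[key]:>12,.0f}  "
              f"without top 2: {trimmed[key]:>10,.0f}  ({change:+.0%})")
    print(f"incidents below the arithmetic mean: {full['share_below_mean']:.0%}")
```

On this sample the arithmetic mean is set almost entirely by the two outliers, while the median and geometric mean stay close to what most of the incidents actually cost.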