CISO Success Story: Predicting Cyber Risk (Accurately) Is Easier With This Guy’s Formula

You wouldn’t expect a professional jazz musician to morph into a cybersecurity policy expert, but that’s the story of Ash Hunt (below), author of a groundbreaking paper on cyber-risk analysis.

Thanks to him, we can score cybersecurity risk by the numbers, not by hunches.

Cyber risk scoring, of course, isn’t new, but assessing risk in a quantifiable, consistent way still needs encouragement. Many enterprises have been slow to comply, and regulatory groups are now taking up the cause. New rules adopted by the Securities and Exchange Commission (SEC), in effect since December, require public companies to disclose their processes for assessing, identifying and managing material risk. This conforms with other regulatory authorities that require risk assessments in certain industries.

Learn how secure or exposed your organization really is—get a comprehensive risk score in just 5 days.

That may be music to Hunt’s ears.

The British polymath picked up the trumpet at age 5, got good enough to play at venues like London’s illustrious 100 Club, and then studied for a degree in classics. His interest turned to cybersecurity policy, and he schooled himself partly by attending talks at the London-based policy institute Chatham House, where he developed contacts that eventually led him to represent the U.N. at a cybersecurity conference. From there he served in confidential positions at the UK Ministry of Defence, before working at the Information Security Forum (ISF) as its quantitative information risk lead. This prepared him to take the job of global CISO at financial services provider Apex Group in 2022.

It’s a great method of stress-testing what controls you should go after before [you] kick off remediation activity.

It was during his ISF years, from 2016 to 2018, that Hunt developed a framework for applying hard numbers to cybersecurity risk analysis. He sees it as a departure from traditional risk management practices that were little better than a finger in the wind.

The need for more mature risk analysis

While quantitative risk analysis has been around for decades in other fields, it was far slower to catch on in the technology world, says Hunt.

The Monte Carlo engine is a giant mathematical calculator that enables us to simulate scenarios thousands of times over within a mathematical model.

“The people operating in those domains didn’t have risk management experience – they had experienced technical analysts and engineers,” he says. He laments a form of cyber risk analysis borne of large consultancies that he calls traffic-light scoring, where people subjectively assign red/green/amber scores to different risks. It’s a common method of assessing cybersecurity risk among companies that do it at all, explains Hunt. “That underpinned all the expenditure on technology and organizations, and still does today,” he says, calling it a pernicious practice.

Instead, he piloted a quantitative cybersecurity risk analysis method based on Monte Carlo modeling, which uses repeated sampling to predict the probability of different outcomes in scenarios where random factors are present – much like the gaming tables of Monte Carlo’s casinos, for which it was named. Originally developed in the 1940s for military research purposes, it is now a common technique in areas ranging from financial portfolio management to predicting the weather.

Using Monte Carlo modeling for cyber risk

“The Monte Carlo engine is a giant mathematical calculator that enables us to simulate scenarios thousands of times over within a mathematical model,” Hunt says.

The ISF’s model uses this statistical modeling method to track cybersecurity risk.

“It’s about understanding what scenarios could impede us from achieving our objectives, working out how often they’re happening, what’s causing them, and what controls we have in place to mitigate the effects of them,” Hunt explains.

[Read also: By benchmarking, you can determine your real-time risk score by comparing your endpoint metrics against those of industry peers]

The framework is broadly structured around a simple equation: The frequency of a security incident multiplied by the loss that they generate equates to the risk. However, in practice there are more variables than those. Loss comprises other data points, including lost productivity, the time and cost necessary to repair or replace compromised systems, and legal or regulatory penalties.

Quantitative risk controls in action

While Hunt can’t reveal the precise savings he’s achieved at Apex Group with this methodology, he says it offers a substantial advantage when investing in cybersecurity technology. When he first started at Apex, he used the framework to calculate loss exposure by analyzing the risk event types across each domain, along with the frequency of events, and the minimum loss exposure for those risks.

You’ll never go backwards [with this model]. It’s a continuous, ever-aggregating return on investment for the end user, which is an extremely attractive proposition.

Hunt fed metrics into the Monte Carlo model covering the business and technical environment through to assets and threat sources, and assessments of existing controls. This enabled Hunt and his team to project a range of loss for risks in that area along with a probability for that loss.

“When we aggregated those across multiple scenarios, it was clear that one particular area was the most significant concern for us, by way of its contribution to loss exposure,” he says. He remains tight-lipped on what area of business operations or technology that was.

[Read also: How much should AI affect your risk assessment? Check out the three biggest GenAI threats (and one ongoing challenge) here]

The output from these calculations gave Apex Group a foundation to plan a set of cybersecurity controls that could reduce the potential loss. Rerunning the Monte Carlo model as if those controls were in place showed the gap between the existing cybersecurity situation and a more enhanced one. Measuring that difference against each proposed cybersecurity investment provided the team with a potential return on investment for that security control.

“It’s a great method of stress-testing what controls you should go after before we kick off remediation activity,” Hunt says.

No metric left behind

This all sounds smart, but what happens when CISOs don’t have the necessary data?

Lacking data shouldn’t be a barrier in quantitative risk analysis, argues Hunt. There is no standard quality threshold in this kind of statistical analysis, he points out; you simply work with the data you have. The entire practice is about modeling uncertainty, and the framework will return a range of potential losses in its results that will gradually become more precise.

“The day that you’ll be the worst at this approach to risk modeling is the day you start,” he says.

The model includes a score describing how confident people should be in its predictions. It continually improves this confidence score using feedback and the addition of more data over time. “You’ll never go backwards. It’s a continuous, ever-aggregating return on investment for the end user, which is an extremely attractive proposition.”

Statistic-driven models always outperform instinct, asserts Hunt. With incumbent security models taking a subjective and broad approach, he says that a quantitative model can only improve performance. The days of security-by-hunch are over. Welcome to the age of hard numbers.

---

TO LEARN MORE

Check out other exclusive interviews with security leaders in our “Success Stories” series.

• CISO Success Story – How LA County Trains (and Retrains) Workers to Fight Phishing
• CISO Success Story – How to Build Trust With the Board? Don’t Talk Cybersecurity (Much)
• CIO Success Story – Looking At the Flip Side of Third-Party Risk
• CISO Success Story – How Zoom Achieved Cybersecurity 2.0 With Cyber Risk Scoring