Data and Cloud Security
Data and platform security
Data and platform security touches all of us almost every day, whether through password management and data encryption or the more publicised cyber security topics of ransomware and anti-virus software. One way or another, some form of cyber security is now a natural part of our everyday lives. Being aware of where your personal or corporate data is located, and who has access to it (and why!), should be something we all take accountability and responsibility for.
My introduction to this domain came about in earnest when I first started using AWS in 2014. I needed to improve my understanding of the tools and processes that are available in the cloud to protect and monitor applications and the data they contain. This was one of the key motivational drivers behind why I became an ISC2 CCSP. As it turned out, I learnt far more during these studies than I expected, including things like the minimum effective height for raised-floor installations (that would be 24 inches) (a) and the different types of smoke detectors in data centres (photoelectric vs. ionization) (a).
Being able to apply current best practices around data and platform security remains a particular interest for me and is a domain that presents new learning opportunities almost every day.
Quantitative Risk Assessments
One key area of the cyber security domain is quantifying and managing cyber risk. This helps stakeholders make informed decisions about the possible impact of a cyber event and the options available to mitigate that risk. What is the best way to express a cyber risk metric so that it can be measured over time and also used as the basis for risk-based decisions by the ultimate stakeholders (e.g. a board of directors)?
- “We calculate that there is a Low chance that we will experience a data loss higher than $750,000”
- “The likelihood that we will experience a data loss resulting in an impact greater than $750,000 is between 0% and 20%.”
Whilst the first option is perhaps easier (and maybe quicker) to determine, the second is of more help to senior stakeholders when deciding whether to invest money in mitigating or transferring the risk: it states the threshold and the probability explicitly, so both can be tracked as they change.
Working with tools and processes that take a quantitative approach to cyber risk management is an area that has interested me for a while.
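As an added example that is not part of the original page, the following Monte Carlo simulation shows how a statement of the second kind ("the likelihood of a loss greater than $750,000 is between X% and Y%") can be produced from an event frequency and a loss severity distribution. The event rate, median loss, spread and the qualitative bands are constructed assumptions for illustration, not figures from the page or from any risk standard.

```python
import math
import random


def sample_poisson(rng, rate):
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(rate, median_loss, sigma, trials, seed=1):
    """Simulate total annual loss for `trials` years.

    rate        -> expected loss events per year (Poisson frequency)
    median_loss -> median cost of one event (lognormal severity)
    sigma       -> log-scale spread of the severity distribution
    """
    rng = random.Random(seed)           # fixed seed so results are reproducible
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        events = sample_poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """(threshold, probability) pairs; the quantity to track over time."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def qualitative_band(probability):
    """Constructed bands mapping a probability back to a 'Low/Medium/High' label."""
    if probability < 0.2:
        return "Low"
    return "Medium" if probability < 0.5 else "High"


if __name__ == "__main__":
    # Assumed scenario: 1.5 events/year, median event cost $120k, wide spread.
    annual = simulate_annual_losses(rate=1.5, median_loss=120_000, sigma=1.2, trials=20_000)
    p = exceedance_probability(annual, 750_000)
    print(f"P(annual loss > $750,000) = {p:.1%} ({qualitative_band(p)})")
    for threshold, prob in loss_exceedance_curve(annual, [250_000, 750_000, 2_000_000]):
        print(f"  > ${threshold:>9,}: {prob:.1%}")
```

The exceedance curve is what makes the metric measurable over time: rerunning it after a control is added shows how far the probability of breaching the $750,000 threshold moved.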
Cyber Risk Transfer
One of the accepted actions that can be taken after quantifying cyber risk is to “transfer” the risk. In exchange for a premium, the risk is transferred to an entity willing to bear the costs resulting from a cyber event. The Insurance, Re-insurance and ILS (Insurance Linked Securities) domains specialise in this risk transfer process, and although you might intuitively think the risks associated with your cyber insurance remain with the insurer from whom you purchased the policy, chances are that some portion has been passed on to other entities (up to and including fund investors in the case of ILS).
Central to this whole risk transfer process is being able to price the cyber risk in question. That is a particular area where quantitative risk assessments can significantly help.
References
- (a) - ISC2 CCSP CBK 2017 ed.
- (1, 4, 7, 8) - IBM Cost of a Data Breach Report - 2023
- (2) - Bleeping Computer - June 2023
- (3) - Top 5 Cloud Native Risks - ISC2 - May 2023
- (5, 6) - U.S. Dept of Treasury Cloud Report p.49 and p.67 - 2023 (pdf)
