A System to Calculate Cyber-Value-at-Risk

In the face of increasing numbers of cyber-attacks, it is critical for organisations to understand the risk they are exposed to even after deploying security controls. This residual risk forms part of the ongoing operational environment, and must be understood and planned for if resilience is to be achieved. However, there is a lack of rigorous frameworks to help organisations reason about how their use of risk controls can change the nature of the potential losses they face, given an often changing threat landscape. To address this gap, we present a system that calculates Cyber-Value-at-Risk (CVaR) of an organisation. CVaR is a probabilistic density function for losses from cyber-incidents, for any given threats of interest and risk control practice. It can take account of varying effectiveness of controls, the consequences for risk propagation through infrastructures, and the cyber-harms that result. We demonstrate the utility of the system in a real case study by calculating the CVaR of an organisation that experienced a significant cyber-incident. We show that the system is able to produce predictions representative of the actual financial loss. The presented system can be used by insurers offering cyber products to better inform the calculation of insurance premiums, and by organisations to reason about the effects of using particular risk control setups on reducing their exposure to cyber-risk.