Currently, significant uncertainty surrounds cyber security investments. Chief Information Security Officers do not have an effective framework to compare investments in various security safeguards, such as encryption technology, data loss prevention (DLP), or two-factor authentication. Further, there are no clear methods to assess the risk reduction associated with security investments, which leaves organizations prone to purchasing ineffective products from security vendors.
Most cyber risk management is done qualitatively, which prevents the comparison of cyber risk with other types of organizational risk. Our research uses probabilistic risk analysis (PRA) to quantitatively assess cyber risk in organizations (in dollar terms). We outline a portfolio of tools and techniques to assess different cyber risks. For example, we use probabilistic inputs to determine whether full disk encryption is cost effective, given the rate of laptop thefts and data disclosures. Our quantitative framework allows explicit trade-offs between high-frequency, low-cost incidents and low-frequency, high-cost incidents.
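As an added illustration of the full disk encryption trade-off described above (not code from the research itself), the following Python computes annualised loss expectancy with and without encryption and then runs a small Monte Carlo so that expected loss and tail loss can be compared in dollar terms. All theft rates, disclosure probabilities, loss amounts and control costs are constructed assumptions chosen for the example.

```python
"""Added example: is full disk encryption (FDE) cost effective?

Every input below is a constructed, illustrative assumption, not a figure
from the research described above.
"""
import math
import random


def expected_annual_loss(theft_rate, p_disclosure, loss_per_disclosure):
    """Annualised loss expectancy: thefts/year x P(disclosure | theft) x loss per disclosure."""
    return theft_rate * p_disclosure * loss_per_disclosure


def fde_decision(theft_rate, p_disc_plain, p_disc_fde, loss_per_disclosure, fde_annual_cost):
    """Return (ALE without FDE, ALE with FDE, net annual benefit of deploying FDE).

    A positive net benefit means the risk reduction exceeds the control's cost.
    """
    ale_plain = expected_annual_loss(theft_rate, p_disc_plain, loss_per_disclosure)
    ale_fde = expected_annual_loss(theft_rate, p_disc_fde, loss_per_disclosure)
    return ale_plain, ale_fde, (ale_plain - ale_fde) - fde_annual_cost


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(theft_rate, p_disclosure, loss_median, loss_sigma, years=10000, seed=1):
    """Monte Carlo: Poisson thefts, Bernoulli disclosure, lognormal loss per disclosure.

    Returns (mean annual loss, 95th-percentile annual loss) so that a high-frequency,
    low-cost profile can be compared with a low-frequency, high-cost one on both axes.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, theft_rate)):
            if rng.random() < p_disclosure:
                total += rng.lognormvariate(math.log(loss_median), loss_sigma)
        losses.append(total)
    losses.sort()
    return sum(losses) / years, losses[int(0.95 * years)]


if __name__ == "__main__":
    # Constructed scenario: 200 laptops, 5% stolen per year, $40/laptop/year for FDE.
    print(fde_decision(10, 0.6, 0.02, 50_000, 8_000))   # (300000.0, 10000.0, 282000.0)
    print(simulate_annual_loss(10, 0.6, 50_000, 1.0))   # mean ~ 495k, p95 well above it
```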