This research paper discusses the growing cyber risks faced by organizations due to the increasing number of applications, IoT devices, and complex codebases, and proposes three ways to improve current cyber risk measures.
- Bring greater visibility to organizations’ inherent risk levels: Develop dashboards that measure factors such as the number of applications, size and nature of databases, code repositories, regional operations, M&A velocity, and dependencies on key suppliers. This helps in understanding what is being defended and allows for better allocation of resources.
- Improve transparency, accuracy, and precision in measuring performance against likely threats: Use frameworks such as MITRE’s ATT&CK and CISA’s Cybersecurity Performance Goals to test security performance against specific threat techniques. Focus on identity and access defenses, reputational analysis techniques, and securing high-value assets. Evaluate the security processes in place at software providers and adopt frameworks such as NIST’s SSDF and SBOMs for third-party risk management.
- Plan for and measure performance against low-probability, high-consequence events: Use models such as Value at Risk to quantify potential losses, but be wary of overly optimistic risk assessments. Frame preparedness planning around severe but plausible scenarios, maintain offline backups, test recovery processes, and ensure the continuity of critical functions.
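As an added illustration of the SBOM-based third-party risk check mentioned in the second point (this is example code written for this summary, not code from the paper or from any SBOM tooling), the following script loads a minimal CycloneDX-style JSON SBOM, flags components whose version falls inside an advisory's affected range, and flags components that lack the version or supplier fields a reviewer needs. The SBOM contents, the component names and the advisory identifier `EXAMPLE-ADV-0001` are all constructed placeholders; the version comparison assumes plain dotted numeric versions.

```python
"""Third-party risk review over a software bill of materials (SBOM).

Added example, not from the paper. The SBOM and the advisory list below
are constructed for illustration; they describe no real components or
real vulnerabilities.
"""
import json

# Constructed CycloneDX-style SBOM with three placeholder components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "supplier": {"name": "Example Vendor"}},
        {"type": "library", "name": "parsekit", "version": "2.0.9",
         "supplier": {"name": "Example Vendor"}},
        # Missing version: cannot be matched against any advisory.
        {"type": "library", "name": "legacy-auth",
         "supplier": {"name": "Unknown"}},
    ],
})

# Constructed advisory: a component is affected if
# introduced <= version < fixed. The identifier is a placeholder.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "parsekit",
     "introduced": "2.0.0", "fixed": "2.1.0"},
]


def parse_version(text):
    """Turn a dotted numeric version ('2.0.9') into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True if version lies in the advisory's half-open affected range."""
    v = parse_version(version)
    lower = parse_version(advisory["introduced"])
    upper = parse_version(advisory["fixed"])
    return lower <= v < upper


def review_sbom(sbom_json, advisories):
    """Return (component, finding, advisory_id) tuples for the SBOM.

    Findings: 'known-advisory' when a version matches an advisory,
    'missing-version' and 'missing-supplier' when the SBOM lacks the
    data needed to assess the component at all.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    findings = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if version is None:
            # A transparency gap: no advisory matching is possible.
            findings.append((name, "missing-version", None))
            continue
        if not comp.get("supplier", {}).get("name"):
            findings.append((name, "missing-supplier", None))
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv):
                findings.append((name, "known-advisory", adv["id"]))
    return findings


if __name__ == "__main__":
    for component, finding, adv_id in review_sbom(SAMPLE_SBOM, ADVISORIES):
        print("%-12s %-16s %s" % (component, finding, adv_id or ""))
```

The two kinds of finding matter differently: a `known-advisory` hit is a concrete remediation item for the supplier, while a `missing-version` or `missing-supplier` finding means the SBOM itself is not transparent enough to assess, which is the gap the point about supplier security processes is aimed at.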
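As an added worked example of the Value at Risk modelling in the third point, and of why an optimistic assumption understates tail loss (example code written for this summary, not the paper's model), the script below simulates annual aggregate cyber loss as a Poisson incident count times a log-normal loss per incident, reads off VaR and the expected shortfall beyond it, and then re-runs the same model with a thinner severity tail. All parameters (incident rate, loss scale, confidence level) are constructed assumptions for illustration, not figures from the paper.

```python
"""Monte Carlo Value at Risk for annual cyber loss.

Added example, not from the paper. Frequency and severity parameters
are constructed assumptions; the point is the comparison between a
heavy-tailed and an optimistic thin-tailed severity model.
"""
import math
import random


def _poisson(rng, lam):
    """Draw one Poisson(lam) count (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(n_years, freq_lambda, sev_mu, sev_sigma, seed=1):
    """Return n_years simulated annual aggregate losses (currency units).

    Each year has Poisson(freq_lambda) incidents; each incident costs a
    log-normal(sev_mu, sev_sigma) amount. Larger sev_sigma = heavier tail.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        total = 0.0
        for _ in range(_poisson(rng, freq_lambda)):
            total += rng.lognormvariate(sev_mu, sev_sigma)
        losses.append(total)
    return losses


def value_at_risk(losses, confidence):
    """Empirical VaR: the loss not exceeded in `confidence` of years."""
    if not losses:
        raise ValueError("no simulated losses")
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(math.ceil(confidence * len(ordered))) - 1)
    return ordered[max(idx, 0)]


def expected_shortfall(losses, confidence):
    """Mean loss in the years at or beyond the VaR threshold.

    This is the 'severe but plausible' figure: VaR alone says nothing
    about how bad the years past the threshold are.
    """
    threshold = value_at_risk(losses, confidence)
    tail = [x for x in losses if x >= threshold]
    return sum(tail) / len(tail)


def compare_tail_assumptions(n_years=5000, confidence=0.95):
    """Run the same model with a heavy and an optimistic severity tail."""
    # Constructed parameters: ~3 incidents/year, median loss exp(11) ~ 60k.
    heavy = simulate_annual_losses(n_years, 3.0, 11.0, 2.0)
    optimistic = simulate_annual_losses(n_years, 3.0, 11.0, 1.0)
    return {
        "heavy_var": value_at_risk(heavy, confidence),
        "heavy_es": expected_shortfall(heavy, confidence),
        "optimistic_var": value_at_risk(optimistic, confidence),
        "optimistic_es": expected_shortfall(optimistic, confidence),
    }


if __name__ == "__main__":
    for name, value in compare_tail_assumptions().items():
        print("%-15s %14.0f" % (name, value))
```

The same incident rate and median loss produce very different 95% VaR and expected-shortfall figures depending only on the severity tail chosen, which is the sense in which a VaR number can be overly optimistic: the answer is driven by an assumption that rarely has enough loss data behind it, so planning should be framed around the severe scenario rather than the point estimate.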
By implementing these three improvements and working with allied nations, the paper suggests that organizations can not only manage technology risks but also turn them into opportunities for a more resilient economy.