Cyber Risk Measurement: A Summary of HBR

Improve Cyber Risk Measures


This HBR article discusses the growing cyber risk organizations face as their application estates, IoT device fleets, and codebases expand and become harder to inventory, and proposes three ways to improve how that risk is currently measured.

  1. Bring greater visibility to organizations’ inherent risk levels: Build dashboards that track the factors driving inherent risk, such as the number of applications, the size and sensitivity of databases, the number of code repositories, regional operations, M&A velocity, and dependence on key suppliers. Knowing what is actually being defended makes it possible to allocate resources where the exposure is.
  2. Measure performance against likely threats with more transparency, accuracy, and precision: Use frameworks such as MITRE ATT&CK and CISA’s Cybersecurity Performance Goals to test defenses against specific, named threat techniques rather than against generic checklists. Prioritize identity and access controls, reputational analysis techniques, and protection of high-value assets. For third-party risk, evaluate the security practices of software providers, adopt NIST’s Secure Software Development Framework (SSDF), and require software bills of materials (SBOMs) so that dependencies are visible.
  3. Plan for and measure performance against low-probability, high-consequence events: Use models such as Value at Risk to quantify potential losses, but be cautious of the optimism built into such estimates, which tend to understate rare, severe losses. Frame preparedness planning around severe but plausible scenarios, maintain offline backups, test recovery processes, and make sure critical functions can continue through an incident.
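
The third recommendation rests on a quantitative model, so here is a worked illustration of a cyber Value at Risk calculation and of why it can be optimistic. This is an added example, not code or figures from the HBR article or this page. It assumes a standard frequency/severity model (Poisson incident count, lognormal loss per incident) with invented parameters: 3 incidents a year, a median incident cost of $250,000, and two alternative tail assumptions. Both scenarios share the same frequency and median; only the tail shape (`sigma`) differs, which is exactly the parameter an optimistic assessment tends to underestimate.

```python
"""Monte Carlo cyber Value at Risk (VaR) with a thin-tail vs heavy-tail comparison.

Added illustration; all parameters are invented for the example and are not
figures from the HBR article or the summary above.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    """Frequency/severity assumptions for one annual-loss scenario.

    events_per_year: mean number of incidents per year (Poisson rate).
    median_loss:     median cost of one incident in dollars (lognormal median).
    sigma:           lognormal shape parameter; a larger value means a heavier tail.
    """
    events_per_year: float
    median_loss: float
    sigma: float


# Hypothetical scenarios: identical frequency and median, different tail shape.
OPTIMISTIC = LossModel(events_per_year=3.0, median_loss=250_000.0, sigma=1.0)
HEAVY_TAIL = LossModel(events_per_year=3.0, median_loss=250_000.0, sigma=2.0)


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson(lam) count (Knuth's method; fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(model: LossModel, trials: int = 20_000, seed: int = 1) -> list:
    """Simulate `trials` years; each year's loss is the sum of its incident costs."""
    rng = random.Random(seed)
    mu = math.log(model.median_loss)  # lognormal location giving the chosen median
    losses = []
    for _ in range(trials):
        incidents = _poisson(rng, model.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, model.sigma) for _ in range(incidents)))
    return losses


def value_at_risk(losses: list, confidence: float) -> float:
    """Loss level not exceeded in `confidence` fraction of simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def expected_shortfall(losses: list, confidence: float) -> float:
    """Mean loss across the worst (1 - confidence) fraction of years.

    VaR says where the tail starts; expected shortfall says what the tail
    costs on average, which is the number a 'severe but plausible' plan needs.
    """
    ordered = sorted(losses)
    cut = math.ceil(confidence * len(ordered)) - 1
    return statistics.fmean(ordered[cut:])


def risk_summary(model: LossModel, trials: int = 20_000, seed: int = 1) -> dict:
    """Expected loss, 95% and 99% VaR, and 99% expected shortfall for a scenario."""
    losses = simulate_annual_losses(model, trials, seed)
    return {
        "expected_loss": statistics.fmean(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "es_99": expected_shortfall(losses, 0.99),
    }


def main() -> None:
    for name, model in (("optimistic tail", OPTIMISTIC), ("heavy tail", HEAVY_TAIL)):
        summary = risk_summary(model)
        print(f"{name}: " + ", ".join(f"{k}=${v:,.0f}" for k, v in summary.items()))


if __name__ == "__main__":
    main()
```

Running it shows that the expected (mean) annual loss, the figure a budget discussion usually anchors on, sits far below the 99% VaR, and that changing only the tail parameter moves the 99% VaR by an order of magnitude while the median incident cost stays the same. That sensitivity is the practical reason the article warns against taking an optimistic VaR at face value and recommends planning around explicit severe scenarios instead.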

By implementing these three improvements, and by working with allied nations, the article suggests that organizations can not only manage technology risk but turn it into an opportunity to build a more resilient economy.


Harvard Business Review: Cyber Risk Is Growing. Here’s How Companies Can Keep Up
