Developing a Framework and Methodology for Assessing Cyber Risk


By Sean Martin, host of At The Edge

This is an interview with Howard A. Miller, CRM, CIC, SVP and Director of the Tech Secure® Division at LBW Insurance, discussing “Developing a Framework and Methodology for Assessing Cyber Risk for Business Leaders” (Journal of Applied Business and Economics, volume 20(3), 2018).

How did you come up with the idea for the research paper?

After I completed my certified risk manager designation in 2012 it was not completely clear how to apply the objectives. I look at risk management holistically, so it applies to any industry and should be able to scale to any-sized organization. Since that time, I’ve better analyzed core components of what I was taught. I essentially internalized and analyzed information which led to a cohesive system geared toward business leadership.

Technology risk has been the area of most interest to me, so the framework needed to be able to encompass cyber risk. As the Pepperdine Cyber Risk Professional certificate program was being developed, I proposed the approach so executives and board members could gain a baseline understanding of risk, utilize the framework and put cyber risk into context. It led to creating a portion of the online course material, teaching and the publishing of the paper.

How does this apply to companies, boards or CEOs?

For me, nothing gets done without leadership. Successful companies are driven by sales; companies’ employees are inherently biased. This can mask the fact that failure to manage risk can destroy all future objectives.

Understanding a framework for risk management puts insurance and risk control into context and facilitates a common language for communicating on risk management objectives. As companies grow, the organizations and their information can get more siloed. With a finite amount of resources, a system is needed to look at both opportunity and downside risk, to avoid competing interests and an overly narrow focus.

This approach benefits the company and provides executive leadership with a way to spot problems before they take down the organization.

What is the main problem?

Growth rate and regulatory compliance are hard to regulate. The problem is that the first-party perspective of an organization cannot self-diagnose its risks accurately. To compound this problem, internal resources may not be inclined to report bad news. Whistleblowers could be fabricating information or trying to legally extort money from the company through litigation.

If the risk is high, reporting the problem could be delayed by the belief that the company could survive longer if the information remains hidden. Failure to address risk management can create liability for the board and executives due to negligence and compliance failure. The speed of growth can increase or decrease risk. The ultimate objective is to achieve a sustainable growth rate.

What are the solutions?

The solution requires a third-party, non-biased opinion and a report on the state of the company’s risk. This report includes data visualization appropriate for an executive audience. It then could be compared at two different points to show progress. This third-party approach based on analyzed impact scores is proactive. The documentation of the risk management framework supports regulatory and industry compliance.

What is the Impact Score?

There are two key objectives of the paper. The first is to prioritize risk. If you don’t know what you are up against, you can’t do anything to protect yourself. All risk comes down to how often a given scenario will occur and, if it does, how bad it will be (frequency and severity). Having a scoring system allows risk scenarios to be prioritized so that leadership can direct resources towards the second objective: protect the organization. Scores are tied to financial impact and internal priorities.

The scoring model also contains certain weighting factors applicable to risk assessment on a broad scale including cyber risk. One example is velocity. Due to weather modeling, the state of Hawaii was preparing for Hurricane Lane. Being able to perceive an event before the impact can allow for measures to be taken to minimize loss.

According to an IBM study, “The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days)”. In this case the perception of the impact is as much as one year after the event allowing potentially terabytes of data to go out the back door before ever being discovered and mitigated. If risk is more likely to happen than not, it is wise to prepare.
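As an added illustration (not the paper's scoring model or Miller's risk calculator), the following Python ranks a constructed risk register by a frequency-times-severity score, uses detection lag as a stand-in for the velocity weighting, and compares two assessment snapshots the way the third-party report described above would; the scenarios, figures and the assumed 365-day full-loss horizon are all invented for the example.

```python
"""Hypothetical risk-prioritization sketch (illustration only, not the
paper's model). Detection lag acts as a velocity weight: the longer an
event goes unnoticed, the more of its loss is assumed to be realized."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float       # expected events per year (assumed estimate)
    severity: float        # dollar loss per event if fully realized
    detection_days: float  # days between occurrence and detection


def velocity_weight(detection_days: float, full_loss_days: float = 365.0) -> float:
    """Share of severity assumed realized before detection, capped at 1.0.
    full_loss_days is an assumed horizon at which the whole loss is taken."""
    if detection_days < 0:
        raise ValueError("detection lag cannot be negative")
    return min(detection_days / full_loss_days, 1.0)


def impact_score(s: Scenario) -> float:
    """Annualized expected loss, weighted by how late the event is perceived."""
    return s.frequency * s.severity * velocity_weight(s.detection_days)


def prioritize(scenarios):
    """Rank scenarios by impact score, highest first, as (name, score) pairs."""
    scored = [(s.name, round(impact_score(s), 2)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def progress(before, after):
    """Change in score per scenario between two assessment snapshots."""
    b, a = dict(prioritize(before)), dict(prioritize(after))
    return {n: round(a.get(n, 0.0) - b.get(n, 0.0), 2) for n in set(b) | set(a)}


# Constructed register; detection lags mirror the IBM figures quoted above
# (365 days for a mega breach, 266 for a smaller one).
BASELINE = [
    Scenario("mega data breach", 0.05, 10_000_000, 365),
    Scenario("smaller data breach", 0.30, 1_000_000, 266),
    Scenario("phishing wire fraud", 2.00, 50_000, 3),
]
# Same register after improved monitoring shortened the breach detection lags.
FOLLOW_UP = [
    Scenario("mega data breach", 0.05, 10_000_000, 120),
    Scenario("smaller data breach", 0.30, 1_000_000, 60),
    Scenario("phishing wire fraud", 2.00, 50_000, 3),
]
```

Running `prioritize(BASELINE)` then `progress(BASELINE, FOLLOW_UP)` shows the ranking and how much each score fell once detection lag shrank, which is the kind of two-point comparison an executive report would visualize.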

What similarities or differences does this system have to other leading risk management systems?

The similarities are based on existing knowledge of risk management principles. One area of differentiation I am proud of is the risk taxonomy. The classification of the components of the framework was critical in being able to view risk information in a hierarchical manner so you have more detail. Additionally, the differences have to do with the risk impact scoring model and automation that’s being developed around the visualization of risk and prioritizing risk objectives.

It’s important to take complex ideas and explain them in an understandable manner. This drive to refine the risk management framework led to innovation in creating an understandable way for leadership to grasp risk management and apply it to cyber risk. With this knowledge comes better communication of risk management objectives and an increased likelihood that opportunities will achieve success.

Can you talk about the ongoing development with Pepperdine CyRP?

I am building on the risk calculator concept. I had the privilege of working with Pepperdine’s graduating Master of Science in Applied Analytics class on moving the concept forward. The results were very interesting and several concepts deserve further development. I wanted to utilize visual analysis of risk in conversations with boards, executives and in teaching. I would direct executives and board members to the Cyber Risk Professional Certificate, where you can get an in-depth experience of this topic, the article, along with the well-rounded program put together by the incredible advisory board and staff at Pepperdine.

What is the vision for this system?

It's big. We are living in a time of accelerated risk. The idea is: the use of an automated system evolving to meet emerging risk. Also, I see in my future focusing on using the framework as an integral piece for managing cyber risk within the context of an enterprise approach that is ultimately about corporate growth and sustainability.

A message from Howard:
“I’d like to say thank you and give special thanks to Dr. Charla Griffy-Brown.”


About Howard Miller

Howard A. Miller, CRM, CIC, is SVP, Director Tech Secure® Division, LBW Insurance. He is a highly motivated and creative expert in insurance, insurance consulting and risk management and a licensed agent since 1997 in property and casualty insurance. Howard provides complete insurance programs and advisory consulting with a specialty focus on technology errors & omissions, cyber liability and technology risk for a range of other industries including financial services, professional services, non-profit and others.

Howard has been successful in cybercrime insurance product development, speaking and educational presentations. In July 2018 he published the article “Developing a Framework and Methodology for Assessing Cyber Risk for Business Leaders”, co-authored with Dr. Charla Griffy-Brown, in the Journal of Applied Business and Economics (ISSN 1499-691X), volume 20(3), 2018. He is a board member of the non-profit Secure The Village (information security educational outreach) and of the Pepperdine Graziadio Business School Cyber Risk Professional Certificate advisory board.

Find Howard on LinkedIn.