Communicating Cyber Risks to the Board: The Value of a Comparative Metric for Investment Decision-making

Cybersecurity risk oversight is a major – and ever-increasing – concern for boards of directors, and one that should be front and center on their agendas. Properly assessing what level of risk is acceptable to their core business entity is central to this, and poses challenges. In recent years, boards have often underestimated cybersecurity risks, resulting in large breaches with significant costs. Looking ahead, it is helpful to examine the reasons for this underestimation, and to identify steps to improve cyber risk assessment for boards of directors.

Why Boards Underestimate Cyber Risk

Experience at Cybeta™ indicates that two key factors are at play. First, there remains a lack of cybersecurity expertise at board level. Many recent drivers of cyber risk have outpaced board members’ levels of understanding, because technology and cybersecurity expertise is usually outside of their core fields of expertise.

And second, cybersecurity professionals have done a poor job of communicating risk to the board. In this complex and fast-moving environment, it is all too easy for cyber experts to rely on technical jargon that confuses people without a background in cybersecurity. Instead, there is a need for a widely accepted and understood metric to evaluate cyber risk at the board level and beyond.

Threat Beta™ Provides the Right Information about Cyber Risk

To meet this need, we created Threat Beta, a comparative metric derived using proprietary methods that includes three primary analytic modules:

  1. Threat Surface: How extensive is your company’s presence on the internet?
  2. Weighted Vulnerability Record: How does your company’s vulnerability compare with that of your competitors, and with all companies? How do your technologies compare with theirs, and with the state of the art?
  3. Attack Likelihood: Based on advanced indications and warnings on emerging cyber-attacks, what is your company’s chance of falling victim?

These three elements are all considered and then augmented with deep and dark web content to create a Threat Beta score, which is straightforward to communicate to board members.

Threat Beta Provides Offensive Threat Capabilities

This augmentation with deep and dark web content ensures that Threat Beta takes full account of global activity against technologies by malevolent actors, quantifying their offensive threat capability, rather than simply focusing on your company’s defensive security set-up.

Updates to the Threat Beta risk score, based on the global threat landscape, can be derived on a weekly basis to see how the core cyber risk to the company is evolving. Board members can request more detailed analytical briefings from their cyber teams, and everyone can see the underlying drivers of Threat Beta score trends – which may be increasing through no fault of the company – helping inform appropriate investment decision-making to mitigate cyber risks.