A cyber incident may be defined as a circumstance which leads to one or more technical failures of one or more information systems, resulting in a loss of confidentiality, integrity, and/or availability of critical information. A cause of a cyber incident may be environmental, local situational (e.g., local situations that might impact people's ability to get to work), hostile, incidental, and/or accidental.
In existing cyber risk methods, a vulnerability of the one or more information systems is determined by a subjective assessment by practitioners of the cyber defense systems. Use of subjective assessment may skew results of identical systems based on the individuals providing input.
Existing cyber risk methods depend on probabilistic distribution models to determine the likelihood of a circumstance (e.g., an event) that may cause a cyber incident. For example, existing cyber risk methods may rely upon probabilistic, stochastic measures, informed by aggregating answers to myriad questions about cyber infrastructure components, including questions about their usage and maintenance. The probabilistic distribution models (e.g., the Monte Carlo method) may be dependent on large pools of actuarial data to establish probability with accuracy and precision. Available actuarial data for cyber incidents may be limited compared to other uses of these models. Probabilistic distribution models based on event frequency may minimize the impact of one or more of the most significant events (e.g., because the low frequency artificially degrades their significance in the modeling). Thus, such probabilistic distributions may not accurately characterize the risk associated with low probability but highly damaging events.
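The effect described above can be reproduced numerically. The following is an added example, not part of the original text: it fits a frequency-based model to many short observed histories and compares the fitted expected annual loss with the true one. The event names, probabilities, loss amounts and the 10-year history length are constructed assumptions.

```python
import random

# Constructed figures for illustration; not taken from the page or any data set.
EVENTS = {
    "routine": {"annual_prob": 0.9, "loss": 20_000},
    "catastrophic": {"annual_prob": 0.01, "loss": 50_000_000},
}

def true_expected_loss():
    """Expected annual loss if the real probabilities were known."""
    return sum(e["annual_prob"] * e["loss"] for e in EVENTS.values())

def fit_to_history(rng, years):
    """Estimate each event's frequency from one observed history of `years` years.

    Returns (fitted expected annual loss, number of catastrophic years observed).
    """
    fitted, seen = 0.0, {}
    for name, e in EVENTS.items():
        seen[name] = sum(rng.random() < e["annual_prob"] for _ in range(years))
        fitted += seen[name] / years * e["loss"]
    return fitted, seen["catastrophic"]

def study(years=10, trials=20_000, seed=1):
    """Fit the frequency model to many independent short histories."""
    rng = random.Random(seed)
    results = [fit_to_history(rng, years) for _ in range(trials)]
    losses = sorted(loss for loss, _ in results)
    return {
        "true": true_expected_loss(),
        "median_fitted": losses[trials // 2],
        # Share of histories in which the catastrophic event never appears,
        # so the fitted model assigns it zero frequency.
        "blind_fraction": sum(n == 0 for _, n in results) / trials,
    }

if __name__ == "__main__":
    for key, value in study().items():
        print(f"{key}: {value:,.3f}")
```

With these assumed figures, about nine in ten 10-year histories contain no catastrophic event at all, so the typical fitted model reports only the routine losses even though the catastrophic event accounts for most of the true expected loss.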
Existing cyber risk methods to assess vulnerabilities use generic, industry cyber defense systems as a factor in determining the impact of a cyber incident. Using generic, industry cyber defense systems may dilute the value of information to individual enterprises as all information systems and cyber defense systems are unique.