A major aspect of risk management for businesses and other institutions is the question of how cyber security and other information system resources should be allocated. Different businesses and institutions face markedly different cyber security and information system threats and potential harms, and the security and risk managers of these institutions must be able to prioritize their cyber security and information system resources according to what they anticipate to be the most serious and harmful threats to their operations. Directing resources toward fending off lower-priority threats risks wasting those resources and leaving too few available for dealing with higher-priority threats.
Existing characterizations of the cybersecurity risks faced by a business or other institution are typically drawn from highly subjective sources, such as questionnaires provided to certain people within the business or the intuition of experts.
What models exist are typically based on a standard risk assessment formula, in which the risk of a particular cyberattack is calculated by multiplying the threat of the attack, the apparent vulnerability of the business to the attack, and the estimated cost of the attack actually occurring. This can be expressed as Risk = Threat × Vulnerability × Cost.
However, many problems exist with both of these approaches. Subjective calculations of risk are fundamentally rooted in opinion, and opinions are seldom calibrated. This remains true even when the subjective calculations are incorporated into a weighted model: if the data input into the model is flawed, the output of the model will likewise be flawed no matter how good the model. Purely subjective calculations of risk can also be hard for others to understand or verify, particularly if they lack the skills or experience that underlie the calculation. For example, corporate managers outside the security field may have a hard time understanding the basis for a subjective calculation of risk, and thus may have a hard time appreciating the need to protect the business in specific ways, or the lack of urgent need to protect it in other ways. Mistakes in subjective models can also propagate forward until the initial subjective inputs are verified by someone of equal skill.
Other problems apart from subjectivity also exist. For example, questionnaires are often not based on proven standards and have little basis for consistency; in-house security staff and outside consultants, for instance, may not be able to use one another's questionnaire answers without significant revision, because the questionnaires differ too much. Expert intuition also tends to lack consistency and may be too narrowly focused on particular aspects of cyber security risk. Other sources, such as vendor assessments, often suffer from the same problems.
The common risk formula expressed above is an improvement over pure subjectivity, but is difficult to use consistently; it is often very difficult to define the volume, ratio, probability, or degree of each of the variables. For example, it can often be difficult or impossible for an organization to determine with certainty the potential cost of a threat exploiting one specific vulnerability on a critical system.
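To make the point of the preceding paragraphs concrete (the formula is only as good as its inputs, and the inputs are rarely known with certainty), here is an added example that is not part of the original text: it evaluates Risk = Threat × Vulnerability × Cost on interval inputs instead of single point estimates and checks whether the resulting priority order is actually supported by the inputs. The asset names and numeric ranges are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ThreatEstimate:
    """One row of a Risk = Threat x Vulnerability x Cost assessment.

    Each factor is a (low, high) range rather than a single number, because
    the assessors could not state it with certainty.
    """
    name: str
    threat: Tuple[float, float]         # expected attack attempts per year
    vulnerability: Tuple[float, float]  # probability an attempt succeeds
    cost: Tuple[float, float]           # loss per successful attack, currency units

def point_risk(threat: float, vulnerability: float, cost: float) -> float:
    """The standard formula applied to single-valued inputs."""
    return threat * vulnerability * cost

def midpoint_risk(e: ThreatEstimate) -> float:
    """Risk from the middle of each range, as a point-estimate assessor would compute."""
    def mid(r: Tuple[float, float]) -> float:
        return (r[0] + r[1]) / 2
    return point_risk(mid(e.threat), mid(e.vulnerability), mid(e.cost))

def risk_interval(e: ThreatEstimate) -> Tuple[float, float]:
    """Lowest and highest risk consistent with the input ranges.

    All three factors are non-negative, so the product is monotone in each
    and its extremes sit at the all-low and all-high corners.
    """
    low = point_risk(e.threat[0], e.vulnerability[0], e.cost[0])
    high = point_risk(e.threat[1], e.vulnerability[1], e.cost[1])
    return low, high

def ranking_is_supported(a: ThreatEstimate, b: ThreatEstimate) -> bool:
    """True only if every risk value consistent with a exceeds every value consistent with b.

    When the intervals overlap, ranking a ahead of b is a judgement call the
    inputs cannot justify, however precise the midpoint numbers look.
    """
    return risk_interval(a)[0] > risk_interval(b)[1]

# Constructed sample assessment (illustrative values, not measured data).
RANSOMWARE = ThreatEstimate("ransomware on file server", (0.5, 2.0), (0.1, 0.4), (200_000, 800_000))
PHISHING = ThreatEstimate("credential phishing", (5.0, 10.0), (0.02, 0.05), (50_000, 150_000))

def prioritise(estimates: List[ThreatEstimate]) -> List[Tuple[str, float, Tuple[float, float], Optional[bool]]]:
    """Order by midpoint risk; flag for each row whether placing it above the next row is supported."""
    ordered = sorted(estimates, key=midpoint_risk, reverse=True)
    return [(e.name, midpoint_risk(e), risk_interval(e),
             ranking_is_supported(e, ordered[i + 1]) if i + 1 < len(ordered) else None)
            for i, e in enumerate(ordered)]

if __name__ == "__main__":
    for row in prioritise([RANSOMWARE, PHISHING]):
        print(row)
```

With these inputs the midpoint figures suggest ransomware is roughly six times the risk of phishing, yet the two intervals overlap, so the inputs do not actually justify that ordering.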