Cyber Risk Quantification: Computing Asset Value

If you have not yet read the intro to this blog series on Security Risk Management (“Intro To Measuring, Assessing And Mitigating Security Risk”), please start there.

Computing the value of your assets essentially means asking the question “How much could I lose if those assets are compromised?” There is no standard for identifying loss exposures (another way of saying asset value). However, there are a number of industry options to leverage, including a Business Impact Analysis (BIA) or the FAIR taxonomy.

A BIA and the FAIR taxonomy both provide value in determining the financial value of assets. The BIA is a systematic process to determine and evaluate critical business operations. The Factor Analysis of Information Risk (FAIR) is a taxonomy of information risk.

Yet neither BIA nor FAIR answers the fundamental question, “What is the value of my assets?” To put it another way, if hackers crushed your business and everyone sued you, what would that look like? We believe the answer to that question will help determine the value of your assets.

A taxonomy we use at Nehemiah Security to determine the loss exposure for an organization is built around first- and third-party losses. First-party losses are those a company faces directly, while third-party losses are those that a company faces due to customers, vendors/suppliers or other entities. I will use Equifax as an example to illustrate:

The recent Equifax breach affected 143 million people, revealing Social Security numbers, driver’s license data, birth dates, and more. Equifax will be facing both first- and third-party losses to the tune of millions of dollars. A quick snapshot of the total loss exposure Equifax faced could look like this:

| First Party Loss Exposure | Amount | Third Party Loss Exposure | Amount |
|---|---|---|---|
| Revenue*1 | $3,144,900,000 | Credit Monitoring*4 | $60,000,000 |
| Business Interruption*2 | $78,622,500 | Legal Costs*5 | $75,000,000 |
| Remediation & Recovery*3 | $10,000,000 | SLA/Contract Violations*6 | $25,000,000 |
| Total (rounded) | $3,250,000,000 | Total (rounded) | $160,000,000 |

The numbers in the table above are estimates, but you can see that the total loss exposure can be as high as $3.4 billion. Notes from the table above include:

*1 – taken from the Equifax 2016 Annual report

*2 – estimate based on a 2.5% reduction in performance (i.e., a move to manual processes, backlogs, etc.)

*3 – Various estimates put the average cost for remediation around $4 million for a mid-size breach

*4 – Home Depot paid out $19.5 million for a breach of 53 million customers (3 times smaller than Equifax)

*5 – legal costs are estimates

*6 – various third party vendors can now sue for breach of contract or clawbacks of payments

Now before you throw the flag, Equifax’s loss is highly unlikely to be that high. Companies don’t lose 100% of their business from a single cyberattack. And the stock losses won’t be that high either – take a look at the analysis done by Arlan McMillan below, which shows that after an attack, a company’s stock price tends to rebound.

This simple analysis shows that computing the total loss exposure for an organization is possible if you have the right taxonomy for capturing the data.

Stay tuned for the next post in this series which will discuss building your test range!