Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Uncovering the Business Costs of Cyber Risk: Ponemon Study

Study finds organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses, leaving them without the critical information needed to make decisions about resource allocation, technology investments and threat prioritization.

Unlike other business disciplines (CRM, ERP, HR), cybersecurity lacks the kind of clear business metrics which can help executives frame decision-making in a language the c-suite and board easily understand. When we commissioned Ponemon Research to study the effects of cyber risk on business operations, our goal was to explore how four common KPIs associated with cyber exposure translate to specific types of business risk. We wanted to go beyond assessing pure dollar impact, exploring how cyber risk influences business strategy, products, supply chain, revenue streams, operations, business technology, customer experience and regulatory compliance.

What we discovered -- after surveying 2,410 IT and infosec decision-makers in six countries -- is that traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. Organizations are not accurately measuring the business costs of cyber risk, and are unable to quantify the damage cyber attacks could have on their businesses. Thus, decisions about the allocation of resources, investments in technologies and the prioritization of threats are being made without critical intelligence. Moreover, organizations are unable to correlate the cyber risk KPIs they are using to the mitigation of a data breach or security exploit.

At a time when boards of directors are taking more interest in cybersecurity than ever before, the study Measuring & Managing the Cyber Risks to Business Operations, conducted by Ponemon Institute on behalf of Tenable, reveals a lack of faith among cybersecurity professionals in the accuracy of their metrics. This makes CISOs and/or other security technology executives reluctant to share critical information about the business costs of cyber risks with their boards.

Exploring common KPIs

For the study, we identified four common KPIs used to measure cyber risk:

  • time to assess;
  • time to remediate;
  • effectiveness of prioritizing cyber risk; and
  • identification of assets vulnerable to cyber risk -- including Operational Technology (OT) and Internet of Things (IoT) devices.

In addition, we explored three KPIs most often used to measure the financial consequences of a cyber attack:

  • loss of revenue;
  • loss of productivity; and
  • drop in stock price.

The vast majority of respondents (91%) admitted they’ve experienced at least one business-disrupting cyber incident in the past 24 months; 60% have experienced two or more incidents in the same time frame. These attacks have resulted in data breaches and/or, significant disruption and downtime to business operations, plants and operational equipment.

The majority of respondents (58%) say traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. When it comes to quantifying the damage cyber events could have on their businesses, only 41% of respondents (988) say their organizations make any attempt to do so. Further, only 30% of respondents say their organizations are able to correlate information from cyber risk KPIs to taking action on reducing the risk of a data breach or security exploit.

Of the 988 respondents who said their organizations attempt to quantify the damage security incidents could have on their businesses:

  • 54% say they quantify what the theft of intellectual property would cost;
  • 43% say they calculate the potential financial loss; and
  • 42% consider the impact of the loss of employee productivity following a data breach or security exploit.

What factors are used to quantify the potential risk of a cyber attack?

quantifying the business risk of a cyber attack

Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.

We asked respondents to rate the accuracy of the information gathered using the above KPIs, measured on a scale of 1 = not accurate to 10 = very accurate. Only 38% of respondents believe their measures are very accurate, while 44% believe their measures are not very accurate.

The report also reveals organizations are not using the KPIs they consider most important to assessing and understanding cyber threats. For example, two thirds of respondents (64%) identified “time to assess” as an important KPI for evaluating cyber risk, yet only 49% of respondents are currently using this metric. We see similar gaps when we look at the three other KPIs discussed in the report (see below).

Gaps in use and importance of KPIs

KPI Used by (% respondents) Considered essential (% respondents)
Time to assess cyber risk 49% 64%
Time to remediate cyber risk 46% 70%
Identifying OT and IoT assets 34% 62%
Prioritization effectiveness 38% 57%

Source: Measuring & Managing the Cyber Risks to Business Operations, Ponemon Institute & Tenable, December 2018.

Measuring cyber risk: Nobody said it was easy

Respondents identified seven key reasons why their organizations continue to face cybersecurity challenges, including:

  • An understaffed IT security function.
  • Lack of resources to manage vulnerabilities.
  • The proliferation of IoT devices in the workplace.
  • The complexity of the IT security infrastructure.
  • Lack of controls over third-party access to sensitive and confidential data.
  • Dependency on manual processes to respond to vulnerabilities.
  • Insufficient visibility into their organization’s attack surface.

While there are no quick-and-easy fixes to any of these issues, we believe focusing on the following five steps will help put your organization on the right path to building a business-first cybersecurity strategy.

  1. Identify and map every asset across any computing environment.
  2. Understand the cyber exposure of all assets, including vulnerabilities, misconfigurations and other security health indicators.
  3. Understand exposures in context, to prioritize remediation based on asset criticality, threat context and vulnerability severity.
  4. Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique.
  5. Measure and benchmark cyber exposure to make better business and technology decisions.

In addition to the above guidance, the report, Measuring & Managing the Cyber Risks to Business Operations, concludes with a five-step process for measuring and managing cyber risk you can put into action in your own organization today.

About this study

The report Measuring & Managing the Cyber Risks to Business Operations is based on a survey of 2,410 IT and IT security decision-makers in the United States, United Kingdom, Germany, Australia, Mexico and Japan. All respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. The consolidated global findings are presented in this report. Download your free copy here.


無料でお試し 今すぐ購入

Tenable.io を試す

60 日間無料

最新のクラウドベースの脆弱性管理プラットフォームに完全にアクセスし、比類のない正確さですべての資産を表示および追跡することができます。 今すぐご登録ください。60秒以内の最初のスキャンを実行できます。

Tenable.io を購入

最新のクラウドベースの脆弱性管理プラットフォームに完全にアクセスし、比類のない正確さですべての資産を表示および追跡できます。 年間サブスクリプションを今日お求めください。

65 資産



無料でお試し 今すぐ購入

Nessus Professionalを無料で試す


Nessus®は、今日の市場で最も包括的な脆弱性スキャナです。Nessus Professional は脆弱性のスキャンプロセスを自動化し、コンプライアンスサイクルの時間を短縮化するため、ITチームに専念できます。

Nessus Professional を購入する

Nessus®は、今日の市場で最も包括的な脆弱性スキャナです。Nessus Professional は脆弱性のスキャンプロセスを自動化し、コンプライアンスサイクルの時間を短縮化するため、ITチームに専念できます。


無料でお試し 今すぐ購入

Tenable.io Web Application Scanningをお試しください

60 日間無料

Tenable.ioプラットフォームの一部として、最新のアプリケーション用に設計された最新のWebアプリケーションスキャンサービスに完全にアクセスできます。手作業による手間や重大なWebアプリケーションの中断をせずに、脆弱性のオンラインポートフォリオを安全に高精度で安全にスキャンします。 今すぐお申し込み、60秒以内の最初のスキャンを実行します。

Tenable.io Web Application Scanningを購入する

最新のクラウドベースの脆弱性管理プラットフォームに完全にアクセスし、比類のない正確さですべての資産を表示および追跡できます。 年間サブスクリプションを今日お求めください。




無料でお試しください セールスにご連絡ください

Tenable.io Container Securityを試す

60 日間無料

脆弱性管理プラットフォームに統合された唯一のコンテナセキュリティ製品への完全なアクセスをお楽しみください。コンテナイメージの脆弱性、マルウェア、ポリシー違反を監視する。DevOpsプラクティスをサポートし、セキュリティを強化し、エンタープライズポリシーコンプライアンスをサポートするために、継続的な統合と継続的な展開(CI / CD)システムを統合する

Tenable.io Container Securityを購入する

Tenable.ioのContainer Securityは、ビルドプロセスと統合することにより、コンテナイメージのセキュリティ(脆弱性、マルウェア、ポリシー違反など)を可視化し、シームレスかつ安全なDevOpsプロセスを実現します。

Industrial Securityについて