The metaphor of a “broken risk assessment calculator” in cybersecurity is an apt one, as it highlights several key deficiencies in the current approach to cybersecurity risk assessment in Canada and abroad. In this article, we analyze some of the limitations of the current approaches, and explore ways you can get a more realistic handle on your cyber risk.
Limitations of Traditional Risk Calculations
Traditional risk assessment methods often rely on simplistic formulas that fail to capture the complex and dynamic nature of cyber threats. The basic formula of
Risk = Threat × Vulnerability × Impact
while a useful starting point, is inadequate on its own for several reasons. In practice each of the three factors is usually an ordinal rating (a 1-to-5 or high/medium/low scale), and multiplying ordinal ratings yields a number that looks precise but carries no real units, no range, and no probability:
1. Rapidly Evolving Threat Landscape:
Cyber threats change constantly, with new attack vectors and techniques emerging at a rapid pace. Zero-day vulnerabilities, IoT devices on IT networks, unmanaged BYOD, session token theft, shadow IT, and similar developments change the “math” of an organization’s risk profile at dizzying speed. Integrated supply chains expose organizations to risk inherited from third parties. Layer on the advances in AI that threat actors are leveraging, and an organization can easily underestimate its exposure to a successful attack. Static risk calculations and old-school cyber risk quantification simply do not keep up with these dynamics, leaving organizations open to new and unforeseen risk.
2. Difficulty in Quantifying Intangibles:
Hard costs like remediation work, legal fees, and fines can readily be assigned dollar values, even if they are just estimates. However, many cybersecurity risks also involve intangible factors that are challenging to quantify accurately. For example, the reputational damage from a data breach or the long-term impact on customer and investor trust is difficult to express in purely numerical terms.
3. Over-reliance on CVSS Scores:
Many organizations in Canada and the U.S. rely heavily on Common Vulnerability Scoring System (CVSS) scores to prioritize vulnerabilities. However, the CVSS base score that scanners report measures the technical severity of a flaw in isolation: it says nothing about whether the affected system is reachable by an attacker, which business process depends on it, or whether the flaw is actually being exploited in the wild. CVSS does define an Environmental metric group for adjusting a score to local context, but it is rarely populated in practice, and FIRST’s own CVSS documentation is explicit that CVSS measures severity, not risk. A 9.8 on an isolated lab host can matter far less than a 7.5 on an internet-facing system that carries a critical business process.
4. Over-reliance on Standard Frameworks:
There are plenty of risk measurement standards and approaches to choose from: the NIST CSF (Cybersecurity Framework) and NIST SP 800-30; the ISO/IEC 27001:2022 standard; the 18 CIS Critical Security Controls; OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation); and the RMF (Risk Management Framework), for example. But specific threats and risks vary widely by industry, by the size and maturity of the organization, and so on. Just as over-reliance on CVSS scores may not reliably prioritize vulnerabilities, applying an out-of-the-box risk framework without tailoring the assessment to the unique needs and requirements of the organization will produce an inaccurate picture of risk.

Why does any of this matter?
Without a clear understanding of your organizational risk, you cannot communicate the importance of investment in cybersecurity, you cannot make optimal decisions regarding the cyber budget you do have, and you expose your organization to the potentially devastating cost and operational impacts of a successful cyber attack. Speak to anyone at an organization that has been breached and ask them whether they feel they made an informed business decision to ignore cybersecurity and accept the consequences of the incident. Unless they say “yes,” their risk calculator may be broken.

Emerging Approaches and Solutions
Leading organizations are employing modern ways of visualizing and quantifying risk. This informed approach allows them to address the challenges in cyber risk calculation and place the appropriate priority and urgency on addressing cybersecurity vulnerabilities.
1. Adoption of Probabilistic Models: More advanced risk assessment methodologies, such as the Factor Analysis of Information Risk (FAIR) model, are gaining traction. FAIR decomposes risk into loss event frequency (how often a threat actor acts against an asset and succeeds) and loss magnitude (what each such event costs), estimates each as a calibrated range rather than a single number, and combines them with Monte Carlo simulation. The result is a distribution of annual loss rather than a single opaque score: an organization can read off its expected annual loss, the size of a 90th- or 95th-percentile “bad year”, and the probability of suffering any loss at all, which are figures a board can actually weigh against the cost of a control.
2. Integration of Threat Intelligence: Forward-thinking organizations are incorporating real-time threat intelligence into their risk assessments. This allows for a more dynamic and contextual evaluation of potential threats.
3. AI and Machine Learning: Artificial intelligence and machine learning are being leveraged to analyze vast amounts of data and identify patterns that human analysts might miss. Threat feeds, real-time internal telemetry, and historical breach data can be correlated with exploit likelihood, asset criticality, and attacker behaviour to inform the prioritization process.
4. Regulatory and Policy Implications: In Canada and abroad, there’s a growing recognition of the need for more sophisticated cybersecurity risk assessment frameworks. Regulatory bodies are moving away from “check-the-box compliance” toward more insightful, risk-based methodologies and cybersecurity risk management tools.
5. Independent Risk Assessment: Many organizations partner with third-party experts to explore a more nuanced assessment and quantification of organizational cybersecurity risk.
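The following Python script is an added worked example and is not code from the original article or from the FAIR Institute; it shows the shape of the probabilistic approach described under “Adoption of Probabilistic Models” and contrasts it with the point-estimate formula criticized earlier. It uses PERT (scaled beta) distributions, the usual way FAIR practitioners turn a minimum / most-likely / maximum estimate into a distribution, and a Poisson draw for the number of loss events in a simulated year. The scenario name and all numbers are constructed for illustration and are not real figures.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A calibrated estimate given as minimum, most-likely and maximum values.

    Sampled as a PERT (scaled beta) distribution, the usual way FAIR
    practitioners turn an expert's range into a distribution.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high <= self.low:
            return self.low  # degenerate range: a fixed value
        span = self.high - self.low
        # PERT shape parameters (lambda = 4); both are >= 1, so betavariate is well defined
        a = 1.0 + 4.0 * (self.mode - self.low) / span
        b = 1.0 + 4.0 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario: a threat acting against an asset in a given way."""
    name: str
    threat_event_frequency: Pert   # attempts per year
    vulnerability: Pert            # probability that an attempt becomes a loss event
    loss_magnitude: Pert           # cost per loss event, in dollars


def poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one simulated year for an expected rate lam (Knuth's method)."""
    if lam <= 0.0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def point_estimate(s: Scenario) -> float:
    """The 'broken calculator': Threat x Vulnerability x Impact using most-likely values only."""
    return s.threat_event_frequency.mode * s.vulnerability.mode * s.loss_magnitude.mode


def simulate(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over `trials` simulated years; returns summary statistics of annual loss."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        tef = s.threat_event_frequency.sample(rng)
        vuln = s.vulnerability.sample(rng)
        events = poisson(tef * vuln, rng)  # loss event frequency realised in this year
        annual_losses.append(sum(s.loss_magnitude.sample(rng) for _ in range(events)))
    annual_losses.sort()

    def percentile(p: float) -> float:
        return annual_losses[min(len(annual_losses) - 1, int(p * len(annual_losses)))]

    return {
        "mean": statistics.fmean(annual_losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "max": annual_losses[-1],
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / len(annual_losses),
    }


def sample_many(estimate: Pert, n: int, seed: int = 0) -> list:
    """Draw n samples from one estimate with a fixed seed (handy for sanity checks)."""
    rng = random.Random(seed)
    return [estimate.sample(rng) for _ in range(n)]


# Constructed, illustrative inputs (not real figures): ransomware delivered through a
# phished workstation against a mid-sized organization's file servers.
EXAMPLE = Scenario(
    name="ransomware via phished workstation (hypothetical)",
    threat_event_frequency=Pert(2, 6, 20),
    vulnerability=Pert(0.05, 0.20, 0.50),
    loss_magnitude=Pert(20_000, 150_000, 2_000_000),
)

if __name__ == "__main__":
    print(f"point estimate (modes only): ${point_estimate(EXAMPLE):,.0f}")
    for key, value in simulate(EXAMPLE).items():
        print(f"{key:>10}: {value:.1%}" if key == "p_any_loss" else f"{key:>10}: ${value:,.0f}")
```

The point estimate multiplies the three most-likely values into a single dollar figure, which is exactly the “calculator” the article argues is broken: it hides both the range of outcomes and the chance that the year is loss-free. The simulation keeps the same three inputs but returns a distribution, so the 95th-percentile and probability-of-any-loss figures can be compared directly against the annual cost of a control. Because sampling is seeded, a run is reproducible, which matters when the numbers are going into a board paper.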

Next Steps
Many current cyber risk assessment calculators are broken, with CISOs exposing themselves, their organizations, and their customers to heightened risk every day they fail to recognize this truth. Traditional methods are increasingly inadequate, so we must pursue more sophisticated, dynamic, and context-aware approaches to risk assessment. Organizations and policymakers must evolve their risk assessment practices to keep pace with the ever-changing cyber threat landscape. And every organization needs to accept the reality that any digital presence can be a target; that a cyber attack can and will occur at any time.
If you’re concerned about your organization’s perspective on cyber risk, contact ISA Cybersecurity today. With expertise in cyber risk assessment across finance, education, government, healthcare, and more, we can help you better understand, measure, and manage your organizational risk.