Identifying risks is a critical first step in understanding cyber risk. It is easy to confuse threats, risks, vulnerabilities, and impacts, and people often use the terms interchangeably.
This article introduces the Squalify cyber risk quantification model at a deeper level, describing how the causes, consequences, and costs of cyber incidents are modeled within the Squalify platform. Our approach is based on the risk quantification methodology and experience of our parent company, Munich Re, a globally leading cyber insurance and re-insurance provider. This enables you to consistently define and identify your cyber risks.
Introducing the Squalify Risk Taxonomy
Within the Squalify platform, cyber incidents, their consequences, and associated financial losses are related through the following concepts:
- The Squalify quantification model includes a set of predefined Cyber Threat Scenarios, which articulate the threat agent, their intention, the security property compromised and the asset involved.
- Successful Cyber Threat Scenarios are grouped into Consequences Scenarios. The Squalify quantification model distills the variety of outcomes from cyber incidents into three Consequence Scenarios: Data Privacy Breach, Business Interruption and Financial Theft & Fraud.
- Each Consequence Scenario may result in financial losses. The Squalify Model categorizes these losses into seven Loss Components which group together related expenses that occur from a cyber incident. For example, the Loss Component “Incident Response” includes expenses related to engaging with forensic investigators, crisis management, etc.
The actual values for each individual Loss Component are quantified in terms of Financial Loss Values. These are calculated in the Squalify model by combining scenario details with the maturity of information security controls. This part of the Squalify risk assessment process is described further here.
The relationships between these concepts are summarized in the diagram below, and each is described further in the following sections.

Cyber Threat Scenarios Describe Who Can Attack a Firm and How
The Squalify Model is based on pre-defined Cyber Threat Scenarios. These scenarios combine the broader threat landscape (a threat agent causing a malicious or accidental incident affecting the confidentiality, integrity, or availability of assets) with company-specific risk factors.
These high-level threat scenarios are designed to strike a balance: broad enough for the model to encompass all pertinent malicious and accidental cyber incidents, yet detailed enough to account for variations in the occurrence and severity of different potential threats.
Each scenario is defined by a combination of the threat agent (insider or external), the intention (malicious or accidental), the security property compromised (confidentiality, integrity, or availability) and the asset type (information or business process).
The Cyber Threat Scenarios address almost all financial losses that cyber insurance typically covers, and within the model Cyber Threat Scenarios are accompanied by a wealth of historic incident occurrence rate and severity data informed by real life events and Munich Re’s cyber reinsurance experience.
This means that you don’t have to guesstimate how often various threat events may occur and how much they may cost.
By providing pre-defined Cyber Threat Scenarios, the Squalify Model greatly simplifies and expedites analysis by an organization. Organizations are not required to enumerate every possible scenario that could occur, nor do they need to estimate frequencies and severities for these scenarios. This also enables organizations to model unanticipated risks.
Consequence Scenarios Describe What the Business Impact of an Attack Is
Consequence Scenarios group together the multiple Cyber Threat Scenarios that lead to the same outcome, or consequence. The three Consequence Scenarios modeled by Squalify are Business Interruption, Data Privacy Breach, and Financial Theft & Fraud:
- Business Interruption: The financial losses incurred by a business due to a cyber incident disrupting its operations.
- Data Privacy Breach: This addresses the costs of responding to a security violation in which sensitive, protected, or confidential personal data is copied, transmitted, viewed, stolen, or used by an unauthorized individual.
- Financial Theft and Fraud: Direct theft of money that a business suffers due to fraudulent cyber-activity.
For instance, the Data Privacy Breach Consequence Scenario includes several Cyber Threat Scenarios, including one involving a malicious attacker and another resulting from accidental actions. Since both Cyber Threat Scenarios may have the same outcome, a breach in data privacy, they are both considered within this Consequence Scenario.
Beyond the three Consequence Scenarios outlined above, there is an additional distinct cyber incident labeled as Ransomware. When examining its consequences, ransomware presents a combination of a Business Interruption and a Data Privacy Breach. This dual impact arises because a Ransomware incident can disrupt organizational business processes and simultaneously lead to data encryption or theft.
More than one Consequence Scenario can occur in the same incident. A scenario where all three Consequence Scenarios occur in the same incident or within a short timeframe (one modeled year) is called the Worst Case Scenario. The Worst Case Scenario is not associated with a probability; it is simply the case in which the organization faces the highest realistic potential loss, under the assumption that almost all existing controls fail.
Loss Components Group Together Categories of Expenses from an Incident
A Loss Component represents a specific type of financial loss a business might incur in the event of a cyber incident. A Loss Component groups together related expenses that occur from a cyber incident. For each Loss Component, the Squalify platform provides a structured set of questions to help you estimate what the potential costs are for your scenarios within your organization.
The Loss Components are derived from the Cambridge Cyber Taxonomy for loss coverages. The following seven selected Loss Components constitute the most significant loss figures and are covered in the Squalify Model:
- Incident response costs: Direct costs incurred to investigate and close the incident to minimize post-incident losses. Applies to all the other categories/events.
- Breach of privacy event: The costs of responding to an event involving the release of information that causes a privacy breach, including notification, compensation, credit-watch services and other third-party liabilities to affected data subjects, IT forensics, external services, internal response costs, and legal costs.
- Regulatory and defense coverage: Covers the legal, technical, or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber incident, and provides coverage for fines, penalties, defense costs, investigations, or other regulatory actions where in violation of privacy law, and other costs of compliance with regulators and industry associations.
- Data and software loss: The costs of reconstituting data or software that have been deleted or corrupted.
- Cyber extortion: The costs of expert handling for an extortion incident, combined with the amount of any ransom payment.
- Business Interruption: Lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber incidents or other non-malicious IT failures.
- Financial Theft and Fraud: The direct financial loss suffered by an organization arising from the use of computers to commit fraud or theft of money.
The combination of Loss Components that contributes to each Consequence Scenario is shown in the image below:
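As an added illustration (not the Squalify platform's own code), the following Python sketch models the taxonomy described in the Consequence Scenario and Loss Component sections: it enumerates the 24 Cyber Threat Scenario combinations, groups them into Consequence Scenarios, and collects the Loss Components of an incident, including the Ransomware combination and the Worst Case Scenario. The grouping rule and the component-to-consequence mapping are assumptions, since the article's diagram of that combination is not reproduced here.

```python
from itertools import product
from typing import NamedTuple
# The four dimensions of a Cyber Threat Scenario, as the article defines them.
AGENTS = ("insider", "external")
INTENTIONS = ("malicious", "accidental")
PROPERTIES = ("confidentiality", "integrity", "availability")
ASSETS = ("information", "business process")
BI, DPB, FTF = "Business Interruption", "Data Privacy Breach", "Financial Theft & Fraud"
# ASSUMED mapping of Loss Components to Consequence Scenarios (the article's image
# with the real combination is not reproduced); "Incident response" applies to all.
LOSS_COMPONENTS = {
    BI: {"Incident response", "Data and software loss", "Business interruption"},
    DPB: {"Incident response", "Breach of privacy event", "Regulatory and defense coverage"},
    FTF: {"Incident response", "Financial theft and fraud"},
}
class ThreatScenario(NamedTuple):
    agent: str
    intention: str
    security_property: str
    asset: str

def all_threat_scenarios():
    """Enumerate every agent/intention/property/asset combination (2*2*3*2 = 24)."""
    return [ThreatScenario(*c) for c in product(AGENTS, INTENTIONS, PROPERTIES, ASSETS)]

def consequences_of(s):
    """ASSUMED grouping rule: confidentiality loss of information -> privacy breach;
    availability loss, or any hit on a business process -> interruption;
    integrity compromise -> theft & fraud if malicious, else interruption."""
    out = set()
    if s.security_property == "confidentiality" and s.asset == "information":
        out.add(DPB)
    if s.security_property == "availability" or s.asset == "business process":
        out.add(BI)
    if s.security_property == "integrity":
        out.add(FTF if s.intention == "malicious" else BI)
    return out

def loss_components_for(consequences):
    """Union of the Loss Components of every Consequence Scenario in one incident."""
    return set().union(*(LOSS_COMPONENTS[c] for c in consequences))

def ransomware_losses():
    """Ransomware = Business Interruption + Data Privacy Breach (article), plus the
    Cyber extortion component for ransom handling (ASSUMED)."""
    return loss_components_for({BI, DPB}) | {"Cyber extortion"}

def worst_case_losses():
    """Worst Case Scenario: all three Consequence Scenarios within one modeled year."""
    return loss_components_for({BI, DPB, FTF})
```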

Final Thoughts
Squalify’s unique cyber risk quantification methodology focuses on the consequences of cyber incidents. Pre-built threat scenarios simplify the threat assessment part of analysing risk, and Squalify’s use of historic insurance-industry data removes the guesswork from estimating threat likelihoods.
Our top-down approach lets you focus on the business impacts of cyber incidents, which makes it easy to avoid getting bogged down in technical jargon and provides risk assessments grounded in the reality of your business.