Cyber Risk Models: Bottom-Up vs. Top-Down
Cyber risk models typically adopt one of two distinct methodological approaches: top-down or bottom-up cyber risk quantification. Each serves a specific purpose in cyber risk management and produces different cyber-related output metrics. The choice between a top-down and a bottom-up cyber risk model depends on the specific need and on how the results will be used. While the bottom-up approach examines cyber security risk from a more technical view, the top-down approach looks at enterprise-wide cyber risk, focusing on strategic decision-making from a financial standpoint.
Top-Down Cyber Risk Quantification
The top-down approach takes a high-level organizational perspective, assessing the financial impact of cyber scenarios based on the unique business model of a company. In doing so, the top-down approach views the company's cyber risk profile within the overall cyber threat landscape. The focus is on enabling strategic decision-making in a fast-paced cyber threat landscape and meeting the need for timely results. The data required by top-down models encompasses financial data, such as turnover, profits or costs of production, which determine how much a cyber incident will cost the company and identify where the major cyber risks lie in the company. In addition, information security data determines how likely a cyber scenario is to occur, based on how well the company protects itself against that scenario.
The top-down approach to cyber risk quantification often relies on probabilistic simulations, such as Monte Carlo simulations, to generate predictive risk assessments. The key output metrics include modeled loss figures, commonly referred to as value-at-risk (VaR) numbers. For example, this approach can estimate a 2% financial loss-at-risk of €50 million resulting from a cyber incident, meaning a 2% probability that losses in the modeled period exceed €50 million.
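The following is an added example, not code from the original article: a minimal Monte Carlo loss simulation of the kind the paragraph describes. It assumes a simple frequency/severity model (Poisson event count per year, lognormal loss per event) with constructed parameters, and reads the annual loss-at-risk at a chosen exceedance probability (2% corresponds to the 98th percentile of the simulated annual loss distribution). All function names, parameter values and the sample figures are assumptions for illustration.

```python
import math
import random


def _poisson(rng, rate):
    """Draw one Poisson-distributed event count (Knuth's method, fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(years, freq_per_year, sev_median, sev_sigma, seed=42):
    """Monte Carlo: for each simulated year, draw the number of incidents
    (Poisson) and a lognormal severity for each incident; return the list of
    total annual losses. Parameters are constructed, not calibrated data."""
    rng = random.Random(seed)
    mu = math.log(sev_median)  # lognormal median == exp(mu)
    annual = []
    for _ in range(years):
        incidents = _poisson(rng, freq_per_year)
        total = 0.0
        for _ in range(incidents):
            total += rng.lognormvariate(mu, sev_sigma)
        annual.append(total)
    return annual


def loss_at_risk(annual_losses, exceedance_prob):
    """Loss-at-risk at a given exceedance probability, e.g. 0.02 -> the loss
    level exceeded in only 2% of simulated years (the 98th percentile)."""
    ordered = sorted(annual_losses)
    index = min(int((1.0 - exceedance_prob) * len(ordered)), len(ordered) - 1)
    return ordered[index]


def expected_annual_loss(annual_losses):
    """Mean of the simulated annual loss distribution."""
    return sum(annual_losses) / len(annual_losses)


if __name__ == "__main__":
    # Constructed scenario: 0.5 material incidents per year, median severity
    # EUR 1M, heavy right tail (sigma = 1.0). Seed fixed for reproducibility.
    losses = simulate_annual_losses(20_000, 0.5, 1_000_000, 1.0)
    print(f"expected annual loss : EUR {expected_annual_loss(losses):,.0f}")
    print(f"10% loss-at-risk     : EUR {loss_at_risk(losses, 0.10):,.0f}")
    print(f"2% loss-at-risk      : EUR {loss_at_risk(losses, 0.02):,.0f}")
```

The design choice worth noting is that the tail metric is read directly off the simulated distribution rather than from a closed form, which is what lets a top-down model swap in different frequency or severity assumptions (for example, a lower frequency after a control investment) and re-read the 2% figure without changing anything else.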
This strategic top-down method is particularly useful for decision-making at the C-level and other management tiers, helping organizations manage cyber risk effectively. It supports a range of use cases, such as securing approval for information security budgets by demonstrating the return on security investments, or determining the strategic risk appetite for cyber risk transfer. It enables a holistic corporate cyber risk overview that supports decision-making at the enterprise level.
Bottom-Up Cyber Risk Quantification
The bottom-up approach provides a granular assessment of vulnerabilities and risks, often quantifying many individual threat sequences, and supports the operational level of the organization. It identifies a multitude of cyber scenarios for an organization, each addressing specific vulnerabilities, attack vectors, assets, and impact scores. As a result, bottom-up data collection requires an extensive amount of time: first to conduct a granular information security assessment at the asset level, and second to individually estimate the frequency and impact of every cyber scenario based on the assets involved. It can determine what a particular cyber scenario will cost if a given asset fails.
The bottom-up approach is useful for testing mitigation efforts at the operational level, evaluating the effectiveness of new technologies, and assessing the risk of individual assets. While it provides a detailed view of an organization's assets and information security standards for operational practitioners, quantifying cyber risk bottom-up and aggregating it at the enterprise level remains a challenge. This is largely because the more narrowly cyber scenarios are defined, the higher the risk that scenarios overlap and that financial impacts are double-counted at the enterprise level. Hence, the technical assessment enables a thorough view of the information security status, but is less effective for cyber risk quantification.
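As an added illustration of the double-counting problem above (example code written for this page, not the article's own method), the block below aggregates narrowly defined, asset-level scenarios in two ways. Each scenario's financial impact is broken into tagged components; when one enterprise-wide incident triggers several scenarios that each include the same shared cost (here a constructed "business_interruption" item), naive summation counts it once per scenario, while de-duplicating by component identifier counts it once per incident. Scenario names, amounts and frequencies are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactComponent:
    """One cost item of a scenario. A shared component_id across scenarios
    marks the same underlying cost (the source of double counting)."""
    component_id: str
    amount: float


@dataclass(frozen=True)
class Incident:
    """An enterprise-level event with its annual frequency and the asset-level
    scenarios it triggers at once."""
    annual_frequency: float
    triggered_scenarios: tuple


# Constructed bottom-up scenarios, keyed by name (EUR amounts are illustrative).
SCENARIOS = {
    "ransomware_fileserver": (
        ImpactComponent("fs_rebuild", 200_000),
        ImpactComponent("business_interruption", 500_000),  # shared cost
    ),
    "ransomware_erp": (
        ImpactComponent("erp_restore", 300_000),
        ImpactComponent("business_interruption", 500_000),  # same shared cost
    ),
    "phishing_credential_theft": (
        ImpactComponent("ir_cost", 50_000),
    ),
}

# Constructed incidents: one ransomware event hits both systems together.
INCIDENTS = (
    Incident(0.2, ("ransomware_fileserver", "ransomware_erp")),
    Incident(0.5, ("phishing_credential_theft",)),
)


def naive_expected_loss(scenarios, incidents):
    """Sum every triggered scenario's full impact, as if scenarios were disjoint."""
    total = 0.0
    for inc in incidents:
        for name in inc.triggered_scenarios:
            total += inc.annual_frequency * sum(c.amount for c in scenarios[name])
    return total


def deduplicated_expected_loss(scenarios, incidents):
    """Per incident, take the union of impact components by id so a shared
    cost is charged once, then weight by the incident's annual frequency."""
    total = 0.0
    for inc in incidents:
        union = {}
        for name in inc.triggered_scenarios:
            for comp in scenarios[name]:
                union[comp.component_id] = comp.amount
        total += inc.annual_frequency * sum(union.values())
    return total


def double_counted_components(scenarios, incidents):
    """Report component ids that appear in more than one scenario of the same
    incident, i.e. the items a naive roll-up counts more than once."""
    found = set()
    for inc in incidents:
        seen = set()
        for name in inc.triggered_scenarios:
            for comp in scenarios[name]:
                if comp.component_id in seen:
                    found.add(comp.component_id)
                seen.add(comp.component_id)
    return found


if __name__ == "__main__":
    print("naive        :", naive_expected_loss(SCENARIOS, INCIDENTS))
    print("de-duplicated:", deduplicated_expected_loss(SCENARIOS, INCIDENTS))
    print("double-counted:", double_counted_components(SCENARIOS, INCIDENTS))
```

The practical takeaway is that scenario-level impact estimates need a shared vocabulary for cost items (and a record of which scenarios a single incident triggers) before they can be rolled up; without that, the finer the scenarios, the larger the overstatement at the enterprise level.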
Final Thoughts
By combining a detailed bottom-up technical assessment with top-down quantification, organizations can achieve a more holistic and accurate understanding of their overall cyber risk. Both top-down and bottom-up approaches are useful in effective cyber risk quantification. While top-down provides a strategic, financial view and is more directly aimed at cyber risk quantification, bottom-up offers detailed technical insights into assets. Each has its strengths and limitations, but combining their strengths ensures a more accurate and holistic assessment of cyber risk.