Justin Theriot, Senior Data Scientist at RiskLens, presented a research paper on Estimating Financial Losses from a Data Breach at SIRAcon 2021, the leading conference for the cyber risk analyst community – important recognition for the cutting-edge work on cyber risk metrics by the RiskLens data science team.
Data scientists at RiskLens take in risk data from respected sources like the Verizon Data Breach Investigations Report (DBIR) and Advisen, combine it with proprietary data gathered from RiskLens client engagements, then scrub and curate the data to create libraries for the RiskLens platform with the most accurate data available anywhere for cyber and technology risk. The platform automates risk analysis using Factor Analysis of Information Risk (FAIR™), the standard for quantitative cyber risk analysis.
Data Science for FAIR Risk Analysis
Risk analysis conducted on the RiskLens platform always begins with the client’s available in-house data – for instance on frequency of cyber attacks, or costs of response – but many clients have incomplete data.
That’s where RiskLens data science steps in, to support risk analysis with the most complete inputs for all the factors that go into FAIR to produce its accurate results. The RiskLens platform makes data available on a just-in-time basis with handy Data Helpers that plug into analyses.
Learn FAIR risk analysis from the leader - train with the RiskLens Academy
The research paper for SIRAcon is a good look into the rigor and granularity of the RiskLens approach to data. As Justin writes, previous studies in the field failed to make distinctions among forms of loss (for instance, primary response costs vs. secondary costs such as legal fines) or used methods that had difficulty producing results useful for business decision making.
“Through our research, we have found that events do not fit neatly into a single scenario, often making comparisons between events difficult,” he writes. “Yet, the decisions we made throughout the process have enabled us to design a robust model capturing those nuances.” The FAIR approach decomposes risk into factors that can be quantified, with the results run through Monte Carlo simulations to show ranges of probable outcomes in dollar terms.
The paper demonstrates the use of FAIR analysis running on Advisen’s cyber event loss data. The data scientists reviewed numerous data breach events, providing an in-depth analysis on 10 of those events, comparing the losses as reckoned by FAIR on the RiskLens platform with the losses reported in public filings.
The result: “We have shown through data processing and our methodology that we can provide a model to predict losses” [across various parameters] to an acceptable level of accuracy [and] better capture the nuances of losses.”
“Overall, we have provided a multi-faceted model enabling the cyber community to better understand the what, where, and why of financial losses incurred after a data breach.”
Distribution of Advisen loss data after RiskLens processing
Detailed Looks at Data Breach Costs in the RiskLens Study
The study turned up some cause and effect relations within the breach cost data that will be of interest to risk managers. For instance,
>>For every 10% increase in number of records in a database, primary response costs rise 5.4%
>>Companies based in the US will have legal fines and judgments that are five times higher than non-US-based companies. However, foreign companies are twice as likely to face F&J as compared to their US counterparts.
>>Some sectors do way worse than others when it comes to fines and judgments and other secondary response costs: The information industry came in at 2.5 times higher than the baseline for all companies, the public sector 3 times higher, but the hospitality/accommodations industry showed half the costs from the baseline.
Read a synopsis of the research paper: