cyber resilience framework

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

Focusing on what you stand to lose drives everything in managing cyber risk.

by Richard Seiersen , Cyber Resilience Strategic Advisor

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the world

So, what are we doing wrong?

While controls and audit-based approaches have moved the needle forward, even large corporations struggle to manage the complexities of cyber, especially at a time when highly motivated adversaries, complex digital supply chains, and new advances in AI can challenge even the most well-resourced security program.

If forecasts for cyber risk are accurate, losses will continue to grow as digital transformation initiatives also grow. A grounded approach to security should anticipate and prepare for limiting losses, not trying to stop them completely. This means identifying plausible loss scenarios that could impact the company’s ability to deliver value and then focusing security investments on reducing the probability of these kinds of incidents. This is how organizations identify their tolerance for loss, which is a core foundation of a risk-focused approach. 

A Risk-Focused Approach in Action: MGM and Caesars 

Rather than focusing on the total implementation of a framework or control set, organizations must focus on what is required to continually deliver value to their clients without interruption. This approach is risk-focused rather than controls first and is fundamental to the value-driven risk management strategy that we call Cyber Resilience. 

Cyber Resilience tolerates losses – within limits

This is different from implicit security principles, which seek loss elimination as an end goal. A value-driven risk management strategy requires the CFO, CRO, and CISO to determine what the business can stand to lose. When Caesars Entertainment experienced a data breach in the Fall of 2023, threat actors compromised the personal identifying information of an unknown number of rewards program members. The hackers allegedly demanded a $30 million ransom, of which Caesars purportedly paid half. 

As a counterpart, MGM Resorts was hit with a subsequent data breach and opted not to make a ransom payment. The result was an attack that shut down all of the systems at a dozen of Las Vegas’ most prominent casinos for ten days, with issues including cash-only transactions, downed ATMs and gaming machines, digital key cards not working, and more. To resolve the incident, MGM spent around $10 million on legal and consulting services. However, the impact on their business while the attack persisted led to a $100 million loss in third-quarter revenue.

Both organizations took a risk-focused approach to managing the incident– they looked at their value at risk and leveraged the decision to pay as a business decision that would impact their ability to deliver value. While it is impossible to know what was going through MGM and Caesar’s business leaders’ minds during the incident, they were almost undoubtedly making quick calculations to quantify their value-at-risk, the cost-benefit of paying vs. not paying a ransom, and which scenario fell within their risk tolerance. 

Two Approaches to Risk-Focused Incident Response 

It must be noted that no ransom event is the same: Caesars was notified of ransom demands earlier in the incident cycle than MGM, which most likely influenced MGM’s decision to withhold payment. However, for this exercise, reviewing the fundamental differences between their incident response tactics can teach the general cyber community a lot about calculating, managing, and anticipating losses to their organization’s overall risk surface. 

Caesars opted to pay the ransom after negotiation. They likely calculated the business impact of a downed system and determined that paying a portion of the ransom would lead to the least amount of losses. In this case, they were fortunate; their customer-facing systems were not impacted, and client data was not leaked online

MGM took a different approach and resisted ransom payment. As a result, their third-quarter finances took a considerable blow. However, with a total revenue of $15.38 billion, $100 million in loss is a drop in the bucket. This amount was probably within their loss tolerance, and the choice not to pay the ransom likely stemmed from confidence in their incident response capabilities, an understanding of their value at risk, and a risk-focused approach to loss that anticipated an incident like this. 

Neither reaction– making the ransom payment or resisting– is wrong. Caesars knew that they could reduce business interruption and avoid further losses by making the ransom payment. They calculated the cost of their risk surface and acted to minimize financial loss. MGM did the same; they determined their bottom-line could handle the cost of business interruption and leaned on their investments in cybersecurity to regain operationality. Both organizations determined how much loss they could accept, and proceeded to make decisions based on that calculation. 

A Cyber Resilient Objective 

While calculating how much loss you can accept may feel counterintuitive to the objective of resilience, it is critical for organizations to understand what they can afford to lose. Most cyber incidents cost something, and whether that is paid in the form of incident response, a ransom, business interruption, or reputational damage, the true and probable costs of cyber risk must be anticipated. 

A grounded approach to security should expect and plan for reducing losses, not trying to stop them completely.  This means identifying plausible losses that will severely impact a company’s ability to deliver value to its clients and then focusing on reducing the probability of incidents that can cause them. This focus on being resilient to material losses– instead of any loss– is the core objective of Cyber Resilience.

You might also like

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Top Three Trends on Cyber Resilience from The World Economic Forum

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.  The term has taken on a new importance in 2024 as enterprise […]

Do you Need Human Brains to make AI Useful in Cybersecurity?

As the world advances with data processing and artificial intelligence (AI) capabilities at a mind-boggling pace, we might feel as if humans are becoming obsolete. This is certainly the question of an endless series of articles that have clogged our inboxes since the release of ChatGPT publicly in late 2022. Maybe this development is a […]

Mastering Cyber Resilience

Cyber Resilience 101, 202, and accompanying Cyber Resilience Workshops are designed to teach brokers the fundamentals of proactive cyber risk management

Best of Threatonomics Year-End Review

As 2023 comes to an end, we are looking back on our top five most popular blog posts that helped shape our understanding of what it means to be cyber-resilient. 1. Moneyballing Cyber Resilience  Chief Cyber Resilience Officer Richard Seiersen wrote “Moneyballing Cyber Resilience” as a follow-up to  his first webinar, “Superforecasting.” The book, Moneyball, […]

Top Ten Cyber Risk Predictions for 2024

As we move into the next year, it is likely that the cyber landscape will evolve in ways we never saw coming. However, given the data from key trends in 2023 and our expert knowledge in tracking and translating cyber risk into actionable insight, caution around these ten predictions will be beneficial in the new year.