How likely is a ransomware attack this year on Guy’s Guitars, a small business in Lancaster? Or website hacking on Butlers Cheeses, a medium-sized one further south? Or any kind of cyber attack on any small to medium UK company?
To decide how much money and effort to spend on different cyber defences, organisations do risk assessments. For a small or medium-sized company, that probably means a ‘system’ risk assessment.
People in the organisation identify kinds of cyber risk relevant to them. Then for each kind of risk, they estimate the possible damage and the probability per year, and multiply them to give an ‘expected loss’ for each risk. They can then focus on the largest expected losses, to get the biggest value for their investment.
Data for the probabilities, though, is hard to find. Existing risk methodologies appear either silent on the subject or assume that it depends only on the ease of exploitation of vulnerabilities—akin to assuming your likelihood of burglary depends only on the quality of your door and window locks! Obviously much will depend on what the organisation does to protect itself, but even so there is a 'background' likelihood for different kinds of attack that doesn’t often seem to be discussed.
Yet the data is available. In the 2023 Hipster project with Dan Prince and Anna Dyson, I used data from the Cyber Telephone Survey and from the Information Commissioner’s Office to produce more accurate figures in the context of the health sector, which we incorporated into a lightweight risk assessment process. The statistics we found are published in the public materials for the workshop, and in a paper we wrote.
In creating the figures, I noted that the differences in probabilities were orders of magnitude, rather than a few percent: a misdirected communication was a hundred times as likely as ‘denial of service malware’. That means that, to be useful, all we need to calculate is the order of magnitude for the risk: 10%, 1% or 0.1% probability in a year, for example.
It also makes this information particularly valuable to an organisation: why spend money addressing an unlikely risk when a different one represents a hundred times the expected loss?
In the calculation, I also observed that the differences between sectors in the probability of a given risk were nowhere near orders of magnitude. So, the probabilities would be similar for SMEs in all sectors; we only need one set of figures.
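To make the procedure concrete, here is a small worked example of the expected-loss calculation described above, with probabilities rounded to the order of magnitude the post argues is sufficient. It is an added illustration, not code from the Hipster project or from this post: the risk names, annual probabilities and loss figures are constructed placeholders rather than the published survey statistics, and the value-for-money check at the end goes slightly beyond the post by comparing a defence's annual cost against the expected loss it avoids.

```python
"""Worked example of a 'system' risk assessment for an SME.

Added illustration only; not the Hipster project's code. Every figure in
SAMPLE_REGISTER is a constructed placeholder, not a published statistic.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the event happens at least once in a year
    loss_if_it_happens: float  # estimated damage (GBP) for one occurrence

    @property
    def expected_loss(self) -> float:
        """Annual expected loss: probability per year multiplied by damage."""
        return self.annual_probability * self.loss_if_it_happens


def order_of_magnitude(probability: float) -> float:
    """Round a probability down to its decade: 0.1, 0.01, 0.001, ...

    The post's observation is that risk types differ by factors of 10 or
    100, so the decade is all the precision a useful figure needs.
    """
    if not 0.0 < probability <= 1.0:
        raise ValueError("probability must be in (0, 1]")
    # Small epsilon guards against a float sitting a hair below a decade boundary.
    exponent = math.floor(math.log10(probability) + 1e-12)
    return 10.0 ** exponent


def rank_by_expected_loss(risks: list[Risk]) -> list[Risk]:
    """Largest expected loss first: where a defence budget buys the most."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def control_is_worth_it(risk: Risk, annual_cost: float,
                        probability_reduction: float) -> bool:
    """Crude value-for-money test for a defence against one risk.

    probability_reduction is the fraction of the annual probability the
    control removes (0.9 means the event becomes ten times less likely).
    The control pays for itself if the expected loss it avoids exceeds its
    annual cost. This check is an extension of the post, not part of it.
    """
    if not 0.0 <= probability_reduction <= 1.0:
        raise ValueError("probability_reduction must be in [0, 1]")
    avoided_loss = risk.expected_loss * probability_reduction
    return avoided_loss > annual_cost


# Constructed sample register. The 100:1 ratio between misdirected
# communication and denial-of-service malware mirrors the post's remark,
# but these specific numbers are illustrative, not measured.
SAMPLE_REGISTER = [
    Risk("Misdirected email containing customer data", 0.10, 5_000),
    Risk("Ransomware", 0.01, 60_000),
    Risk("Website defacement", 0.01, 8_000),
    Risk("Denial-of-service malware", 0.001, 20_000),
]


def main() -> None:
    for risk in rank_by_expected_loss(SAMPLE_REGISTER):
        print(f"{risk.name:45s} p~{order_of_magnitude(risk.annual_probability):<6g} "
              f"expected loss GBP {risk.expected_loss:,.0f}/year")
    ransomware = SAMPLE_REGISTER[1]
    # Hypothetical control: offline backups costing GBP 300/year, cutting
    # ransomware impact probability by 90%.
    print("Backups worth it for ransomware?",
          control_is_worth_it(ransomware, annual_cost=300, probability_reduction=0.9))


if __name__ == "__main__":
    main()
```

Note that the most likely risk in the constructed register (the misdirected email) is not the one with the largest expected loss; the ranking, not the raw probability, is what should steer spending.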
For a next step, I’m looking to bring the figures up to date and publish them publicly in a simple guide for industry people to reference.
Interested? Drop me a line!
— Charles