Feb 19 2020

How Can States Best Quantify Cybersecurity Risk?

More states are adopting formal approaches to cybersecurity risk, but Virginia wants to know what that risk costs in dollars.

Virginia recently adopted a fresh approach to quantifying cybersecurity risk in the face of limited resources and a surge of ransomware attacks, StateScoop reports.

When developing the new model, the Virginia Information Technology Agency looked to “several leading standards for quantifying risk” and then developed a new way of working with more than 60 fellow state agencies to safeguard IT across the commonwealth.

“Part of our oversight is making sure we’re making good investments and cyber enhancements,” VITA risk management director Jon Smith says. “And for the cyber liability insurance we should be carrying, without a dollar sign, it’s really challenging.”

To that end, the new cybersecurity risk model assigns a dollar figure to each risk rather than relying on qualitative ratings and anecdotal information when deciding how to safeguard resources.

Commonwealth Sought a Quantitative Cybersecurity Measure

Some states have adopted a standard developed by the U.S. National Institute of Standards and Technology. It specifies a three-tier structure, rating the potential impact of a security breach as “low,” “moderate,” or “high.” Because the scale is ordinal, two risks in the same tier can carry very different costs, and the rating itself says nothing about what either is worth in dollars. VITA did not find this standard “precise enough for effective cybersecurity budgeting,” StateScoop says.

Virginia started instead with the Factor Analysis of Information Risk (FAIR) model, a quantitative model for information security and operational risk that The Open Group has adopted as an international standard. “FAIR provides a model for understanding, analyzing and quantifying information risk in financial terms,” the FAIR Institute says.

Calling cybersecurity risk “a business issue, not just a technology issue,” the FAIR Institute notes, “Organizations are increasingly transitioning to risk-based approaches to information security and operational risk, as compliance to regulations alone [provides] only a minimum layer of security and fail[s] to adequately protect them.”

The commonwealth also turned to “the Center for Internet Security’s list of 20 security controls and resources, Verizon’s annual Data Breach Investigations Report and research from the Ponemon Institute to calculate state records’ risk values,” according to StateScoop.
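The following Python sketch is an added illustration of how a FAIR-style analysis turns range estimates into a dollar figure; it is not VITA’s model and not code from the FAIR Institute. It uses FAIR’s basic decomposition (loss event frequency = threat event frequency × vulnerability; annual loss = number of loss events × loss magnitude per event) and a Monte Carlo simulation to produce a distribution of annual loss. The two scenarios, their thresholds and all numbers are constructed for the example; in practice the ranges would be calibrated from sources such as the DBIR and Ponemon figures mentioned above. The point it shows is the one the article makes: two risks that land in the same “high” tier can differ by hundreds of thousands of dollars a year.

```python
"""FAIR-style risk quantification: from calibrated ranges to an annualised dollar figure.

Added illustration of the model structure described in the article; not VITA's model
and not FAIR Institute code. All scenario inputs are constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range estimate: minimum, most likely and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a simple stand-in for the PERT/beta
        # distribution FAIR analyses usually fit to min/likely/max estimates.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate    # threat event frequency: attempts per year
    vuln: Estimate   # probability an attempt becomes a loss event (0..1)
    loss: Estimate   # loss magnitude per loss event, in dollars


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year for an expected rate lam (Knuth's method)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def percentile(sorted_values: list, q: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    idx = min(len(sorted_values) - 1, int(q * (len(sorted_values) - 1)))
    return sorted_values[idx]


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo estimate of annual loss. Each trial is one simulated year:
    LEF = TEF x Vulnerability, then Poisson(LEF) loss events, each drawing
    its own loss magnitude."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        n_events = poisson(rng, lef)
        annual.append(sum(scenario.loss.sample(rng) for _ in range(n_events)))
    annual.sort()
    return {
        "mean": statistics.fmean(annual),
        "median": percentile(annual, 0.5),
        "p90": percentile(annual, 0.9),
        "p_any_loss": sum(1 for x in annual if x > 0) / trials,
    }


def ordinal_rating(mean_annual_loss: float) -> str:
    """Three-tier rating of the kind the article contrasts with FAIR.
    Thresholds are constructed for the illustration."""
    if mean_annual_loss >= 500_000:
        return "high"
    if mean_annual_loss >= 50_000:
        return "medium"
    return "low"


# Constructed scenarios (illustrative numbers, not VITA's or any report's data).
RANSOMWARE = Scenario(
    "ransomware on a county records system",
    tef=Estimate(2, 6, 12), vuln=Estimate(0.05, 0.15, 0.30),
    loss=Estimate(50_000, 400_000, 2_000_000),
)
INSIDER_EXPOSURE = Scenario(
    "privileged insider exposes citizen records",
    tef=Estimate(0.5, 1, 3), vuln=Estimate(0.2, 0.4, 0.7),
    loss=Estimate(200_000, 800_000, 5_000_000),
)


def compare(scenarios: tuple = (RANSOMWARE, INSIDER_EXPOSURE)) -> list:
    """Put the ordinal tier next to the dollar figures for each scenario."""
    rows = []
    for s in scenarios:
        r = simulate(s)
        rows.append({"name": s.name, "tier": ordinal_rating(r["mean"]), **r})
    return rows


if __name__ == "__main__":
    for row in compare():
        print(f"{row['name']}: tier={row['tier']}, mean=${row['mean']:,.0f}, "
              f"median=${row['median']:,.0f}, p90=${row['p90']:,.0f}, "
              f"P(any loss)={row['p_any_loss']:.2f}")
```

Both constructed scenarios rate “high” on the three-tier scale, yet their mean annual losses differ by roughly 400,000 dollars and their tails differ far more, which is the kind of difference a budget or an insurance limit needs to see. The distribution also matters: reporting only a mean would hide that in many simulated years the ransomware scenario produces no loss at all while in a few it produces several million.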


Slow Speed of Government Creates Limitations

“Across the globe, more and more organizations [including governments] are reaping the benefits of these cyber risk quantification approaches to efficiently limit their cyber risk exposure,” says FICO's Global Cyber Risk Quantification Network in a 2018 report, “Quantifying Systemic Cyber Risk.”

The report observes, “Individual governments have several limitations in effectively governing the cyber commons. The first limitation is that direct control over cyberspace is not economically feasible given its global scale and trans-jurisdictional nature.”

Government also often moves slowly, passing legislation only after several years of deliberation. While lawmakers deliberate, technology keeps accelerating, so a disruption can change the entire threat landscape before they have gained a footing in the previous one, the report says.

Still, state governments can take concrete steps to prepare their cyberdefenses. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) lists cybersecurity resources available to state, local, tribal and territorial governments, and a state cybersecurity strategy can incorporate these resources into its overall defense planning.

This article is part of StateTech's CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.


Arkadiusz Warguła/Getty Images