4. Determine your appetite for cyber risk

^{Determine your appetite for cyber risk}

With your cyber risk quantified, you can make more informed decisions about how much risk you’re willing to live with. This is often referred to as you’re your cyber risk tolerance.

Thinking of your cyber risk tolerance in terms of pounds and pennies can really help here – each incident costs some amount of money in terms of lost productivity, revenue, and/or fines.

Going through the cyber quantification process can help remove personal biases. For example, we’ve had situations where leaders have wanted to spend money on end-user awareness and education.

But our modelling has shown that for ransomware, once a broad level of awareness is achieved, there are limited benefits from further expenditure on training.

It’s a different story for email fraud. Here, we’ve found that tailored learning for finance employees yields far greater returns than spending on technical controls, like anti-malware.

You can never remove all risk of a cyberattack. So it’s also important to build in cyber resilience measures. You should put in place plans so that, if an attack is successful, you can react quickly and limit the impact on your organisation.

Ask yourself:

How many incidents can we suffer before our regulators start imposing restrictions?
What can we afford in terms of lost productivity, revenue, fine and remediation costs?
How much financial loss in a year are we prepared to live with?
Can we decompose the impact of an attack into different loss categories – for example, productivity, response, replacement, fines, competitive advantage, reputational damage?