Visualizing Risk (Draft)

An exploration of different approaches to communicating security breach risk informed by prior work.

Questions/TODO

• How should tail risk be visualized?
• How well do quantile dotplots capture tail risk?
• Review Open Group work on cyber risk
  • Calculating Reserves for Cyber Risk: Integrating Cyber Risk with Financial Risk
  • Calculating Reserves for Cyber Risk: An Open FAIR Approach

# no libraries

Background

The Risk Value Analysis found that a firm’s executive is unlikely to invest in reducing the risk of a large security breach, suggesting that security spending should be presented differently:

At the firm level, I think this means that security leaders shouldn’t present security as an investment. As with safety, I think the main argument for better security is a moral or emotional case: we care about security because we care about our customers, partners, and other stakeholders. Also, people are typically loss-averse, so expressing security risk in those terms will better connect with decision makers. Using Tail value at risk or Loss Exceedance Curves express loss in this way - “There’s a 5% chance of cybersecurity losses exceeding $780,000 and a 1% chance of losses exceeding $25,000,000 over the next year.” I also think it means security leaders should be mindful of how they spend their limited funds, by maximizing investments in what works.

This analysis explores different approaches to communicating that risk with the goal of promoting decisions on security spending so that all participants are satisfied with the outcome, informed by prior work on risk communication and risk perception, including the work of Lace Padilla, and Cyentia’s analysis on tail value at risk.