CHAPTER 2 Preparing for Cyber Attacks


Organizations suffer losses from a cyber attack, or from a failure of their information technology (IT) systems, in a number of different ways. The loss might be the disruption of business operations, or the costs the organization incurs as a result of the cyber event. ‘Risk’ is defined here as the likelihood of loss. Assessing cyber risk therefore entails estimating how likely an organization is to experience different levels and types of loss.

These can be broken down into a number of key loss processes, for example:

  • Data exfiltration
  • Contagious malware attacks
  • Denial of service attacks
  • Financial transaction theft
  • Failures of counterparties or suppliers

This is not an exhaustive list of loss processes. In the next chapter, ‘Cyber Enters the Physical World’, we consider losses from cyber attacks on physical control systems. There are many other ways that losses can occur, including human error, accidents and mechanical failures; network failures and disruption to communication protocols; insider threats and malicious acts of sabotage; and others. However, the key loss processes described here are estimated to account for around 90% of the economic losses that businesses suffer as a result of cyber attacks and technology failures.1 Each is a distinctly different loss process with its own implications for cyber risk management and mitigation. We describe each of them in turn.


The highest-profile ...
