CHAPTER 10 Security Economics and Strategies

10.1 COST-EFFECTIVENESS OF SECURITY ENHANCEMENTS

10.1.1 Impact of Security on Cyber Loss Likelihood

Everyone who attends a major information security convention is confronted with a bewildering range of vendors offering products to enhance cyber security. How can you choose between security products? How can you evaluate the effectiveness of the protection they promise? How can you combine a suite of solutions and components into an integrated information security solution?

It is not our intention in this chapter to provide a buyers' guide to products, or to recommend one set of solutions over another. There is no universal security solution for all companies. Each company has different needs, and the solutions, components, and strategies that work best are unique to each organization.

Instead, we believe this is best evaluated within the framework of solving cyber risk. We have set out the principle that risk is assessed by evaluating the likelihood of losses of different levels of severity occurring within a given time period. We have proposed that this is built up from considering a wide range of scenarios of different cyber loss processes, including those described in Chapter 2 and adding others that might be important for your organization. Each scenario is evaluated for the loss that would occur, and the likelihood of it happening in the next year. Ranking scenarios from the highest loss downwards and summing ...
