Proactive cyber resilience in public sector, enabled through quantitative risk management
Public sector organisations are key to our economy, providing essential services to the population. Given the importance of the sector, they are prime targets for cyber-attacks, due to data-rich environments, critical infrastructure, political and ideological motivations, and interconnected systems. The UK Government’s Cyber Security Strategy, focused on building a resilient public sector, highlights the need to proactively manage cyber security risks. The public sector must adapt to rapid technological advances and to the way cyber-attacks are evolving. As the cyber landscape continues to grow in sophistication, and cyber budgets and resources are never unlimited, eliminating all risk is impossible. However, there are approaches to risk management that can better inform our decisions on where to invest, so that investment goes where it has the most impact on risk reduction.
When we are in a position of making complex decisions about how to mitigate risk, we weigh up the pros and cons of our options and can be easily influenced by factors such as past experiences, bias, emotion, and other people. Qualitative cyber risk management often involves this kind of subjective thinking, such as plotting scenarios on a risk matrix as high, medium or low, where the thresholds differ depending on who you ask. Qualitative assessments add value because they apply business context; on their own, however, they can create noise when making decisions. For example, after a cyber maturity assessment there is likely to be a long list of things that could be improved. But how do we identify which actions will truly mitigate risk? This is where the value of quantitative risk management comes into play. Complementing subjective views with quantitative data helps us take a more objective viewpoint on decision-making.
Cyber risk quantification focuses on expressing risk in financial terms and enables the expected reduction in risk exposure to be evaluated through cost-benefit analysis. Following a cyber incident there will be an immediate set of impacts, such as the interruption of critical business services, leading to negative outcomes for the population. There are various use cases for adopting cyber risk quantification and, when it comes to the UK public sector, I believe the following bring the most value to an organisation’s cyber risk management capability:
- Quantify cyber risk exposure at multiple levels, i.e. local, regional and national: the ability to conduct the analysis for individual organisations or departments, and to get a holistic view of them all by aggregating up into a central dashboard.
- Inform decision-making on capability focus areas mapped to NCSC CAF outcomes and investment strategies: use threat modelling to map out the steps and techniques taken to carry out a cyber threat scenario. By mapping cyber capability areas to each of the techniques, the analysis helps identify defence strength and where to invest.
- Measure incremental improvements in risk reduction, mapped to NCSC CAF outcomes: a cost-benefit analysis can be conducted to measure the impact of investment decisions on reducing cyber risk exposure. This can be done at an aggregate level, e.g. "Our £xM total investment delivered £xM in risk reduction." It can also be done at a capability or initiative level, e.g. "Investing £xM in B2 Identity and Access Control has delivered £xM in risk reduction, and our £xM investment in D1 Response and Recovery Planning delivered £xM in risk reduction."
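A constructed worked example of the three use cases above (added here; it is not the article's model nor any vendor's tooling): expected annual loss per threat scenario rolled up from organisation to region to national level, plus a cost-benefit view of investing in the CAF outcomes B2 and D1. Every organisation, frequency, loss figure, mitigation fraction and programme cost below is invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Scenario:
    org: str
    region: str
    name: str
    annual_frequency: float  # expected successful attacks per year (constructed)
    loss_gbp: float          # expected loss per event in pounds (constructed)
    # CAF outcome -> fraction of this scenario's expected loss removed once the
    # mapped capability is strengthened (assumed, derived from the attack steps)
    mitigations: dict = field(default_factory=dict)

    def expected_annual_loss(self, invested=()):
        loss = self.annual_frequency * self.loss_gbp
        for outcome, reduction in self.mitigations.items():
            if outcome in invested:
                loss *= 1.0 - reduction  # reductions compound multiplicatively
        return loss


def aggregate(scenarios, level, invested=()):
    """Roll scenario losses up to 'org', 'region' or 'national' level."""
    totals = defaultdict(float)
    for s in scenarios:
        key = "UK" if level == "national" else getattr(s, level)
        totals[key] += s.expected_annual_loss(invested)
    return dict(totals)


def cost_benefit(scenarios, investment_costs):
    """Per capability and combined: (risk reduction, cost, net benefit) in pounds."""
    baseline = sum(s.expected_annual_loss() for s in scenarios)
    options = [(o,) for o in investment_costs] + [tuple(investment_costs)]
    results = {}
    for option in options:
        after = sum(s.expected_annual_loss(option) for s in scenarios)
        cost = sum(investment_costs[o] for o in option)
        results[option] = (baseline - after, cost, baseline - after - cost)
    return results


# Constructed sample portfolio: two organisations in two regions.
SCENARIOS = [
    Scenario("Council A", "North", "Ransomware via phished credentials", 0.5, 2_000_000, {"B2": 0.6, "D1": 0.3}),
    Scenario("Council A", "North", "Data theft via unpatched web server", 0.2, 500_000, {"B4": 0.5, "D1": 0.2}),
    Scenario("Trust B", "South", "Ransomware via phished credentials", 0.8, 5_000_000, {"B2": 0.6, "D1": 0.4}),
]
COSTS = {"B2": 600_000, "D1": 400_000}  # assumed programme cost per CAF outcome

if __name__ == "__main__":
    for level in ("org", "region", "national"):
        print(level, aggregate(SCENARIOS, level))
    for option, (reduction, cost, net) in cost_benefit(SCENARIOS, COSTS).items():
        print(f"{'+'.join(option)}: £{cost:,.0f} buys £{reduction:,.0f} risk reduction (net £{net:,.0f})")
```

Swapping the constructed figures for calibrated frequency and loss estimates from your own scenario analysis turns the same roll-up into the "£xM investment delivered £xM in risk reduction" statements described above.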
In summary, cyber risk quantification supports proactive risk mitigation, and can help strengthen the cyber resilience of the public sector. If you are starting to think about adopting cyber risk quantification, this quick-start guide provides a simple checklist to help you develop a programme plan prior to any solution development or implementation.