Cyber risk continues to dominate discussions in nearly all forums. The limited and fragmented data on cyber risk presents a significant challenge for companies as they try to understand, mitigate and quantify cyber risks.
A common language is needed so that different specialists can communicate about cyber risk incidents in terms that are understood internally and recognised externally, and that capture the information needed to understand the risks and the lessons to be learned.
Following on from the cyber resilience paper published in 2014, this CRO Forum concept paper proposes a methodology for a common cyber risk categorisation. It builds on the existing cyber incident reporting protocols of the IT and Risk Management communities, and aims both to improve the understanding of cyber risk and to respond to demands from governments for threat information. It incorporates the operational risk reporting standards used by ORX and ORIC, and the schema being developed to support the emergence of cyber insurance as an effective risk mitigation tool.
The aim of this paper is to stimulate a dialogue on the practicalities of a methodology for common cyber risk categorisation; on the possibility of creating a common language around cyber risk; and on whether the methodology can support the effective collection of data that enhances cyber risk management and improves cyber resilience.
The CRO Forum welcomes feedback, comments and engagement to explore whether the methodology can be developed to enable easy and cost-effective adoption by companies as part of their frameworks for promoting and enhancing cyber resilience.