AI is poised to enable risk models that answer the big business questions: what could cyber crime cost the organisation, and what is the ROI on cyber security investments?
New AI-enabled cyber risk quantification could help organisations understand the true cost to the business if key operations were impacted by cyber crime, and the costs of defending against these risks.
This is according to Nimrod Partush, VP data science at CYE Israel, who addressed a track sponsored by Atvance at the recent ITWeb Security Summit in Johannesburg.
Speaking on the sidelines of the event, Partush said: “Using AI for organisational cyber risk quantification is not mainstream yet, but we at CYE are achieving promising results in this field. We've developed a robust model to use AI to quantify organisational risk, which can answer those business questions and support CISOs who are asked to put dollar figures to risk and business impact.”
In his talk on AI solutions for assessing organisational risk, Partush said organisational risk frameworks are complex, making it challenging to combine all risk data into actionable insights for risk assessment and mitigation.
“I want to propose a more singular definition for organisational risk: the chance/probability of compromising the integrity or availability of the organisation’s critical assets,” he said.
“What we’ve seen is you can have a lot of vulnerabilities, but if these don’t pose a risk to business critical assets, then they aren’t critical.
“Organisations have hundreds, if not thousands, of potential vulnerabilities and we need a way to piece all those pieces of the puzzle together for a real measure of risk. To connect all of the dots, we can use AI, looking at hundreds of thousands of scenarios where real companies were breached, and create a model that somehow learns and gives us an answer for a specific scenario.”
He said CYE uses a Markov chain to assess probabilities and build an entire risk view, with paths to all critical assets and the probability of them being attacked.
“We apply this to all risks, and bind them together to determine the risk and how many attackers would likely be able to compromise the organisation,” said Partush. “We can then use this knowledge to optimise mitigation and fix whatever reduces the organisational risk the most.”
He said it’s important to weight risk according to whatever has the most value to the organisation and what offers the greatest improvement. “You also have to know the entire picture and context in order to apply defences where it’s important. You can apply this framework to any part of the organisation, or extend it across your entire ecosystem,” he concluded.
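The Markov-chain approach Partush describes, as an added illustration that is not CYE's model or code: a constructed attack graph in which each state's outgoing probabilities are the attacker's chance of moving on, absorption at the critical asset gives the end-to-end compromise probability, and candidate controls are ranked by how much each lowers it. Every state, probability and control name below is made up for the example.

```python
from copy import deepcopy

# Constructed attack graph (not from the article): state -> {next_state: probability
# the attacker moves there}. Mass missing from a row is the chance the attacker is
# stopped at that state, i.e. an implicit absorbing "stopped" state with P = 0.
GRAPH = {
    "internet":     {"phishing": 0.6, "vpn": 0.3},
    "phishing":     {"workstation": 0.5},
    "vpn":          {"workstation": 0.2, "file_server": 0.5},
    "workstation":  {"file_server": 0.6, "domain_admin": 0.2},
    "file_server":  {"domain_admin": 0.5, "crown_jewels": 0.3},
    "domain_admin": {"crown_jewels": 0.9},
}
CRITICAL = "crown_jewels"  # critical asset: absorbing state with P(compromise) = 1

# Candidate controls (constructed): name -> (edge source, edge target, new probability)
MITIGATIONS = {
    "phishing_training":   ("internet", "phishing", 0.3),
    "vpn_mfa":             ("internet", "vpn", 0.05),
    "edr_on_workstations": ("workstation", "domain_admin", 0.05),
    "tiered_admin":        ("file_server", "domain_admin", 0.1),
}

def compromise_probability(graph, start="internet", critical=CRITICAL, tol=1e-12):
    """P(walk from `start` is absorbed at `critical`): solve P(s) = sum_j p(s->j) P(j)
    with P(critical) = 1, P(stopped) = 0 by fixed-point iteration (handles cycles)."""
    prob = {s: 0.0 for s in graph}
    prob[critical] = 1.0
    for _ in range(100_000):
        delta = 0.0
        for s, edges in graph.items():
            new = sum(p * prob.get(j, 0.0) for j, p in edges.items())
            delta = max(delta, abs(new - prob[s]))
            prob[s] = new
        if delta < tol:
            return prob[start]
    raise RuntimeError("no convergence: a row probably sums to more than 1.0")

def rank_mitigations(graph, mitigations, critical=CRITICAL):
    """Apply each control alone and score it by how much it lowers the end-to-end
    compromise probability. Returns (baseline, [(reduction, control), ...] best first)."""
    base = compromise_probability(graph, critical=critical)
    ranked = []
    for name, (src, dst, new_p) in mitigations.items():
        patched = deepcopy(graph)
        patched[src][dst] = new_p
        ranked.append((base - compromise_probability(patched, critical=critical), name))
    ranked.sort(reverse=True)
    return base, ranked
```

On this graph the control deepest in the chain (tiered_admin) cuts the compromise probability most, which is the point about needing the whole picture rather than patching whatever looks worst in isolation.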