The business case for dynamic risk assessment
Risk management is a discipline with an extensive heritage. For example, the insurance industry has been built on, and profits from, disciplined risk management. For every product there is a policy and a detailed assessment of what the premium should be to cover the risk and allow the underwriter to make a profit overall.
Many of the models used in insurance are mathematical and require years of claim data to improve accuracy. However, cyberspace is a constantly evolving landscape, with changes occurring far more rapidly than in traditional cover areas such as home and contents, car, travel, etc. Due to the lack of established data, the cyber insurance industry has struggled to develop models that accurately determine what to cover and for how much.
Putting cyber insurance aside (that is a topic for another paper altogether), let us focus on how cyber risk assessments can be performed for the modern organisation given the dynamic nature of cyberspace.