Throughout the past decade the topic of cybersecurity has gained much attention and importance. Board directors are now feeling the pressure from government regulators, business partners and shareholders. The SEC has made it clear that board directors have a fiduciary responsibility for proper cybersecurity measures. Commissioner Luis A. Aguilar said “there is no substitution for proper preparation, deliberation and engagement on cybersecurity issues.” It is clear that board members should do something about cyber-risks. The question is how can they make the most effective decisions to ensure that cybersecurity risks are within acceptable levels? The problem they are facing is that the cybersecurity reports they receive are full of “technobabble” which is challenging to understand and to apply to their specific business.
The answer to this problem lies in a quantitative approach to measuring and reporting cybersecurity risks. Board directors can make strong statements regarding their oversight of cybersecurity if they are given quantified cyber risk data. Financial organizations and insurers have done this for decades, specifically they have used the “Value at Risk” (VaR) model to measure cyber risks. The World Economic Forum (WEF) describes VaR models as “characterized by generic applicability across industries, scalability, ease of interpretation and ability to support executives’ investment and risk management decisions.” This platform would allow board directors to have the necessary skills, knowledge and judgment to be competent leaders of their organizations’ cyber threats.