How to mitigate ransomware risk through data and risk quantification

Ransomware attacks have, over the past years, been the most frequent cyberattack type and a growing community of adversaries continues to innovate methods for extorting organisations into paying ransom. Yet this risk is still, to many organisations, not well understood. Some refer to the averages reported in the media of the size of ransom and cost of ransomware attacks. But these numbers can be very far from the actual risk of a particular organisation. The nature of the risk, comprising many attack techniques and paths through an organisation’s IT assets affecting a range of systems, data and the processes they support, makes it complex to describe and analyse. By using a risk analysis technique, where the risk scenario is decomposed to account for the contributions to the risk from different attack techniques, the vulnerabilities they exploit and the different forms of impact the attack inflicts on an organisation, it is possible to describe the risk in a more nuanced way unique to an organisation. Having created a model of the risk scenario that accounts for the factors relevant to the target organisation, it is possible to study mitigation options more consistently and simulate effects of implementing potential controls. Collecting data used to estimate the individual contributions to the total risk reduces the uncertainty of the risk measure and enables calculation of mitigation effects. This paper introduces the concept of quantitative risk assessment by highlighting results from quantitative studies of ransomware risk and providing examples of how data can be collected. Common pitfalls when using high-level data are demonstrated by showing examples of insights gained from collecting data about controls effectiveness. Being more effective in mitigating ransomware risk will both benefit the organisation directly and, by making ransomware attacks less profitable, society.