To FICO or Not to FICO: Choosing the Right Model for Cyber Assessment
Financial institutions require a way to evaluate the creditworthiness of individuals. Credit scoring solutions evolved in response to this need, and the best known is the FICO score. According to its website, “90 of the top 100 largest U.S. financial institutions use FICO Scores to make consumer credit decisions.”
You’re familiar with how your score is calculated. Evidence of past behavior is used to make credit-granting decisions by predicting how likely you are to pay off financial obligations in a timely fashion. FICO draws data, including payment history and use of available credit, from the three main credit bureaus, and calculates scores using FICO’s proprietary algorithms.
The impact and frequency of cyber breaches have risen to the point that cyberattacks have become the top source of risk for most companies. It is clear that these companies need a reliable way to measure cyber risk. Cyber risk assessments are useful to companies evaluating the organization as a potential vendor, to insurers wanting to price and sell cyber insurance to them, and to the organizations themselves, which want to understand how vulnerable they are.
A number of software vendors have devised unique versions of a cyber risk score modeled after the FICO score, which is an attractive model to emulate since it’s well understood by everyone. The challenge is that, in this case, data about cyber risk behavior from three trusted sources doesn’t exist, so choosing and using the right data is critical.
Most vendors gather threat data from a variety of external sources to create their version of a score. Using proprietary methods to gather the data and proprietary algorithms to analyze it, they calculate and present a score that they contend is a good predictor. Not surprisingly, the score is often set within a range of 250-900, similar to FICO's. The idea is that users of the scores, most often insurers, will get some idea of the relative risk represented by each company and be able to make decisions based on the score.
About 18 months ago, Cybernance set out to solve the cyber risk liability problem that directors and executives faced. At first, we thought that FICO-like scoring was the right path: it would yield easy-to-understand results, and scores could be clearly communicated to non-technical board members and senior management. The deeper we drove into our analysis, however, the more shortcomings of FICO emulation we identified:
- Relying upon external data doesn’t enforce the internal discipline needed to make real progress in mitigating risk. Leading cybersecurity experts point out that implementing a few rudimentary controls dramatically reduces cyber risk, yet a high percentage of organizations haven’t taken those steps. Deliberately implementing and monitoring internal controls leads to a rapid increase in cyber resilience and mitigation of cyber risk.
- Lack of insight into internal cyber risk mitigation processes greatly restricts the ability to suggest and prioritize risk-mitigating actions. Imagine how accurate FICO could be if, rather than relying on credit history, they had unlimited access to a consumer’s detailed financials (e.g., financial account statements) and could ask questions of their financial advisor. The same is true in cybersecurity: an understanding of existing internal controls can enable a meaningful list of prioritized actions to guide ongoing improvements.
- Proprietary scoring creates dependence upon one company. Astute organizations are loath to stake their future upon the brilliance of a single company’s developers. It’s more rational to stand on the shoulders of giants by leveraging the breakthrough thinking embodied in rapidly evolving, public domain standards like the NIST Cybersecurity Framework, and others.
- External data is strong on technology management but weak on understanding internal culture and external influence. Great advances continue to be made in cybersecurity technology, and technology is a critical element in increasing cyber maturity. Most publicized breaches, however, did not result from failures in technology. Instead, human errors were the cause, stemming from lack of a strong risk culture and failures to manage risks in dealing with vendors and partners.
- Directors are capable of understanding more than a simple score. Directors can oversee internal cyber risk actions and movement toward organizational maturity just as effectively as they deal with financial risk. While providing them with technical information about cybersecurity technology measures isn't helpful, sharing how the organization is progressing toward cyber maturity is. They can engage in cyber risk management in the same way they engage in financial risk management. Encouraging the creation of a strong risk culture and the management of partner and vendor relationships are two key areas that leverage their knowledge of general risk principles and their ability to provide active oversight.
What do we propose in lieu of a FICO-inspired score?
- Contrast how your organization is progressing against recognized national standards rather than proprietary checklists.
- Measure risk management, risk culture, and risk influence, not just technology implementation.
- Base cyber risk measurement and analysis on factors that can be managed by the organization, i.e., internal controls (we track about 400), rather than on external threats that can't be controlled.
- Communicate progress in ways that can be understood by all stakeholders across the organization, including the board and the C-suite.