Abstract

Data breaches have been causing havoc for many years and continue to rise, demanding a more comprehensive framework to assess their severity. This study proposes a cybersecurity risk quantification and classification framework, addressing a significant research gap in breach severity evaluation. The study has two main objectives: to present a structured model for precise breach severity assessment, and to apply this model to real-world data breaches for practical insights. To achieve these objectives, we use a content analysis methodology to gauge the severity of data breaches. This is followed by a robust likelihood-impact matrix analysis, serving as a decision analytics tool, to effectively quantify potential risks. The integration of these approaches yields a more comprehensive and nuanced evaluation of data breach severity. The proposed framework is then applied to data breaches gathered from Standard & Poor’s (S&P 500) organizations, revealing hacking and loss/theft of portable media as the breach types with the highest impact and probability. Drawing on these insights, our study suggests effective strategies to mitigate data breach risks for organizations. The implications of our research findings offer valuable contributions to both academic research and practical cybersecurity risk management.
