Prioritizing Potentiality Over Probability when Assessing Likelihood of a Cyber Breach

December 18, 2023  | By: Dr. James Norrie

Effective Cyber Risk Management: Understanding the Nuances of Cyber Breach Likelihood

Probability and potentiality are related concepts, but they are often confused especially when trying to predict the likelihood of any individual or organization being breached. Within our Human Defense Platform, we use these terms distinctly to refer to different aspects of risk in two distinct contexts.

Why is this concept so important to cybersecurity and GRC professionals? Because our efforts are designed to prevent a negative. When we succeed, nothing happens. However, others in the organization may not credit that positive outcome to our cumulative effort and investments in education, technologies, and controls. As I explain to my clients: “There is no credit for having no attacks”.

Conversely, if the random negative event of a security breach does occur despite our best efforts to prevent it, there is immediate suspicion about what we did, or failed to do, that made it possible. Yet the risk was always present. Restated, I might explain it as: “no escape from complete blame for a random event!”.

What a profession we are in, right? In this post, I will explain how distinguishing these two concepts matters as a practitioner – with the hope you can use this new knowledge to discuss this critical issue inside your own organization.

The Significance of Probability vs. Potentiality in Cybersecurity Risk Management

Probability Definition: Probability is a measure of the likelihood or chance that a specific event will occur. It is expressed as a number between 0 and 1 (most often turned into a percentage between 0% and 100%), where 0 indicates the event will not happen and 1 indicates the event will absolutely happen.

Cybersecurity Interpretation: The probability of any organization with any connection to the internet facing a threat, attack, or exploitation intended to breach its human and/or technical defenses is 100%. That is because, over time, with the explosion in the threat landscape and the ease of AI-enabled cybercrime, nobody is too small, too remote, or too insignificant to attract breach attempts.

Potentiality Definition: Potentiality refers to the inherent possibility for something to happen or develop, measured at any moment or over time. The concept implies certain conditions precedent and/or capabilities exist that may permit something to occur, or not. But it does not guarantee that it will or will not be actualized.

Cybersecurity Interpretation: The potentiality within an organization for an attack to exploit an existing vulnerability at any moment in time varies with a number of factors. Each can be measured for its presence or absence (availability), for its strength and consistency (durability), and for the organizational time and cost required to raise or lower the risk it carries (manageability).

Technical Defenses: Managing Probability and Potentiality

Regarding technical defenses and controls, there is more certainty about best practices and about how the ROI of various methods compares in reducing the risk of a brute force technical attack succeeding. Those defensive efforts contribute to a dramatic reduction in the potentiality of a technical breach occurring at any point in time. But the probability of an attempt being made to overwhelm those defenses always remains at 100% over time. Breach risk is omnipresent. So we must manage known defenses to keep the availability of potential technical vulnerabilities at its lowest level, while ensuring a high degree of reliability and response around those controls to improve the durability of our defenses, if we expect to minimize attack potentiality. When advising clients, we see a high degree of investment certainty around cyber hygiene and perimeter defenses as a result.

Human Factor Defenses: Bridging the Gap in Cybersecurity Investment

Regarding human factor defenses and controls, we note just the opposite: lots of generic, “check in the box” solutions that do not directly measure the presence or absence of the various human factors risks, and internal controls on things like training time and cost that actually reduce the durability of even those minimal defenses by, for example, requiring security awareness training only once a year.

When we compare practices and outcomes between technical and human defenses, we should all be mindful of the fact that more than 80 percent of successful breaches now involve a human factor. Yet we invest heavily in the management of our technical defenses and technologies because their adequacy is more easily visible, accessible, and justified. Because that is much more difficult to achieve on the human side of the risk equation, we often see clients doing the bare minimum and hoping the potentiality in any risky moment of an attack is in their favor. Recent odds suggest we are losing that bet more often than we are winning it these days.

So why is this so? In our advisory work with clients, we frequently discover that neither the security nor the GRC teams have been persuasive internally in making the case for investing more time and resources in managing human factors security risk. That is because there is less certainty about how to measure that risk and the ROI of best practices to mitigate it, often accompanied by a sense that it is inherently unpredictable. So we avoid this hard discussion altogether, over-simplifying a complex problem and doing the minimum to feel effective, but with no measurable assurance that we are actually doing our best to mitigate this risk. Given no alternative, many practitioners felt they were doing all they could regardless.

Conclusion: Proving the ROI of Human Factor Risk Management

With the advent of cyberconIQ’s Human Defense Platform, the era of not being able to directly, discretely, and reliably measure human factors risk across your organization is now over. Our platform can succinctly identify human factors risk at both the individual and aggregate level and present clear methods to impact its availability, durability, and manageability. We help you prove and then achieve your lowest level of theoretically possible human risk. Our patented, proprietary and proven methods lower the potentiality of an attack to industry-leading low levels, providing you with reports that can prove the ROI of your investment in controlling human factors risk as adeptly as your technical risk. So why wouldn’t you want to control your #1 most important risk with the world’s number one cyber knowledge engineering platform targeting human risk?

To learn more about our game-changing Human Defense Platform, contact us to schedule a 30-minute introductory meeting about our patented, proven platform and its impact.