Cyber Risk Research for Retail and Consumer-facing Companies

May 12, 2022

Nobel prize winner Albert Szent-Györgyi famously said – “Research is like seeing what everyone else has seen and thinking what no one else has thought”.

At Alfahive, we are on a mission to improve the cyber health of our customers so that they can thrive in the digital economy. We built an industry-specific cyber risk quantification (CRQ) platform for retail and consumer-facing companies that enables a holistic view of cyber risk aligned to business strategy. With a consistent language and framework, both executives and the board will be better able to devise risk-intelligent responses – whether that means strengthening your controls, allocating additional resources, or mitigating risk through cyber insurance.

Alfahive evolves the way organizations measure, manage, and communicate to boards and business stakeholders about cyber risk because we clearly show you the potential cost of an event, the likelihood of it happening, and which business operations have the highest risk.

The Alfahive RiskNest platform includes continuously-curated research and cyber-risk scenarios mapped to business functions that can help you predict the likelihood and financial impact of a variety of common risk scenarios such as Ransomware, Data breach, Crypto mining, Bot fraud abuse risk, PII theft and more. We help you understand the financial impact of a cyber-attack, gain insight into the probability of incidents over time and quantify the reduction in expected losses if issues are resolved. We empower you to more effectively steer your cyber investment decisions and inform your budget spend.

The Alfahive RiskNest platform has foundational intelligence powered by Data Science and the Open FAIR™ (Factor Analysis of Information Risk) framework – the most widely used method in cyber risk quantification. It evaluates the likelihood of an event (the probability of a successful attack due to a certain threat) based on a combination of information that includes contact frequency, probability of action, threat capacity, resistance strength, primary loss, secondary loss event frequency and secondary loss magnitude. The impact of the set of considered threats is then measured as an estimated economic loss. Alfahive improves the quantitative evaluation of an organization's cyber risk with industry-specific research on attacks and vulnerabilities. As in humans, intelligence works only when you have the memory and data in place. Our platform has the built-in memory of cyber risks uniquely curated for the retail and consumer-facing industry by our research team. We build, nurture and power this data so that our customers can accelerate their cyber risk journey 10X faster.

Unique Research Methodology

We have developed a unique approach to align the research process to industry-specific nuances. It runs from data collection techniques and aggregation of data specific to retail and consumer goods companies, to sample selection and validation through focus group discussions and field trials, to finally applying our critical thinking and industry knowledge to contextualize the results for retail and consumer industry needs. At every step of the process, we magnify research output with industry wisdom and real-world data.

We believe that each industry faces unique cyber risk challenges. For example – a payment fraud risk (triangulation fraud) is very specific to a particular segment of the Retail Industry. Cyber bot abuse is very specific to the Retail industry that focuses on limited edition sales or promotion-driven high-value items. Third-party supply chain risks are unique to the retail and consumer goods industry.

Our RiskSquad Research team combines industry-specific attack activity and financial loss data with continuously-researched risk scenarios for online channels, stores, supply chain, merchandising, planning, and corporate functions. Each Retail business function has unique risk scenarios to consider. The Retail industry in particular has many routes to market and many cyber risk scenarios that need to be taken into consideration when building a cyber risk management strategy. For example, an online store and brick-and-mortar store have completely different third-party risks.

Online third-party risks

  • Content
  • Product comparisons
  • Recommendation engine
  • Promotions
  • Review
  • Shipping and maps

Brick-and-mortar third-party risks

  • Cameras
  • HVAC
  • Supplier merchandisers
  • Fulfilment

When managing cyber risk, business context is critical. Having unique research that is aligned to the business function ensures accurate and reliable insights for measuring cyber risk. We have applied our critical thinking to come up with a novel approach that focuses on the cross-sections of cyber risk and leverages machine learning technology as part of our repeatable process for assessing risks.

For example, consider a US-based retailer with an annual revenue of $3 billion that employs 15,000 people across 100 stores and operates an online/eCommerce site, with 60% of the business coming from the stores and 40% online.

If ransomware hits the store network:

  • The typical loss magnitude is $32M to $44.65M
  • The annualized probability of an event is 12.8%
  • A typical organization has less than a 1% chance of a loss exceeding $126M

Tools and Techniques

To better assess the risk posed by cybersecurity incidents, we first explore how often they occur, using the historical loss events that affect the retail industry. We then evaluate the number of events expected for a given organization over a period of 12 months. It all starts with the sample selection. We use a unique combination of industry databases to select over 2,000 retail companies segmented by business type and geography. This data is then merged and filtered through a leading threat aggregation platform with 100+ threat intelligence inputs, which provides us with historical empirical data to model the loss event frequency. This data is enriched with inputs from sources that include Verizon DBIR, Ponemon, IBM threat intelligence, and Thales.

Finally, our team of retail subject matter experts contextualizes this information with retail industry wisdom by using leading industry forums like RH-ISAC, OT-ISAC and NRF. We have developed proprietary research bots to support the Alfahive Risk Squad research team, who curate threat intelligence from global blogs, surveys and whitepapers.

We have developed a model for estimating loss event frequency with context specific to a retail organization's business operations and risk factors.

Alfahive is on a mission to fundamentally change cyber risk management so that omni-channel digital businesses can calculate cyber risk by the financial impact to business functions and KPIs. This is a totally new concept that makes it easy for CISOs and business leaders to gain visibility into security investments, drive urgency around risk mitigation, and connect the security big picture to day-to-day operations on an ongoing basis. With Alfahive, stakeholders across the online channels, stores, supply chain, and corporate functions can now collaborate on cyber risk using business language and proactively choose which risks to accept, transfer, or mitigate based on how various risk scenarios impact the bottom line.

In our next blog, we will share how we use a unique industry-specific archetype to calculate the cost of a breach event and make it contextual and real for retail, hospitality and consumer-facing businesses.