SME Cybersecurity Risk Calculator

The cybersecurity risk calculator asks a series of questions designed to capture the factors that affect the expected losses to your business from cybersecurity incidents. These questions cover the size of the business, its IT infrastructure and systems, and its current cyber defences. The calculator then determines the expected losses from cybersecurity incidents and the return on investment of further defences and mitigations.

The cybersecurity risk calculator fills the gap between the general statistics and advice provided by government agencies and the commercial risk analysis services provided by cybersecurity consultants.

The cybersecurity risk calculator should take 5 minutes of your time. We believe it will be 5 minutes well spent.

Cybersecurity Risk Calculator FAQ

The cybersecurity probability distributions, costs and prices in the risk calculator have been calibrated for Malaysian SMEs. If you are from another country, you can still use the calculator. On the first screen, select the 'No' option for the question 'Do you want to use the predefined parameters for Malaysian companies?' and then adjust the national-level parameters as appropriate. The expected cost of defences and mitigations in the return on investment information will be converted from Malaysian Ringgit directly to your own currency, on the assumption that the cost of implementing defences / mitigations (for example the price of a firewall) is roughly similar worldwide.

The cybersecurity risk calculator models IT infrastructure and incident types commonly found in small to medium enterprises. The calculator is unlikely to be appropriate for enterprises with fewer than 5 employees, where the IT infrastructure usually consists of a few devices connecting to commercial online portals (SaaS) with local or cloud backup; here it would be more appropriate to look at personal cybersecurity risk models. For large enterprises with sizeable and experienced cybersecurity teams, such as banks, most of the factors and attacks modelled will already be protected against and a different set of factors would apply.

In Malaysia, an SME is defined as a business with between 5 and 75 staff and an annual revenue between RM300,000 and RM75,000,000.

The calculator implements a quantitative risk management framework in which cyber attacks and the associated damages are determined using Monte Carlo simulation. 

This involves modifying the sets of probability distributions that model the success rates of cyber attacks, the types and magnitude of damage caused, and the resulting financial losses, based on the answers to the questions in the calculator. The modified probability distributions are used to generate random cyber attacks and determine the losses caused for one financial year. This process is repeated 50,000 times, and the attacks and resulting damages are analysed statistically to give the expected losses and the return on investment associated with implementing further defences and mitigations.
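
The simulation loop described above, as an added sketch that is not the calculator's own code. The attack profiles, defence multipliers, costs, the Poisson and lognormal distribution choices and the ROI formula are all assumptions made for this example, not the calculator's calibrated parameters.

```python
import math
import random

# Constructed attack profiles, not the calculator's calibrated data:
# name -> (attempts per year, success probability, median loss in RM, lognormal sigma)
ATTACKS = {
    "phishing": (12.0, 0.05, 8_000.0, 1.0),
    "ransomware": (2.0, 0.04, 120_000.0, 1.0),
    "web_defacement": (4.0, 0.02, 15_000.0, 0.8),
}
# Constructed defences: name -> (success-probability multipliers, annual cost in RM)
DEFENCES = {
    "staff_training": ({"phishing": 0.4, "ransomware": 0.7}, 6_000.0),
    "web_app_firewall": ({"web_defacement": 0.3}, 5_000.0),
}

def poisson(rng, lam):
    """Draw a Poisson count with Knuth's method (adequate for small rates)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate_year(rng, defences):
    """Total loss in RM for one simulated financial year."""
    loss = 0.0
    for name, (attempts, p_success, median, sigma) in ATTACKS.items():
        for defence in defences:  # the profile's answers modify the distribution
            p_success *= DEFENCES[defence][0].get(name, 1.0)
        for _ in range(poisson(rng, attempts * p_success)):
            loss += rng.lognormvariate(math.log(median), sigma)
    return loss

def expected_loss(defences=(), years=50_000, seed=1):
    """Mean annual loss over `years` simulated financial years."""
    rng = random.Random(seed)
    return sum(simulate_year(rng, defences) for _ in range(years)) / years

def roi(defence, years=50_000, seed=1):
    """Assumed ROI definition: (loss avoided - cost) / cost for one added defence."""
    avoided = expected_loss((), years, seed) - expected_loss((defence,), years, seed)
    cost = DEFENCES[defence][1]
    return (avoided - cost) / cost

if __name__ == "__main__":
    print(f"expected annual loss: RM{expected_loss():,.0f}")
    for name in DEFENCES:
        print(f"{name}: ROI {roi(name):+.2f}")
```

With these constructed numbers, staff training pays for itself while the web application firewall does not, because the attack it blocks contributes little to the expected loss.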

Cybersecurity product and service providers can use the calculator with different company profiles to determine where their products and services offer a compelling return-on-investment.

Government agencies can use the calculator to determine the likely effectiveness of cybersecurity policy initiatives by adjusting the underlying probability distributions and running the simulator against a range of different company profiles.

