Why Cybersecurity Needs Probability — Not Predictions
While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of hard decisions.
![The word "probability" repeated over a page; most copies are light green, but the one in the center is dark green](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltd88da2ad28bce58a/67a3a37b3ad81b7f7bf56472/Probability_(1800)_Agata_G%C5%82adykowska_Alamy.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)
COMMENTARY
Many cybersecurity leaders kick off each new year with predictions for the year to come. You may have seen a deluge of them over the last month or so: "Cyberattacks will continue to be a problem." "This certain country will ban ransom payments."
But as a cybersecurity company founder and CEO, as well as a licensed insurance broker, I believe that, instead of predictions, what we really need to protect ourselves is a better understanding of probability. Why? Predictions do not inspire solutions. Probabilities do.
To understand why probability is so important in cybersecurity — and why it makes non-data-driven predictions highly impractical — let's look at what probability actually is.
Understanding the Nuances of Probability
Traditional understandings of probability tend to be misguided. Many treat it as simply the frequency of events over many trials (think: flipping a coin). This requires extremely large datasets, and those datasets must be stable and consistent. Fighting threat actors, though, is famously neither a stable nor a consistent endeavor. Cybersecurity is thus inherently dynamic and uncertain; we require a more nuanced paradigm.
Bayesian probability, which views probability as a "degree of belief" based on available data and expert judgment, allows for the flexibility and adaptability needed in cybersecurity. While data may be limited and conditions evolve quickly, we can still use this approach to build risk models for a company's unique threat surface. These risk models combine the aforementioned data-driven probabilities with variables like control maturity, cyber-insurance claims data, and business and industry-specific factors to create accurate, up-to-date risk assessments. This Bayesian probability model is thus what I refer to when I say "probability."
Learning From Insurance
We can glean a lot about cyber-risk and probability from what may sound like a surprising source: insurance data. Because my company provides cyber insurance as well as risk management strategies, we have visibility into just how many insurance claims actually become "material" to a company. In other words, we can see not only the number of attacks our clients faced — but also what the real financial impacts were. While we saw the frequency of claims rise by nearly 35% in 2024, these claims actually became material at a lower rate than we saw in 2023.
What does this mean? At the most granular level, it means that companies in our portfolio aren't losing as much money from cyberattacks as they could have. That's encouraging in itself, but it also suggests a broader, encouraging trend: cybercrime is here to stay, but companies are getting better at withstanding the worst of the effects. And we're not alone in seeing this positive trend: Coveware recently reported a major decline in ransom payment rates, while Palo Alto Networks predicts a shift in the effectiveness of ransomware demands as organizations increasingly invest in not only better security postures, but more cyber resilient architectures overall.
Whether through risk management strategies, a more cyber-aware and proactive board, investments in cyber insurance and best-in-class security tools, or a combination of these, companies are growing more resilient, even as cyber criminals get smarter and faster.
Putting Data and AI to Work
These improvements in mitigating damages from cyberattacks over the past year are not happening in isolation. They are a result of a renewed, better focus on putting security and risk data to work. When we have the right data — and the right probability models — we can adopt a far more informed understanding of what's to come in the future, and what the potential impacts are.
For us, that means building a complex model based on the data we have. Our models are constructed as a network of event triggers and input signals; taken together, they inform the probability that losses will occur, the range of losses when they do occur, and the probabilities associated with the size of the losses in the range. We do this according to the kind of perils that can materialize into those losses, including business disruption, data breach, fraud, and extortion.
The rate at which perils result in losses is influenced by the maturity of the security controls that our customers have. We tune the relationship between these signals, their level, and their output based on our experts' degrees of belief, cyber claims data, and firmographic data. This large network facilitates our probabilistic reasoning — and the results we observe tend to be quite accurate.
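To make the kind of model described above concrete, here is an added toy illustration of my own; it is not the author's or their company's model. It assumes a Beta-Binomial update of an expert prior by constructed claims data, a linear effect of control maturity on the rate at which claims become material, and lognormal loss severity per peril; every number in it is constructed.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Peril:
    name: str
    prior_alpha: float   # expert degree of belief: pseudo-count of claim-years
    prior_beta: float    # expert degree of belief: pseudo-count of claim-free years
    claims_seen: int     # constructed claims data: years with a claim
    years_observed: int  # constructed claims data: years observed
    log_mean: float      # lognormal severity (USD): log-scale mean
    log_sd: float        # lognormal severity (USD): log-scale std deviation

    def claim_rate(self) -> float:
        """Beta-Binomial posterior mean: prior belief refined by claims data."""
        a = self.prior_alpha + self.claims_seen
        b = self.prior_beta + (self.years_observed - self.claims_seen)
        return a / (a + b)

def materialisation_rate(control_maturity: float, floor: float = 0.15) -> float:
    """Share of claims that become material; maturity in [0, 1] scales it down
    linearly to an assumed residual floor (my assumption, not the author's tuning)."""
    return floor + (1.0 - floor) * (1.0 - control_maturity)

def expected_annual_loss(perils, control_maturity: float) -> float:
    """Closed form: sum over perils of P(claim) * P(material) * E[lognormal severity]."""
    m = materialisation_rate(control_maturity)
    return sum(p.claim_rate() * m * math.exp(p.log_mean + p.log_sd ** 2 / 2)
               for p in perils)

def simulate_loss_distribution(perils, control_maturity, trials=20000, seed=7):
    """Monte Carlo over one year: P(any material loss) plus loss percentiles."""
    rng = random.Random(seed)
    m = materialisation_rate(control_maturity)
    yearly = []
    for _ in range(trials):
        total = 0.0
        for p in perils:
            if rng.random() < p.claim_rate() and rng.random() < m:
                total += rng.lognormvariate(p.log_mean, p.log_sd)
        yearly.append(total)
    yearly.sort()
    return {"p_any_loss": sum(1 for y in yearly if y > 0) / trials,
            "p50": yearly[trials // 2], "p95": yearly[int(trials * 0.95)]}

# Constructed portfolio: the article's four perils with illustrative numbers.
PERILS = [Peril("business disruption", 1, 9, 7, 20, math.log(200_000), 1.0),
          Peril("data breach", 1, 9, 5, 20, math.log(150_000), 1.2),
          Peril("fraud", 2, 8, 9, 20, math.log(40_000), 0.8),
          Peril("extortion", 1, 9, 4, 20, math.log(500_000), 1.1)]
```

Running `simulate_loss_distribution(PERILS, m)` for a weak and a strong control maturity shows the pattern the article reports: claim probability stays the same, but the share that becomes a material loss, and with it the loss percentiles, drops as controls mature.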
Resisting the FUD Mentality
Fear, uncertainty, and doubt (FUD) often cloud our vision when it comes to cybersecurity decision-making and future projections. That's understandable: Cyberattacks on large organizations have affected many of us directly. Maybe you couldn't get a prescription in time after the Change Healthcare attack. Or perhaps you received a notice that your data had been breached as a result of an attack on AT&T. Even if you haven't been personally affected, an onslaught of doom-and-gloom headlines can make it tempting to look to the future and assume disaster is imminent — or worse yet, that there's nothing we can do about it.
But when we remove our FUD glasses and look at the cold, hard data, those assumptions become glaringly incorrect. That's why assessing risk with a probabilistic model can give us far better insight into not only what's likely to happen, but what the actual impacts may be. And when we better understand potential impacts, we can conceptualize far more effective solutions. Think: choosing comprehensive security tools that protect whatever a company identifies its "crown jewels" to be; building a full team behind a company's chief information security officer (CISO) and adding new cyber-savvy board members; and even investing in cyber insurance.
Furthermore, it's probability — not predictions lacking hard data — that helps us quickly make important decisions under pressure and uncertainty. While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of the hard decisions we make. And when we feel more confident in these decisions, we get better solutions that can make us essentially invincible to whatever cybercriminals may throw our way this year.