Convergent Quantitative Cyber Risk Assessment to Optimize Enterprise Reliability


Mr Cesar Henri Oboni, Dr Franco Oboni

This paper shows a case history of convergent quantitative prioritized risk assessment used as the basis for rational risk-based decision making. The goal is to optimize mitigative investments and increase reliability across a mining portfolio, including cyber risks, in the best possible way. Information technology (IT), the Internet of Things (IoT), and spreading connectivity are bringing very significant benefits to mining, but they increase the mining industry's exposure to cyber criminals and possibly terrorists. This phenomenon is general and occurs in every industrial, infrastructural and service space, not only for cyber risks in mining. During the last decade the techniques and tools of cyber attacks have become more sophisticated, the distinctions between actors and threats have become blurred, and attack prospects have become more worrying. Reportedly at least one major mining company has been the target of a massive hack, but serious infrastructural damage has only seldom been inflicted, and not in mining (as far as we know) but in other industries. Indeed, given the rapid escalation in the number and sophistication of cyber attacks, infrastructural damage is to be expected "any time". Any infrastructural damage, especially with environmental consequences or harm to people, will carry significant crisis potential, reputational damage and legal consequences. Cyber risks in mining companies are a reality that cannot be ignored. The wide spectrum of threats and potential consequences spanning the various functions of a mining company, from management to production and logistics, shows that siloed approaches do not work, integrative ones are slightly better and, finally, convergent approaches offer an optimum for increasing reliability while mitigating risks. It has been shown that broad-spectrum protection investments, and particularly poorly prioritized ones, are not efficient, as oftentimes they are limited in scope by other operational requirements.
So it is simply not possible to protect each property from each threat. Cyberdefense must be rooted in intelligence based on convergent prioritized risk management, and not in standardized audits, the practice of indolent regulations written a priori, or the biased advice of fear-mongering solution sellers. Encouraging information reports that, recently and in some cases, two-thirds of the overall capex on cyber risk mitigation strategies was non-technology driven. The idea that cyber risk is not only an IT issue is finally sinking in. This, however, does not necessarily mean the capex is allotted in the most efficient way, unless proper prioritization is performed and silo culture is replaced by "horizontal" thinking. We note that all of the above does not necessarily mean that cyber risks were integrated into the ERM program. Cyber risks in mining companies are a reality, and the deployment of an adequate silo-busting convergent analysis methodology will eliminate capex squandering and increase overall enterprise reliability. Risk assessment offers support for operational decisions and protection (mitigation), provided that we define the level of acceptable risk reduction/mitigation and that we formulate measurable performance targets to achieve.
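The abstract argues for a single convergent register that prioritizes mitigative capex across cyber and physical scenarios, judged against a defined level of acceptable risk and measurable targets. The following script is an added illustration of that workflow, not the authors' own method or data: it assumes a simple annualized model (expected loss = annual probability times monetized consequence), a per-scenario tolerance threshold, and a greedy ranking of mitigations by expected-loss reduction per unit of capex. Every scenario, probability, consequence and mitigation factor below is constructed for the example.

```python
"""Convergent, quantitative risk register with prioritized mitigation.

Added illustration, not the paper's own method or data. Assumes:
  expected loss = annual probability * monetized consequence,
  a corporate tolerance threshold per scenario, and
  mitigations ranked by expected-loss reduction per capex unit.
All values below are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual probability of the scenario occurring (0..1)
    consequence: float   # monetized consequence if it occurs (currency units)

    @property
    def expected_loss(self) -> float:
        return self.probability * self.consequence


@dataclass(frozen=True)
class Mitigation:
    name: str
    risk: str            # name of the Risk it acts on
    capex: float
    prob_factor: float   # residual probability multiplier after mitigation (0..1)
    cons_factor: float   # residual consequence multiplier after mitigation (0..1)


# Constructed portfolio mixing cyber and physical scenarios across functions
# (production, IT, environment, logistics): the convergent view keeps them in
# one register instead of one register per silo.
REGISTER = [
    Risk("OT intrusion halts processing plant", 0.05, 20_000_000),
    Risk("Ransomware on corporate ERP", 0.20, 2_000_000),
    Risk("Tailings pipeline rupture", 0.02, 30_000_000),
    Risk("Haul truck collision", 0.10, 500_000),
]

MITIGATIONS = [
    Mitigation("OT network segmentation", "OT intrusion halts processing plant", 800_000, 0.2, 1.0),
    Mitigation("Offline backups and IR retainer", "Ransomware on corporate ERP", 150_000, 1.0, 0.25),
    Mitigation("Pipeline leak detection", "Tailings pipeline rupture", 500_000, 1.0, 0.4),
    Mitigation("Collision avoidance system", "Haul truck collision", 300_000, 0.3, 1.0),
    Mitigation("Security awareness training", "Ransomware on corporate ERP", 40_000, 0.6, 1.0),
]

TOLERANCE = 100_000   # maximum acceptable expected loss per scenario per year (assumed)


def mitigated(risk: Risk, m: Mitigation) -> Risk:
    """Residual risk after applying one mitigation."""
    return replace(risk,
                   probability=risk.probability * m.prob_factor,
                   consequence=risk.consequence * m.cons_factor)


def reduction(risk: Risk, m: Mitigation) -> float:
    """Expected-loss reduction a mitigation buys against the baseline risk."""
    return risk.expected_loss - mitigated(risk, m).expected_loss


def above_tolerance(register, tolerance=TOLERANCE):
    """Names of scenarios whose expected loss exceeds the acceptable level."""
    return [r.name for r in register if r.expected_loss > tolerance]


def prioritize(register, mitigations, budget):
    """Greedy selection: best reduction per capex unit first, until budget is spent."""
    by_name = {r.name: r for r in register}
    ranked = sorted(mitigations,
                    key=lambda m: reduction(by_name[m.risk], m) / m.capex,
                    reverse=True)
    chosen, spent = [], 0.0
    for m in ranked:
        if spent + m.capex <= budget:
            chosen.append(m)
            spent += m.capex
    return chosen, spent


def apply_all(register, chosen):
    """Residual register; several mitigations on one risk combine multiplicatively."""
    result = []
    for r in register:
        residual = r
        for m in chosen:
            if m.risk == r.name:
                residual = mitigated(residual, m)
        result.append(residual)
    return result


def total_expected_loss(register) -> float:
    return sum(r.expected_loss for r in register)


if __name__ == "__main__":
    chosen, spent = prioritize(REGISTER, MITIGATIONS, budget=1_000_000)
    residual = apply_all(REGISTER, chosen)
    print("Above tolerance before:", above_tolerance(REGISTER))
    for m in chosen:
        print(f"  fund: {m.name} ({m.capex:,.0f})")
    print(f"Spent {spent:,.0f}; portfolio expected loss "
          f"{total_expected_loss(REGISTER):,.0f} -> {total_expected_loss(residual):,.0f}")
    print("Still above tolerance:", above_tolerance(residual))
```

The residual check at the end is the measurable performance target the abstract calls for: the run shows which scenarios remain above tolerance after the budgeted mitigations, so the next capex round can be argued from the register rather than from a vendor's pitch. The greedy ranking is a deliberate simplification; mitigations that act on the same scenario are scored against the baseline independently, which overstates the second one's value slightly.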