User:V.E Toms/sandbox

Digital Value at Risk (dVaR)
The digital Value at Risk (dVaR) formula measures and quantifies the level of Cyber Security Compliance & Risk of a company, portfolio or position during a specific time frame, based on public information. The methodology is based on various internationally accepted (cyber security) risk, control & assurance frameworks. The measurements give insight into how an entity manages & controls cyber risks (Cyber Governance). Each risk domain has different key indicators that produce a rating for that domain, and the domain ratings in aggregate result in a final score.

dVaR formula
Mitigating cyber risks effectively depends not solely on the technical environment but also on the organization's risk attitude and control environment. The inherent risk of the company and/or the industry in which it operates also makes it more or less profitable for cyber criminals to target a specific company. The dVaR formula integrates these risk factors:  dVaR = IR × ICR × DCR × OR


 * IR - the Inherent Risk is the probability that an entity is digitally attacked by cyber criminals, assuming there are no related controls
 * ICR - the Internal Control Risk is the risk that a digital vulnerability, either individually or when aggregated with other vulnerabilities, will not be prevented, detected and corrected by the entity
 * DCR - the Detection Control Risk is the risk that the entity will not detect a criminal activity and/or exploit on e.g. a network, system or application
 * OR - the Opportunity Risk is the possibility that anyone who has an internet connection can "hack" a system

Measurement: Risk Domains & Key Controls
The most important indicators for measuring the dVaR of a company are grouped in 6 risk domains:


 * 1) Business Risk & Cyber Dependency
 * 2) Cyber Governance & Culture
 * 3) Internal controls
 * 4) Detection controls
 * 5) Technical Compliancy
 * 6) Trends & Opportunity Attack

Each risk domain has different key indicators that, in combination, result in a final score. The business risk & dependency category provides insight into the company's cyber dependency (for example, how reliant its manufacturing processes and sales are on being 'online') and also into the total investment made in securing these activities. The tests in categories 2, 3 and 4 provide insight into the cyber risk attitude and control environment of a company. The conformity of the technical environment with international Internet and security standards is tested in category 5. The last category is based on recent attack trends and discovered (new) digital vulnerabilities.