cyber resilience framework
Threatonomics

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

Focusing on what you stand to lose drives everything in managing cyber risk.

by Rob Brown , Sr Director of Cyber Resilience
Published

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the world

So, what are we doing wrong?

While controls and audit-based approaches have moved the needle forward, even large corporations struggle to manage the complexities of cyber, especially at a time when highly motivated adversaries, complex digital supply chains, and new advances in AI can challenge even the most well-resourced security program.

If forecasts for cyber risk are accurate, losses will continue to grow as digital transformation initiatives also grow. A grounded approach to security should anticipate and prepare for limiting losses, not trying to stop them completely. This means identifying plausible loss scenarios that could impact the company’s ability to deliver value and then focusing security investments on reducing the probability of these kinds of incidents. This is how organizations identify their tolerance for loss, which is a core foundation of a risk-focused approach. 

A Risk-Focused Approach in Action: MGM and Caesars 

Rather than focusing on the total implementation of a framework or control set, organizations must focus on what is required to continually deliver value to their clients without interruption. This approach is risk-focused rather than controls first and is fundamental to the value-driven risk management strategy that we call Cyber Resilience. 

Cyber Resilience tolerates losses – within limits

This is different from implicit security principles, which seek loss elimination as an end goal. A value-driven risk management strategy requires the CFO, CRO, and CISO to determine what the business can stand to lose. When Caesars Entertainment experienced a data breach in the Fall of 2023, threat actors compromised the personal identifying information of an unknown number of rewards program members. The hackers allegedly demanded a $30 million ransom, of which Caesars purportedly paid half. 

As a counterpart, MGM Resorts was hit with a subsequent data breach and opted not to make a ransom payment. The result was an attack that shut down all of the systems at a dozen of Las Vegas’ most prominent casinos for ten days, with issues including cash-only transactions, downed ATMs and gaming machines, digital key cards not working, and more. To resolve the incident, MGM spent around $10 million on legal and consulting services. However, the impact on their business while the attack persisted led to a $100 million loss in third-quarter revenue.

Both organizations took a risk-focused approach to managing the incident– they looked at their value at risk and leveraged the decision to pay as a business decision that would impact their ability to deliver value. While it is impossible to know what was going through MGM and Caesar’s business leaders’ minds during the incident, they were almost undoubtedly making quick calculations to quantify their value-at-risk, the cost-benefit of paying vs. not paying a ransom, and which scenario fell within their risk tolerance. 

Two Approaches to Risk-Focused Incident Response 

It must be noted that no ransom event is the same: Caesars was notified of ransom demands earlier in the incident cycle than MGM, which most likely influenced MGM’s decision to withhold payment. However, for this exercise, reviewing the fundamental differences between their incident response tactics can teach the general cyber community a lot about calculating, managing, and anticipating losses to their organization’s overall risk surface. 

Caesars opted to pay the ransom after negotiation. They likely calculated the business impact of a downed system and determined that paying a portion of the ransom would lead to the least amount of losses. In this case, they were fortunate; their customer-facing systems were not impacted, and client data was not leaked online

MGM took a different approach and resisted ransom payment. As a result, their third-quarter finances took a considerable blow. However, with a total revenue of $15.38 billion, $100 million in loss is a drop in the bucket. This amount was probably within their loss tolerance, and the choice not to pay the ransom likely stemmed from confidence in their incident response capabilities, an understanding of their value at risk, and a risk-focused approach to loss that anticipated an incident like this. 

Neither reaction– making the ransom payment or resisting– is wrong. Caesars knew that they could reduce business interruption and avoid further losses by making the ransom payment. They calculated the cost of their risk surface and acted to minimize financial loss. MGM did the same; they determined their bottom-line could handle the cost of business interruption and leaned on their investments in cybersecurity to regain operationality. Both organizations determined how much loss they could accept, and proceeded to make decisions based on that calculation. 

A Cyber Resilient Objective 

While calculating how much loss you can accept may feel counterintuitive to the objective of resilience, it is critical for organizations to understand what they can afford to lose. Most cyber incidents cost something, and whether that is paid in the form of incident response, a ransom, business interruption, or reputational damage, the true and probable costs of cyber risk must be anticipated. 

A grounded approach to security should expect and plan for reducing losses, not trying to stop them completely.  This means identifying plausible losses that will severely impact a company’s ability to deliver value to its clients and then focusing on reducing the probability of incidents that can cause them. This focus on being resilient to material losses– instead of any loss– is the core objective of Cyber Resilience.

About the Author
Rob Brown , Sr Director of Cyber Resilience

Robert has over 25 years of experience in strategic planning and advising, working across startups, government agencies, and Fortune 100 companies. One of the masterminds behind our popular cyber risk quantification (CRQ) training series, Rob spent the last 25 years as a decision scientist and strategic consultant assessing value and risk tradeoffs for complex projects in oil and gas, manufacturing, homeland security, pharmaceuticals, asset allocation, and more. He is the author of Business Case Analysis with R - Simulation Tutorials to Support Complex Business Decisions (Springer-Nature, 2018).

You might also like

The healthcare cybersecurity crisis that’s costing organizations millions in damages

The U.S. healthcare sector faces an unprecedented cybersecurity crisis. With 168 million healthcare records breached in 2023 and ransomware attacks surging 32% in 2024, the industry confronts threats that have evolved beyond data theft to sophisticated campaigns capable of paralyzing critical patient care infrastructure. Despite these trends, cybersecurity often receives insufficient leadership attention. A 2025 […]

Your cyber insurance policy could be a target

Organizations invest heavily in cyber insurance policies to shield their businesses from evolving threats, but many overlook a critical vulnerability: the security of the insurance policy documents themselves. While these policies are designed to protect you from cyber threats, they can become powerful weapons when they fall into the wrong hands. Over the past year, […]

A complete guide to domain spoofing

Domain spoofing is a cyberattack technique most commonly used in phishing and fraud, where criminals impersonate a legitimate organization’s domain name to deceive users. Think of it as digital identity theft at scale: Attackers make fraudulent emails or websites appear as if they originate from your trusted company domain, tricking victims into revealing sensitive data, […]

The 3 types of CISOs: How to succeed in any version – and what to do when you’re misaligned

As the CISO, are you and your organization in alignment? The CISO role has evolved dramatically over the past decade, but organizational cybersecurity programs have not always kept pace.  If you think about CISOs like software versions, version 1.0 is your first generation of CISOs, focused on structure and technical architecture. Version 2.0 moves beyond […]

The Security Squeeze

One of the most important features of the Resilience SaaS platform is our Quantified Cyber Action Plan. It supports CISOs making decisions under risk and uncertainty by providing a prioritization for which cyber controls should be implemented, based on their ROI. The power of this approach lies in the fact that it guides the most […]

How Scattered Spider’s vertical-focused strategy creates industry-wide security emergencies

This post is based on a threat intelligence report by Resilience Director of Threat Intelligence Andrew Bayers. Scattered Spider has emerged as a sophisticated threat actor whose advanced social engineering tactics blur the lines between common cybercrime and nation-state tradecraft. Their tendency to tackle specific verticals at a time – as they did in the […]