cyber resilience framework
Threatonomics

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

Focusing on what you stand to lose drives everything in managing cyber risk.

by Rob Brown , Sr Director of Cyber Resilience
Published

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the world

So, what are we doing wrong?

While controls and audit-based approaches have moved the needle forward, even large corporations struggle to manage the complexities of cyber, especially at a time when highly motivated adversaries, complex digital supply chains, and new advances in AI can challenge even the most well-resourced security program.

If forecasts for cyber risk are accurate, losses will continue to grow as digital transformation initiatives also grow. A grounded approach to security should anticipate and prepare for limiting losses, not trying to stop them completely. This means identifying plausible loss scenarios that could impact the company’s ability to deliver value and then focusing security investments on reducing the probability of these kinds of incidents. This is how organizations identify their tolerance for loss, which is a core foundation of a risk-focused approach. 

A Risk-Focused Approach in Action: MGM and Caesars 

Rather than focusing on the total implementation of a framework or control set, organizations must focus on what is required to continually deliver value to their clients without interruption. This approach is risk-focused rather than controls first and is fundamental to the value-driven risk management strategy that we call Cyber Resilience. 

Cyber Resilience tolerates losses – within limits

This is different from implicit security principles, which seek loss elimination as an end goal. A value-driven risk management strategy requires the CFO, CRO, and CISO to determine what the business can stand to lose. When Caesars Entertainment experienced a data breach in the Fall of 2023, threat actors compromised the personal identifying information of an unknown number of rewards program members. The hackers allegedly demanded a $30 million ransom, of which Caesars purportedly paid half. 

As a counterpart, MGM Resorts was hit with a subsequent data breach and opted not to make a ransom payment. The result was an attack that shut down all of the systems at a dozen of Las Vegas’ most prominent casinos for ten days, with issues including cash-only transactions, downed ATMs and gaming machines, digital key cards not working, and more. To resolve the incident, MGM spent around $10 million on legal and consulting services. However, the impact on their business while the attack persisted led to a $100 million loss in third-quarter revenue.

Both organizations took a risk-focused approach to managing the incident– they looked at their value at risk and leveraged the decision to pay as a business decision that would impact their ability to deliver value. While it is impossible to know what was going through MGM and Caesar’s business leaders’ minds during the incident, they were almost undoubtedly making quick calculations to quantify their value-at-risk, the cost-benefit of paying vs. not paying a ransom, and which scenario fell within their risk tolerance. 

Two Approaches to Risk-Focused Incident Response 

It must be noted that no ransom event is the same: Caesars was notified of ransom demands earlier in the incident cycle than MGM, which most likely influenced MGM’s decision to withhold payment. However, for this exercise, reviewing the fundamental differences between their incident response tactics can teach the general cyber community a lot about calculating, managing, and anticipating losses to their organization’s overall risk surface. 

Caesars opted to pay the ransom after negotiation. They likely calculated the business impact of a downed system and determined that paying a portion of the ransom would lead to the least amount of losses. In this case, they were fortunate; their customer-facing systems were not impacted, and client data was not leaked online

MGM took a different approach and resisted ransom payment. As a result, their third-quarter finances took a considerable blow. However, with a total revenue of $15.38 billion, $100 million in loss is a drop in the bucket. This amount was probably within their loss tolerance, and the choice not to pay the ransom likely stemmed from confidence in their incident response capabilities, an understanding of their value at risk, and a risk-focused approach to loss that anticipated an incident like this. 

Neither reaction– making the ransom payment or resisting– is wrong. Caesars knew that they could reduce business interruption and avoid further losses by making the ransom payment. They calculated the cost of their risk surface and acted to minimize financial loss. MGM did the same; they determined their bottom-line could handle the cost of business interruption and leaned on their investments in cybersecurity to regain operationality. Both organizations determined how much loss they could accept, and proceeded to make decisions based on that calculation. 

A Cyber Resilient Objective 

While calculating how much loss you can accept may feel counterintuitive to the objective of resilience, it is critical for organizations to understand what they can afford to lose. Most cyber incidents cost something, and whether that is paid in the form of incident response, a ransom, business interruption, or reputational damage, the true and probable costs of cyber risk must be anticipated. 

A grounded approach to security should expect and plan for reducing losses, not trying to stop them completely.  This means identifying plausible losses that will severely impact a company’s ability to deliver value to its clients and then focusing on reducing the probability of incidents that can cause them. This focus on being resilient to material losses– instead of any loss– is the core objective of Cyber Resilience.

About the Author
Rob Brown , Sr Director of Cyber Resilience

Robert has over 25 years of experience in strategic planning and advising, working across startups, government agencies, and Fortune 100 companies. One of the masterminds behind our popular cyber risk quantification (CRQ) training series, Rob spent the last 25 years as a decision scientist and strategic consultant assessing value and risk tradeoffs for complex projects in oil and gas, manufacturing, homeland security, pharmaceuticals, asset allocation, and more. He is the author of Business Case Analysis with R - Simulation Tutorials to Support Complex Business Decisions (Springer-Nature, 2018).

You might also like

Why your CFO expects your CISO to measure risk buydown

The CISO walks into the CFO’s office with a carefully prepared pitch. “We need a $500,000 EDR solution,” she says, presenting vendor comparisons and threat intelligence reports. The CFO nods politely and asks one question: “What’s the return on that investment?” The meeting goes sideways from there. The CISO talks about improved threat detection and […]

OpenClaw went viral. So did its security vulnerabilities.

Personal AI agents promise to streamline workflows and automate routine tasks, but a series of recent security incidents has exposed a critical vulnerability in how these tools acquire new capabilities. The findings reveal that threat actors are exploiting the same supply chain tactics that have compromised traditional software ecosystems, while platform security failures are exposing […]

Killing legacy systems might be your smartest financial move 

Every CISO has that one system. Maybe it’s running on Windows Server 2008. Maybe it’s the manufacturing control system that predates your current CEO. Maybe it’s the ancient database that three different business-critical applications depend on, maintained by one person who’s been threatening to retire for five years. You know these systems are problems. Your […]

What your CFO actually cares about (and how to speak their language)

You walk into your CFO’s office with a carefully prepared business case for a critical security investment. The risk assessment is complete, the vulnerabilities are documented, and you’re ready to make your argument. But the moment you mention “attack surface” or “zero-day vulnerabilities,” you can see their attention drift. The issue isn’t that your CFO […]

Risk Briefing: Cyber extortion has fundamentally changed

On January 14, 2026, Resilience launched its inaugural Risk Briefing Series with a clear message for CISOs: the cyber extortion playbook has been rewritten, and organizations relying on traditional defenses are dangerously exposed. In the first session of this monthly intelligence series, Jud Dressler, Director of Resilience’s Risk Operations Center and retired U.S. Air Force […]

The 65% shift that proves ransomware as we know it is dead

The cybersecurity industry has a terminology problem. We’re still calling it “ransomware” when the majority of attacks no longer encrypt and request a ransom for decryption as their primary weapon. Resilience’s analysis of cyber extortion claims in our portfolio throughout 2025 reveals a dramatic acceleration in attack methods. Data theft extortion-only events rose from 49% […]