Today, mitigating cyber risk presents many challenges. The two major ones are a lack of understanding of the full dimensions of the risk and a lack of appreciation of its full scope by individual stakeholders coming from a single discipline, such as computer science or law. The solution lies in coordinated effort. A beginning can be made by understanding the risk through a multidisciplinary approach.
Cyber security is anything but new to the readers of CIO&Leader. It has long been a major agenda item for CIOs and, later, for the specialized managers called Chief Information Security Officers (CISOs).
While CIOs and CISOs have long fought the cyber security battle, it is only recently that top management and boards have become willing partners, with the clear expectation that it is the CIOs and CISOs who will manage the challenge.
Research published in September 2018 by the insurance broking and risk management company Marsh and the IT major Microsoft found that as many as 77% of respondents (all CXOs) from companies with more than USD 5 billion in revenue said the IT department is the primary owner and decision maker for cyber risk management in their organization. For companies with between USD 1 billion and USD 5 billion in revenue, that number was significantly higher at 83%.
Unlike in many other new technology intervention areas, such as digitalization and data, non-tech business executives are not invading the cyber security arena. This is because of the highly specialized nature of the area (within IT, it is the one area in which professionals look for growth as specialists), not because it is any less important a thrust area.
The above-mentioned research, titled the Marsh-Microsoft Cyber Perception Survey, finds that nearly two-thirds of survey respondents see cyber risk as being among their organization’s top five risk management priorities. That is roughly double the percentage who rated cyber that high in a survey Marsh conducted in 2016. Of the companies the research covered, 56% ranked cyber security risks among their top five risks, and a small but significant number, 6% of all companies, ranked it as the biggest risk.
No wonder, then, that they have started quantifying the financial cost of major cyber incidents. Among the USD 1 billion-plus companies, as many as 42% estimate the worst potential financial loss from an incident to be more than USD 50 million, and two-thirds of those estimate the loss to be more than USD 100 million.
A new Aon report puts a number on the magnitude of the aggregate losses. It estimates that annual global cyber losses will hit USD 6 trillion by 2021, with cybersecurity spending projected to exceed a total of USD 1 trillion for the five years leading up to 2021.
The report, Prepare for the unexpected: Safeguarding value in the era of cyber risk, notes that while the immediate costs of a cyberattack can be significant, damages to a business’s reputation could cost just as much or even more in the long term.
According to research published in June this year by ESI ThoughtLab, average annual losses from cyberattacks grew to USD 4.7 million last year, with more than one in 10 companies losing more than USD 10 million. That amount equates to an average of 0.114% of revenue across all firms surveyed.
Cyber Risk: Beyond Corporates
While businesses are increasingly seeing cyber risk as a major risk, its impact is now seen beyond the profit and loss statements of corporations.
The annual Global Risk Report (GRR) of Geneva-based global think tank, the World Economic Forum (WEF), based on its Global Risk Perception Survey, is arguably the most important current risk assessment statement at a global level. This report hugely influences the risk planning strategy of global businesses, financial institutions and world governments.
In this year’s GRR, two cyber security risks—data fraud/theft and cyberattacks—were identified as two of the five most likely risks for 2019, next only to extreme weather events, failure of climate change mitigation and adaptation, and natural disasters—and ahead of such risks as man-made environmental disasters, large-scale involuntary migration, biodiversity loss and ecosystem collapse, water crises and asset bubbles in a major economy.
The WEF GRR also ranks the risks in terms of impact. Cyberattacks were ranked as the seventh most impactful risk, along with such risks as weapons of mass destruction, extreme weather events, future of climate change mitigation & adaptation, and natural disasters.
According to the GRR 2019, a large majority of respondents expected increased risks in 2019 of cyberattacks leading to theft of money and data (82%) and disruption of operations (80%). Around two-thirds of respondents expect the risks associated with fake news and identity theft to increase in 2019, while three-fifths said the same about loss of privacy to companies and governments.
The 2019 report is not an isolated example of a GRR counting cyber risks among the top global risks. The likelihood of cyber risks has consistently gone up in the WEF annual surveys. In 2015, data fraud ranked as the 9th most likely global risk in that year’s GRR; it has risen steadily to rank as the 4th most likely this year. Similarly, just three years back, in 2016, cyberattacks were seen as the 11th most likely risk; today they are ranked the fifth most likely. In short, the high likelihood attached to cyber risks is not an accidental one-off phenomenon; their rise as a global risk has been gradual and consistent.
Towards a multi-disciplinary approach
So far, the cyber risk agenda has been tackled at two levels.
At the technical level, it has been handled by information security professionals, including but not restricted to enterprise information security professionals. There have been important collaborative efforts and research initiated by technical bodies, such as ISSA (Information Systems Security Association), the Information Security Forum, the Internet Security Alliance, ISACA (Information Systems Audit and Control Association), ISRA (Information Security Research Association) and CSA (Cloud Security Alliance). They have largely focused on technical aspects and the direct impact of cyber security threats and breaches.
At the national level, the national Computer Emergency Response Teams (CERTs) have collaborated with the large corporates to fight cyber risks to some extent.
But by and large, managing cyber risk has remained restricted to technology professionals and some risk professionals, rarely, if at all, going beyond these two sets of professionals.
But the growing magnitude of the risk—evident from WEF’s ranking of the risk among the top five—has made businesses and policymakers take it far more seriously. And when there is a new risk, can insurers be far behind?
Global insurers have also thrown their weight behind research, strategy and mitigation of cyber risk. Academicians have begun to explore it as a serious subject, seeking to understand the various dimensions of the issue.
Certain concrete steps in recent times make one hopeful that the global community now intends to act.
A Research Agenda
The Workshop on the Economics of Information Security (WEIS), a leading forum for interdisciplinary scholarship on information security and privacy, in its 2019 edition, held in June, looked at cyber risk and cyber insurance in a comprehensive manner to understand the avenues and thrust of future research on cyber risk.
Prior workshops of WEIS have explored the role of incentives between attackers and defenders of information systems, identified market failures surrounding Internet security, quantified risks of personal data disclosure, examined decision-making surrounding information security, and assessed investments in cyber-defense.
But this is the first time that they have tried to take a complete view of cyber risk.
In a collaborative paper, titled A Research Agenda for Cyber Risk and Cyber Insurance, as many as 19 leading experts from the area—among them academicians, insurers, industry associations and financiers—presented a research agenda for cyber risk and cyber insurance, taking into account the multi-disciplinary nature of cyber risk. They proposed what they called ‘a cyber risk unified concept model’ that:
- identifies where each of the disciplines can add value
- outlines collaboration opportunities across the major research questions
- breaks major research questions down into manageable projects and tactical questions that need to be addressed.
Rather than a definitive, authoritative framework for addressing cyber risk, the experts present this as a starting point for further research and collaboration. Researchers can take up their own research questions in their discipline, but can look to the unified concept model to find effective collaboration opportunities with other disciplines.
While the group has dealt with individual disciplines and the questions therein, its major contribution seems to lie in recognizing the multidisciplinary nature of cyber risk and presenting a unifying model for researchers to collaborate on in future.
Today, not only is the research fragmented, but every discipline believes that it has the ability to comprehensively address ‘cyber risk’ on its own, a classic case of the blind men and the elephant applied to this complex and serious risk.
“This is a function of the relatively narrow view each field has regarding the definition of the cyber risk problem set. For example, our statistician colleagues defined cyber risk as the study of modeling the likelihood of an attack, while political scientists defined it as the study of international security in the context of digital threats,” the group writes in the introduction to the agenda.
Explaining the basic premise of their work, the experts say that while each discipline’s view is valid, these views must be contextualized within a bigger vision so that cyber risk can be systematically addressed as a research area in its own right.
“The goal of this agenda is not to define cyber risk but to illustrate the need for a broad definition and multi-disciplinary, collaborative approach to address cyber risk as a research field,” the experts clarify.
The most important contribution of the agenda is a unified concept model that poses six broad questions on cyber risk and maps them onto eight identified disciplines that can contribute to the research of cyber risk.
These big questions are nothing but a variation of the standard five risk management process steps:
- Identify the risk
- Analyze the risk
- Evaluate or rank the risk
- Treat the risk
- Monitor and review the risk
The derived big questions are:
- What constitutes cyber risk?
- How should we measure cyber risks?
- Are there cyber risks that can be avoided?
- What are the opportunities to reduce cyber risk?
- How can cyber risk be best transferred to other parties?
- How can residual cyber risk be managed and monitored?
For each listed question, the model identifies the relevant disciplines within whose scope the question falls and which can be involved in exploring answers to it.
The disciplines are:
- Data Science
- Behavioral Science
- Computer Science
- Management Science
- Political Science
The Cyber Risk Unified Concept Model
The Questions & Approaches
What constitutes cyber risk?
The definition of cyber risk varies depending on what is at stake, the nature of the threat and who is defining it. While some use the term as a synonym for an intentional cyberattack, many also use it for any loss due to unintentional damage, such as downtime, accidental data loss, etc. In the WEF’s list, for example, there are four risks that relate to technology: the breakdown of critical information infrastructure, adverse consequences of technological advancements, cyberattacks and data theft/fraud. Most cyber security professionals would consider only the last two as part of their addressable domain, whereas the first two, especially the adverse consequences of technological advancements, are increasingly becoming huge risks.
From a cyber insurance point of view, the nature of the risk creates multiple problems. Unlike, say, a car accident or an earthquake, a cyberattack can last for a much longer period, and its assessment can also take much longer. For example, a small data loss to attackers could be far more dangerous if that data is used in a manner that harms the business; a bigger loss, where the data is not used by anyone to harm the business, is much less damaging. The challenge is that this is often not known until the harm actually materialises, or even later.
The agenda lists two tactical questions:
- What are the different types of cyber events (distinguished by actor, impact, target precision and intent)?
- What are relevant trends with respect to the different types of cyber events?
How should we measure cyber risk and its associated direct and indirect costs?
While most research focuses on the direct costs – loss of money, loss of business due to downtime, regulatory fines or loss of business due to customers turning away – or at best reputational loss to organizations, many indirect costs, such as the loss of convenience or the loss due to non-deployment of advanced technologies because of security concerns, are not measured. That is because traditionally security, not risk, has been the point of reference.
Notes the agenda, “Current models fail to capture the considerable interdependencies across digitally enabled systems and their respective industries. The failure or compromise of a single digital system could cause cascading failures and exponential repercussions. This complicates the calculus of an organization’s cyber risk. It is unclear where the line should be drawn about where one organization’s cyber risk ends and another’s begins.”
The agenda lists a number of tactical questions:
- What types of forward-looking accumulation scenarios are conceivable (e.g., (i) one attacker exploits common hardware vulnerabilities, common software vulnerabilities, common procedural design flaws or common human behaviors; (ii) one successful attack on a single company has a ripple effect on many companies and industries; (iii) orchestrated multiple attacks, similar to 9/11)?
- How likely are the accumulation scenarios? What is the severity?
- What are the potential interconnections (within/across entities; within/across industries)?
- What economic theories can be transferred to analyze cyber risks, and which ones are not transferable?
- What data is needed to reliably assess the performance of a cyber economic model? For example, independent realizations of risk on networks (i.e., many independent networks of comparable type).
- How can cyber risk across interdependent industries be normalized such that we can compare risks across industry?
- How can digital interdependencies be measured?
- How and to what extent, if any, can cyber events be accurately modeled and ultimately predicted considering past attacks are not necessarily indicative of future ones?
- Under what circumstances, if any, are degrees of modeling and prediction possible?
Can cyber risks be avoided?
The Holy Grail of corporate information security departments—as opposed to risk functions—is avoiding cyber risks, in whatever narrow way they define them. Traditionally, the approach has been to ‘secure’ the system, combined with simply avoiding the use of digital interconnecting technology wherever possible, as defense and nuclear establishments do. Increasingly, the approach is shifting to building security in at the time of system design, popularly called ‘security first’.
Avoiding digital interconnected technologies is not really possible in most areas where external users, such as consumers and partners, use the system.
The agenda lists four tactical questions:
- What is the utility curve for digital assets when compared with their security tradeoffs?
- What stakeholders need to be involved in decisions regarding averting cyber risk?
- What new security-by-design principles can be employed?
- How can accumulation risk be averted?
What are the opportunities to reduce cyber risk?
Risk mitigation is not always a black-and-white proposition. As organizations realize that they cannot avoid all the risks all the time, they prioritize risks based on multiple considerations: the cost of failure; tradeoffs with other attributes, such as customer convenience and technology usage; individuals’ privacy, the requirements for which are becoming more stringent through new regulations; and the availability of resources.
With digitalization, almost everything, from a manufacturing plant to a transportation system, is vulnerable to threats. That has given rise to critical infrastructure protection, which is pursued at the organizational level as well as at the national level. In fact, the approach that an organization, an industry or a nation takes has huge implications for cyber insurance.
Needless to say, all security certifications, accreditations and governance today are but a manifestation of this risk reduction strategy.
The agenda lists a number of tactical questions:
- How can specific risk related to confidentiality, integrity and availability be reduced? How can the "right" human behavior be achieved?
- Which mitigation efforts make sense based on a cost/benefit analysis?
- Who should be responsible for mitigation?
- Which industries care most about preserving: A) Confidentiality, B) Possession or Control, C) Integrity, D) Authenticity, E) Availability, and F) Utility?
- Which industries have good cyber hygiene? How is this related to (or caused by) the type of business, market structure and the regulatory environment? How can this be assessed and monitored?
- What are approaches to determining prioritized assets?
- What data should be used to prioritize assets?
- How do risk assessment tools account for prioritized assets?
- How are shared assets or third-party assets accounted for in prioritizing risk?
- How should cyber policy be enforced?
- Should insurers take on the role of a cyber security standard enforcer?
- Should hardware and software producers be made liable for the cyber risk of their products?
- Should providers of cyber security services be held liable for the quality of their services?
- What other cyber risk practices should be mandatory?
- What would cyber data collection standards look like that can facilitate risk analysis for various purposes (operational risk, insurance underwriting, evaluating impact of cyber hygiene, etc.)?
- What disclosure considerations should be taken into account when sharing anonymized cyber event data?
- Can we build “best practices” to handle companies’ cyber risk?
- What would be the role of compliance and regulation, and is there a chance for a global alliance?
- What are capital requirements to finance cyber risk?
- What are response and recovery plans?
- What kind of scenario training can be conducted to manage cyber loss events?
- What factors need to be considered for enumerating long-term cyber event consequences?
How can cyber risk be best transferred to other parties?
A major problematic aspect of cyber risk is accountability and responsibility.
“After each cyber event, fingers are pointed within an organization. More often than not, the CISO and/or the CIO take the blame for a cyber event. However, other times a system admin is blamed. In rare cases, where a major cybersecurity breach occurs, the CEO or the board of directors are held responsible for a breach. Ownership of cyber risk within an organization is generally unclear – even if there is a CISO or CIO that is supposed to manage information security. Because cyber risk is a key part of an organization’s overall business risk, cyber responsibility should be distributed across the organization. On a micro level, questions about the role of a CISO, where a CISO should sit in an organization and the extent of responsibility a CISO has are important to understanding an organization’s cyber risk,” explains the agenda document.
But there is also opportunity to transfer cyber risk beyond organizational boundaries – that is to insurers. “Today there are clear gaps in understanding how to accurately price the forward-looking cyber risk for a specific organization,” says the agenda.
There are even bigger gaps in understanding how cyber risks can accumulate across sectors and interdependent assets. This has inhibited the insurance industry from assuming more of this risk. As insurers and reinsurers become more confident in the extent of these risks, insurance can become a greater force in helping organizations transfer cyber risk, the agenda notes.
The agenda presents six tactical questions in this area:
- How and when should cyber risk be transferred to insurance, capital markets or governments?
- Which risk transfer efforts make sense based on a cost/benefit analysis?
- Should cyber exposures be covered by specific cyber insurance policies?
- Where in an organization should cyber risk responsibility, accountability and liability fall?
- How should an act of war be defined for cyber?
- What if there is a string of attacks that together constitute cyberwar, but separately just seem like one-off attacks?
- How and to what extent is it feasible for insurers to provide insurance coverage for certain cyberwar scenarios?
How can residual cyber risk be managed and monitored?
One of the small but crucial questions is how residual cyber risk can be managed. Regardless of all prevention measures, organizations will still experience cyber events. Responding to residual cyber risk is as important as preventing the risk.
Very often, security practitioners’ definition of ‘response’ includes only the technical response: isolating other components in the system and, at best, reporting the event to the authorities concerned.
But this does not address areas like employee, customer and investor anxiety, long-term reputational loss and the like. These require different types of communication in the aftermath of the event, analysis and modification of security policies, etc. Many organizations discuss the issue in an almost white-paper-like manner in their quarterly and annual communication with investors as well as with customers, especially where it concerns customers’ data, such as in B2C companies, outsourcing firms, consulting and law firms.
“One major residual risk issue organizations are struggling with is understanding how reputational damages manifest over time after a cyber event. While the stock price implications of a cyber event have been documented thoroughly, reputational damages long-term are less understood, which can have indirect impacts on business performance,” the agenda notes.
Executives need a clearer understanding of how much residual risk will cost and how to account for this in fiscal planning. Each of these areas can be unpacked yielding many interesting projects that can span across disciplines, the agenda notes.
The related tactical questions that the agenda lists are:
- What are capital requirements to handle residual risk?
- What are potential recovery plans?
- What kind of scenario training can be conducted to manage residual risk?
- What factors need to be considered for enumerating long-term cyber event consequences?
In conclusion, one message comes through loud and clear. Effective cyber risk management is beyond the capability and scope of any one discipline. While law, IT, data science and management science have taken the lead, the approach remains quite uncoordinated. Other disciplines need to be brought in more effectively.