Solving Cyber Risk
One of the greatest risks of failing to address cyber threats is that people will turn away from the very technologies that could produce rapid productivity gains over the next few years, according to the new book Solving Cyber Risk: Protecting Your Company and Society.
Looking ahead, there are slim prospects that government action will address the predicament highlighted by Equifax. Legislation and regulation can hardly keep up with constantly and rapidly evolving information and communications technologies and cyber threats. Tailoring them to the unique circumstances and risks facing different industries and individual corporations is challenging. More fundamentally, a governmental solution to the cyber risk gap would require the will to intervene in the marketplace more assertively and to assume greater responsibility for cyber risks. In doing so, governments inevitably risk creating a moral hazard by inducing complacency in the private sector while assuming onerous obligations to defend it. Ultimately, closing the gap thus requires tapping sophisticated market forces and stakeholders.
Additionally, governments can make an important contribution to the private sector through a range of actions: improving information sharing on threats; providing certification and accreditation of a professional cadre to hunt cyber threats; and laying out criteria, standards and incentives for adopting and properly implementing better cybersecurity practices. Through education and training they can also greatly expand the pool of expertise required for each of these functions.
Leave nothing to chance when pursuing a merger, acquisition or divestment. Pre-deal, cyber security due diligence is essential. Without it, a company may unintentionally inherit cyber risks and vulnerabilities.
Organizations commonly hold false confidence in the security of retirement plans. Given the amount of data and money at stake, it is imperative to see the whole cyber picture and understand the organization's fiduciary responsibility.
Internet-enabled theft, fraud and exploitation were responsible for $2.7 billion in financial losses in 2018. For companies that work with suppliers and vendors, business email compromise is a serious risk. Solving the computer crime puzzle is critical.
The cyber threat to the corporation is real and comes from many angles: class actions, regulatory fines and ratings downgrades. Public companies are accountable for the timely disclosure of cyber incidents and for the disclosure of risk. Solidifying the organization's cyber security posture is essential.
The lack of understanding of the economic impacts of cyber risk compounds the potential impacts of systemic cyber risk and the challenges facing boards and leadership teams in cyber governance and management. A few forward-thinking cyber leaders shared their thoughts on systemic cyber risk with me.
Hummingbirds' GuacamoleID product, described as the first Continuous Video-Based Verification Platform (CVIV), addresses the most common entry point for systemic risk into complex digital systems: the human interface. Their real-time facial-recognition AI product strengthens authentication by making it a persistent process that constantly verifies the identity of the person using a device connected to a complex system. The banking and finance sectors are early adopters of this type of real-time authentication technology to reduce risk related to this common systemic vulnerability.
LiveAction's ThreatEye NV product uses multiple AI-driven approaches for real-time and long-term analysis of network traffic behavior. This allows proactive alerting on anomalies related to both pre- and post-exploit behavior, which lets cyber defenders act immediately to stop systemic risk before it spreads, protecting the entire system and the business value it drives.
While these innovative companies are addressing different aspects of systemic cyber risk head-on, one thing was clear from my time at RSA 2022. The vast majority of cyber risk solutions in the market need to catch up to the growing threat of systemic cyber risk.
This will require a deeper understanding of cyber risk and new approaches to managing it: approaches that take in the entire digital system and how its parts work together to create business value. Only then can the risks to that value be systemically identified, monitored, detected, and mitigated.
This presents an incredible opportunity to the cyber security industry and whoever can solve the problems of systemic cyber risk governance and management. New solutions are needed that will bring innovative approaches to mitigating the complexities of systemic cyber risk.
Healthcare is one of the top industry sectors targeted by cyber attackers due to the value of sensitive electronic patient records, the potential impact on critical life-saving IT systems and medical devices, and the lack of security around the third-party vendors and suppliers delivering vital services. According to one survey, 55% of healthcare organizations suffered a third-party breach in the past year. However, most healthcare organizations do not have effective measures in place to identify these risks. Only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure, according to Gartner data.
In response, the Health3PT is collaborating to overcome these challenges and achieve greater efficiencies throughout the ecosystem. The Health3PT will focus first on a series of common practices to effectively manage information security risks associated with vendors and other third-party service providers. These include methodologies and tools that address multiple best practice frameworks, foster standardization and transparent assurances and validation, and address legislative and regulatory requirements.
The Health3PT will publish its first deliverable in Q1 2023: Research on third-party risk metrics to benchmark the state of the industry. In addition, in 2023, the Health3PT will establish working groups and will host industry-wide events including a Summit for vendors, healthcare third-party risk management stakeholders, and assessor organizations.
The Health3PT has overwhelming support from key industry stakeholders and comprises security and risk executives from 20 leading healthcare providers, health systems, health payors/insurers, and healthcare service organizations:
Probability refers to the extent to which something is probable, the likelihood of something happening. It can be either quantified (in which case it is deterministic) or qualified, in which case it refers to the belief that something will happen (non-deterministic). Frequentist probability models quantify risk, while conditional probability models qualify risk using subjective interpretations. There is an ongoing debate among statisticians and probability folks as to which model is more accurate in predicting actions in real life.
The manufacturer states that the Mark Ie MARK has a mean failure rate (MFR) of 1 in 2 million actuations causing a catastrophic failure and total destruction of the well. This means that the valve could fail on the first actuation or never fail for as long as it is used; however, given a large enough population of valves tested, there will be a regression to the mean in which 1 out of every 2 million actuations fails, causing a catastrophic failure. Using the probability of failure and the impact (catastrophic), one can quite easily quantify the risk. This model is deterministic, which means that if the model were run an infinite number of times the output would always be the same. There is a known probability of failure (1 in 2 million) and a known impact (total loss of $X). You talk to the engineers and then design redundant systems to reduce the likelihood of failure to an acceptable level. The failure is predictable and the controls are easily identified. (It should be noted that this model ONLY accounts for loss of the well and not other impacts.)
Suppose you read an article on quantifying security and decide to hire a company to help you quantify your security risk. The company arrives and does some calculations on the likelihood of a security event occurring, such as a disgruntled employee or a competitor attacking your well. They come up with a number to tell you your risk and expected losses. Can you believe their numbers? Within failure analysis it would be believable as it pertains to the failure of the valve, because there is a predictable risk that can be evaluated and quantified.
The fundamental failing of existing models of risk within the context of security is that they apply the classic or frequentist view of probability. The frequentist view of probability assigns an objective probability based upon a series of experiments under ideal conditions and cannot be used as a predictive mechanism under uncertainty. Even the Department of Homeland Security recognizes this when it states that frequentist models do not account for changes in the environment and cannot be applied to security issues such as adversarial human actors, which are considered adaptive threats.
In contrast with objective, frequentist probability models of risk, the incorporation of knowledge and conditional probabilities is a fundamental aspect of subjective Bayesian probability theory. This is important to understand: frequentist views of probability measure the objective proportion of outcomes of experiments, whereas subjective probability models express the degree of belief in an outcome. Using the coin-flipping example, one could state that they believe, given the weight of the coin, the prevailing wind and other factors, that the probability of landing on heads is 55%. After weighing the coin and obtaining new knowledge, the person may adjust that probability.
So what is the answer to security risk quantification? That is a great question that lends itself to considerable debate. It is suggested that conditional probability models (Bayesian models, for example) lend themselves to more accurate evaluation of cybersecurity risks than frequentist probability models. Frequentist probability models do not account for the changing environment and the variable, unpredictable threats facing organizations today. By applying conditional probability models, it is suggested that companies can gain a more complete and, over time, a more accurate analysis of their cybersecurity risks.
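As an added example, not taken from the book or the article excerpted above, the following Python puts the two models side by side: the deterministic valve calculation from the 1-in-2-million failure rate, and the Bayesian revision of the 55% coin belief as observations arrive. The Beta-prior encoding, the impact figure, the actuation counts and the flip results are constructed assumptions, not figures from the page.

```python
# Added example (not from the book or article excerpted above): the two risk
# models the text contrasts. Part 1, the valve: a fixed per-actuation failure
# probability (1 in 2 million, from the text) and a fixed impact give a
# deterministic expected loss that redundancy reduces predictably. Part 2, the
# coin: a 55% belief in heads (from the text) encoded as a Beta prior and revised
# by observations. The Beta encoding, impact, actuation counts and flip results
# are constructed assumptions, not figures from the page.

P_FAIL_PER_ACTUATION = 1 / 2_000_000   # manufacturer's stated MFR (from text)


def prob_at_least_one_failure(actuations: int,
                              p: float = P_FAIL_PER_ACTUATION) -> float:
    """P(at least one catastrophic failure in `actuations` independent uses)."""
    return 1.0 - (1.0 - p) ** actuations


def expected_loss(actuations: int, impact: float, redundant_valves: int = 1,
                  p: float = P_FAIL_PER_ACTUATION) -> float:
    """Expected loss when every redundant valve must fail on the same actuation.
    Independence between units is assumed; a common-cause failure breaks it."""
    return prob_at_least_one_failure(actuations, p ** redundant_valves) * impact


def beta_prior_from_belief(mean: float, weight: float = 10.0) -> tuple[float, float]:
    """Encode 'I believe heads is 55% likely' as Beta(alpha, beta).
    weight = alpha + beta: how many flips the belief is worth before it yields."""
    return mean * weight, (1.0 - mean) * weight


def update_belief(alpha: float, beta: float, heads: int, tails: int) -> tuple[float, float]:
    """Conjugate update: each head adds 1 to alpha, each tail adds 1 to beta."""
    return alpha + heads, beta + tails


def posterior_mean(alpha: float, beta: float) -> float:
    """Current point belief that the next flip lands heads."""
    return alpha / (alpha + beta)


if __name__ == "__main__":
    print(f"expected loss, 100k actuations, 1 valve : {expected_loss(100_000, 50e6):,.0f}")
    print(f"expected loss, 100k actuations, 2 valves: {expected_loss(100_000, 50e6, 2):,.0f}")
    a, b = beta_prior_from_belief(0.55)
    print(f"prior belief in heads          : {posterior_mean(a, b):.3f}")
    a, b = update_belief(a, b, heads=40, tails=60)   # constructed flip results
    print(f"belief after 40 heads/60 tails : {posterior_mean(a, b):.3f}")
    print(f"frequentist proportion         : {40 / 100:.3f}")
```

The valve numbers never move once the rate and impact are fixed, while the coin belief starts at the analyst's 0.55 and is pulled toward the observed proportion as evidence accumulates, which is the distinction the text draws.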