Sunday, June 2, 2019





Cyber Risk Economics

Cyber
“Cyber security or information technology security are the techniques of protecting computers, networks, programs and data from unauthorized access or attacks that are aimed for exploitation”

Cyber Risk
The term “cyber risk” refers to a multitude of different sources of risk affecting the information and technology assets of a firm. Examples of cyber risk are outlined by the National Association of Insurance Commissioners and include identity theft, disclosure of sensitive information, and business interruption.

CYRIE
Cyber Risk Economics
Cybersecurity is a multidimensional problem that demands multidisciplinary attention. The Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Cyber Risk Economics (CYRIE) project supports research into the business, legal, technical and behavioral aspects of the economics of cyber-threats, vulnerabilities and controls. CYRIE R&D emphasizes empirically based measurement, modeling and evaluation of:

Investment into cybersecurity controls (technology, regulatory, and legal) by private-sector, government and private actors;

Impact of investment on the probability, severity and consequences of actual risks and resulting cost and harm;


Value of the correlation between business performance measures and evaluations of cybersecurity investments and impacts; and

Incentives to optimize the investments, impacts and value basis of cyber-risk management.
Motivation



In 2013, then-President Barack Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive 21, Critical Infrastructure Security and Resilience. Both are aimed at enhancing the capability of owners and operators of the nation’s critical infrastructure to protect against cyberattacks.

Approach

The CYRIE project endeavors to improve the value-based decision-making of those who own, operate, protect and regulate the nation’s vital data assets and critical infrastructure. The project looks beyond the traditional economic view of incentives for cybersecurity, in which individuals are assumed to be rational actors who know how to maximize their well-being, and considers a broader array of factors drawn from business, law and behavioral economics. In this way, CYRIE R&D can more effectively address strategy and tactics for optimal cyber-risk avoidance, acceptance, mitigation and transfer.
Purpose
The S&T CYRIE program endeavors to improve value-based decision making by those who own, operate, protect, and regulate the nation’s vital data assets and critical infrastructures. As such the program looks beyond the traditional economics view of incentives for cybersecurity – where individuals are assumed to be rational actors who know how to maximize their well-being – and considers a broader array of factors that include business, legal, technical, and behavioral factors. In this way CYRIE R&D can more effectively address strategy and tactics for cyber risk avoidance, acceptance, mitigation, and transfer.
CYRIE executes its vision along four related dimensions:
Investment -- How and why cybersecurity investments are made.
Impact -- What impact those investments have on risk and harm when controls are inadequate to protect against cyber-disruptions, including understanding the impact on information and functions as well as component and systemic consequences.
Value -- What is the relationship between cybersecurity risk—both the anticipated risk that leads to specific levels and mix of investments in controls and realized risk as measured by incident impact evaluations—and conventional business performance and financial frameworks such as competitive advantage, return on investment and liability.
Incentives -- What incentives are needed to encourage optimal cyber-risk management. Broad attention to incentives is essential given the shared nature of the cyber environment, the gap between the limited private costs and potentially vast social costs incurred following cybersecurity failures, and the negative externalities that result from this gap.

Resources
Cyber Risk Economics Capability Gaps Research Strategy
Cybersecurity is a multidimensional challenge that demands interdisciplinary attention. The Department of Homeland Security Science and Technology Directorate (DHS S&T) Cyber Risk Economics (CYRIE) program supports research, development, and operationalization of technical and knowledge solutions that improve value-based decision making by those who own, operate, protect, and regulate the nation’s vital data assets and critical infrastructures. The focus extends beyond the traditional economics view of incentives for cybersecurity to consider business, legal, technical, and behavioral factors that impact cyber risk. CYRIE R&D emphasizes the empirically based measurement, modeling and evaluation of cybersecurity investment, impact and incentives. The objective of this research strategy and the CYRIE program is to close the gap between research and practice by apprising the research community of real-world cyber risk economics challenges, and, ultimately, to inform evidence-based policy and actions by industry and government.



The growing challenge of cyber
One place where many of these issues come together is cyber-risk. Cyberattacks are perceived as the global risk of highest concern to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018, according to the risk perception survey that underpins the Global Risks Report.





Exposure to cyber risk is growing as firms become more dependent on technology. The explosive growth of interconnected devices expands the attack surface of organizations: the number of interconnected devices in the world was expected to jump from 8.4 billion in 2017 to 20 billion in 2020. Increased use of artificial intelligence in business processes also heightens exposure to cyber risk.






Solution Of Cyber Risk Economics


Cyber Security Economics


NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) Report
The project "Economic Aspects of National Cyber Security Strategies" (NCSS) was launched in 2014.
Goal: evaluate the economic elements underpinning the drafting and adoption of NCSS worldwide.
It tackled matters of economic cost such as:
measuring the cost of cyber insecurity,
assessing the economic efficiency of an NCSS, and
economic incentives for all stakeholders involved.

Report published in 2015.
Digital and knowledge-based economy: 10% of GDP in some countries.
Cyberspace accounted for 4% of the world’s GDP in 2010.

Cybercrime has been called the ‘largest transfer of wealth in human history’; early estimates put losses at $1 trillion a year, roughly 1.4% of world GDP.

The general conclusion: there is currently not enough data to measure such costs, and there will not be unless roles and responsibilities for collecting it are clearly identified and assigned within the structures concerned, be they governments or private organizations.


RiskLens raises $20.55 million to help companies manage cyber risk


RiskLens (formerly Cxoware), a cyber risk quantification and management software provider, today announced that it has raised $20.55 million in series B funding led by Paladin Capital, with participation from Dell Technologies Capital, Osage Venture Partners, F-Prime Capital, and MassMutual Ventures. The fresh capital, which follows a $5 million series A round in July, will be used to expand the company’s sales, marketing, engineering, and professional services departments, according to CEO Nick Sanna.
“RiskLens has forever changed the way large organizations assess, manage and report on cyber risk, by translating the impact of threats and vulnerabilities into the financial language of the business that everyone understands: dollars and cents,” Sanna said. “We are proud to have our existing investors expand their commitment to our success and are thrilled to be joined by F-Prime Capital and MassMutual Investors given their prowess in the financial services and insurance sectors.”
RiskLens, founded in 2011 by former Huntington Bank senior vice president and CISO Jack Jones and IT-Lifeline founding CEO Steve Tabacek, offers a suite of software-as-a-service (SaaS) apps aimed at helping executives quantify and manage cyber risk. Its software models the corporate environment, assesses relevant threats, devises risk scenarios, applies data on threat activity, runs simulations to identify areas for improvement, and generates risk analytics reports that highlight concentrations of risk, loss exposure over time, and other key metrics.
“We’re giving boards of directors, CISOs and cyber risk teams what was once thought impossible — a decision-support platform and a system of record that allows them to make cost-effective decisions regarding the prioritization of security initiatives and the rightsizing of those investments,” Sanna said. “RiskLens is currently the only software platform that can help clients establish quantitative and financially oriented cyber risk management programs.”
RiskLens’ analytics module offers a per-division breakdown of risk appetite and risk components (such as asset classes and forms of loss), and lets managers set control thresholds that trigger notifications when they are crossed. Its Cyber Risk Maturity app measures an organization’s ability to manage risk over time, as well as its standing against frameworks such as the NIST Cybersecurity Framework (CSF) and the FFIEC Cybersecurity Assessment Tool (CAT), and its Cyber Risk Triage service offers a templatized workflow, drop-down selections, and predefined ranges for risk factors that help determine which new scenarios deserve a full analysis, along with mathematical simulations that automatically build risk profiles.


Executive  Strategic
This research strategy is directed at public and industrial researchers and funding organizations for the benefit of cybersecurity stakeholders across industry and government. It frames a series of research opportunities that address capability gaps drawn from a confluence of authoritative documents, scholarly literature review, and a range of recent stakeholder discussions of cyber risk economics. These areas comprise many of the most challenging issues in cybersecurity. The objective of this paper and the CYRIE program is to close the gap between research and practice by apprising the research community of real-world cyber risk economics challenges, and, ultimately, to inform evidence-based policy and actions by industry and government.
The strategy describes 12 research areas organized into 6 themes, as follows:




Economics of cyber security
The economics of cyber security applies principles of economics to the analysis of cyber security problems. It is often thought that information security comes down to technical measures, but Anderson and Moore (2006) have characterised the issue as follows: ‘People have realised that security failure is caused at least as often by bad incentives as by bad design’. This implies that better incentives are needed in order to increase investments in cyber security rather than focusing merely on technical measures.

In general, work in this field includes descriptions of the market, cost-benefit trade-offs made by rational market participants, analysis of strategic behaviour, market mechanisms and failures, and the economic impact of government regulation. Further efforts analyse financial gain as the motivation for cybercrime, model cybercrime and cyber security investment decisions, and study the problems arising in the cyber-insurance sector. Risk management principles are also explored in order to better understand the economic aspects of cyber security.


The National Association of Corporate Directors’ Cyber Security Handbook identified five core principles for corporate boards to enhance their cyber-risk management.


1. Understand that cybersecurity is an enterprise-wide risk management issue.
 Thinking of cybersecurity as an IT issue to be addressed simply with technical solutions is an inherently flawed strategy. The single biggest vulnerability in cybersystems is people – insiders. Cybersecurity costs are managed most efficiently when integrated into core business decisions such as product launches, M&A and marketing strategies. Moreover, in an integrated world, organizations must take into account the risk created by their vendors, suppliers and customers as their weaknesses can be exploited to the detriment of the home system.
2. Directors need to understand the legal implications of cyber-risk.
 The legal situation with respect to cybersecurity is unsettled and quickly evolving. There is no one standard that applies, especially for organizations that do business in multiple jurisdictions. It is critical that organizations systematically track the evolving laws and regulations in their markets.

3. Boards need adequate access to cybersecurity expertise.
Although cybersecurity issues are becoming as central to business decisions as legal and financial considerations, most boards lack the needed expertise to evaluate cyber-risk. Many boards are now recruiting cyber professionals for board seats to assist in analysing and judging staff reports. At a minimum, boards should regularly make adequate time for cybersecurity at board meetings as part of the audit or similar committee reports.
4. Directors need to set an expectation that management has an enterprise-wide cyber-risk management framework in place.
 At a base level, each organization ought to have an enterprise-wide cyber-risk team led by a senior official with cross-departmental authority that meets regularly, has a separate budget, creates an organization-wide plan and exercises it.
5. Based on the plan, management needs to have a method to assess the damage of a cyber-event.
They need to identify which risks can be avoided, mitigated, accepted or transferred through insurance. This means they need to identify which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets need to then be allocated appropriately between defending against basic and advanced risks.
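Both the RiskLens description above (model a scenario, run simulations, report loss exposure over time) and the NACD's fifth principle (decide which risks to avoid, mitigate, accept or transfer through insurance) come down to putting a dollar figure on a scenario and comparing the treatments on the same footing. The Python below is an added example written for this page; it is not RiskLens software and not from the NACD handbook. It uses a simplified FAIR-style decomposition (Factor Analysis of Information Risk, the method authored by Jack Jones): each year sees a Poisson number of loss events, and each event has a lognormal magnitude fitted from a low and a high estimate. The scenario (a ransomware outage at 0.5 events a year, $50k to $2M per event), the control (60% fewer events for $120k a year) and the policy terms (a $100k deductible, $1M limit, $240k premium) are all constructed assumptions.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

Z90 = 1.2815515655446004  # 90th percentile of the standard normal distribution


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, FAIR-style: how often it happens and what an event costs.
    All figures are assumptions chosen for illustration."""
    name: str
    events_per_year: float  # loss event frequency, modelled as a Poisson rate
    loss_p10: float         # 10th percentile of loss per event, USD
    loss_p90: float         # 90th percentile of loss per event, USD


def lognormal_params(p10, p90):
    """(mu, sigma) of the lognormal whose 10th and 90th percentiles are p10 and p90."""
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z90)
    return mu, sigma


def sample_poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(scn, years, seed=1):
    """Gross loss for each simulated year: the sum of that year's per-event losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scn.loss_p10, scn.loss_p90)
    return [sum(rng.lognormvariate(mu, sigma)
                for _ in range(sample_poisson(rng, scn.events_per_year)))
            for _ in range(years)]


def percentile(values, q):
    """Nearest-rank percentile of a list, q in [0, 100]."""
    ordered = sorted(values)
    index = max(0, math.ceil(q / 100.0 * len(ordered)) - 1)
    return ordered[index]


def retained_after_insurance(gross, deductible, limit, premium):
    """What the firm still pays in a year: the premium plus whatever the policy
    does not cover (the deductible and any loss above the aggregate limit)."""
    covered = min(max(gross - deductible, 0.0), limit)
    return premium + gross - covered


def compare_treatments(scn, control_frequency_reduction, control_cost,
                       deductible, limit, premium, years=20000, seed=7):
    """Annualised cost under accept / mitigate / transfer, plus ROSI for the control.
    ROSI = (ALE before - ALE after - control cost) / control cost."""
    accept = simulate_annual_losses(scn, years, seed)
    with_control = Scenario(scn.name + " + control",
                            scn.events_per_year * (1.0 - control_frequency_reduction),
                            scn.loss_p10, scn.loss_p90)
    mitigate = [loss + control_cost
                for loss in simulate_annual_losses(with_control, years, seed)]
    transfer = [retained_after_insurance(g, deductible, limit, premium) for g in accept]
    ale = {"accept": mean(accept), "mitigate": mean(mitigate), "transfer": mean(transfer)}
    p90 = {"accept": percentile(accept, 90), "mitigate": percentile(mitigate, 90),
           "transfer": percentile(transfer, 90)}
    rosi = (ale["accept"] - ale["mitigate"]) / control_cost  # mitigate already includes the cost
    return {"ale": ale, "p90": p90, "rosi": rosi}


# Constructed scenario (assumption): ransomware takes the order-processing system offline.
RANSOMWARE = Scenario("ransomware outage", events_per_year=0.5,
                      loss_p10=50_000.0, loss_p90=2_000_000.0)

if __name__ == "__main__":
    # Assumed treatments: a control (EDR plus tested backups) cutting event frequency
    # by 60% for $120k/yr, or a policy with a $100k deductible, $1M limit, $240k premium.
    result = compare_treatments(RANSOMWARE, control_frequency_reduction=0.6,
                                control_cost=120_000.0, deductible=100_000.0,
                                limit=1_000_000.0, premium=240_000.0)
    for treatment in ("accept", "mitigate", "transfer"):
        print(f"{treatment:9s} ALE ${result['ale'][treatment]:>12,.0f}"
              f"   90th pct ${result['p90'][treatment]:>12,.0f}")
    print(f"ROSI of the control: {result['rosi']:.0%}")
```

Run it as a script to print the annualised loss exposure (ALE) and the 90th-percentile year under each treatment, together with the return on security investment (ROSI) of the control. Two things it shows that the prose does not: the mean alone hides tail risk, so the 90th-percentile figure belongs next to the ALE in any board report; and a premium loaded above expected claims, as real policies are, typically raises the expected annual cost a little while cutting the bad years, so "transfer" is bought to trim the tail and "mitigate" to lower the mean, and the two should not be compared on ALE alone.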

There are certain mistakes that organizations commonly make for which we offer suggestions to reduce the risk of an attack.

1. Tighten your current security system. ...
2. Use patches. ...
3. Protect outbound data. ...
4. Raise awareness. ...
5. Be smart about passwords. ...
6. Don't ignore physical security. ...
7. Encrypt data. ...
8. Purchase a Cyber Insurance policy.

10 Ways to Prevent Cyber Attacks
Even if you don’t currently have the resources to bring in an outside expert to test your computer systems and make security recommendations, there are simple, economical steps you can take to reduce your risk of falling victim to a costly cyber attack:
1. Train employees in cyber security principles.
2. Install, use and regularly update antivirus and antispyware software on every computer used in your business.
3. Use a firewall for your Internet connection.
4. Download and install software updates for your operating systems and applications as they become available.
5. Make backup copies of important business data and information.
6. Control physical access to your computers and network components.
7. Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure and hidden. Note that hiding the network name (SSID) only stops casual discovery, since the name is still sent in the frames clients transmit when they connect; the protection that matters is WPA2 or WPA3 with a strong, non-default passphrase, with guest and personal devices kept on a separate network.
8. Require individual user accounts for each employee.
9. Limit employee access to data and information and limit authority to install software.
10. Regularly change passwords. The current guidance in NIST SP 800-63B is more nuanced: do not force routine rotation, which pushes users toward predictable variations, but do require a change whenever a compromise is suspected, insist on long unique passwords, and add multi-factor authentication wherever it is available.


 CONCLUSION
This research strategy is intended to drive and prioritize research into the business, legal, technical, and behavioral aspects of the economics of cyber threats, vulnerabilities, and implementation of controls. It considers a broad array of research opportunities that will address the Department’s cybersecurity goals as well as some of the most pressing gaps in our understanding and capability to address cyber risk. This includes: the quantification of risk; the role of government, law, and insurance; third party risk; organizational behaviors and incentives; data collection and sharing; and threat dynamics. This strategy encourages stakeholders to take a holistic approach to advancements in the area of cyber risk economics, one that incorporates perspectives on managing cyber security from a range of social and behavioral sciences. Such an interdisciplinary approach is essential to improve value-based decision making by those who own, operate, protect, and regulate the nation’s vital data assets, functions, and critical infrastructures. Because risk is dynamic and contextual, the relative capability gaps, challenges and research opportunities are expected to change in kind. This strategy is intended to be updated as necessary to help guide progress.


