Cyber risk is an economic concept, not a technical one, and it is important to view it through that lens. Even with an unlimited budget, no security professional could guarantee that their company will not suffer from a cyber event. Since the cyber risk problem cannot be fixed, much the way a natural disaster cannot be avoided, we must take a risk-based approach, and develop risk mitigation and transfer strategies based on robust models for the frequency and severity of events including potentially systemic disaster scenarios.
Technology and the threat landscape change so rapidly that simple models based on past cyber events don’t adequately predict those of the future. This includes both the probability of a cyber event and the type of event that might occur.
Cyber events are often not chance occurrences. Bad actors are deliberate. They will escalate their efforts in direct response to a company’s attempts to mitigate their risk and exposure.
Many cybercriminal groups have sophisticated attack strategies to circumvent standard protections, especially for attractive targets. That’s why cyber risk models must evaluate both the company’s defense and attacker’s offense. The active and intentional nature of events makes game theory and behavioral economics the best lens to model cyber risk.
Why does one company fall victim to a cyber event while another is spared? In many cases, an “unintentional insider” neglects to safeguard company information or uses weak authentication procedures that allow a criminal to infiltrate the system. Or a “hacktivist” group targets an organization because it disagrees with its politics. State actors may even launch an attack motivated by espionage or cyber warfare.
The reasons why an organization becomes a cyber attack casualty are extremely varied. That’s why responses and losses cannot be tied to a simple formula. Instead, risk models must include the dynamic cost benefit analysis that bad actors and companies are continuously calculating when choosing targets and risk mitigation strategies.
If a cybercriminal breaks into a company’s network, he could harm hundreds or even thousands of associated companies and individuals. Additionally, if there are shared paths of aggregation across these companies, a single event can cause a string of related events. Considering this, the insurance industry is working to define the limits of its exposure so it can make responsible capital decisions and protect itself, its policyholders, and the market at large if catastrophic events occur.
Before committing capital, insurers need to understand the organization’s many possible threats and their impact in dollars and probabilities. But traditional cyber risk metrics and assessments do not adequately provide this insight.
Instead, insurers need dynamic analytics that tap into technical and non-technical data sources to continually monitor the cyber risk of a portfolio of companies. This kind of cyber risk model integrates in-depth data analysis and sophisticated economic modeling. It provides an agile platform to make confident business decisions based on probability, impact, severity, and accumulation.