Security Risk Models for Cyber Insurance
149 pages, English, ePUB

About This Book

Tackling the cybersecurity challenge is a matter of survival for society at large. Cyber attacks are rapidly increasing in sophistication and magnitude—and in their destructive potential. New threats emerge regularly, the last few years having seen a ransomware boom and distributed denial-of-service attacks leveraging the Internet of Things.

For organisations, cybersecurity risk management is essential in order to manage these threats. Yet current frameworks have drawbacks which can lead to the suboptimal allocation of cybersecurity resources. Cyber insurance has been touted as part of the solution – based on the idea that insurers can incentivise companies to improve their cybersecurity by offering premium discounts – but uptake of cyber insurance remains limited. This is because companies have difficulty determining which cyber insurance products to purchase, and insurance companies struggle to assess cyber risk accurately and thus to develop cyber insurance products.

To deal with these challenges, this volume presents new models for cybersecurity risk management, partly based on the use of cyber insurance. It contains:

  • A set of mathematical models for cybersecurity risk management, including (i) a model to assist companies in determining their optimal budget allocation between security products and cyber insurance and (ii) a model to assist insurers in designing cyber insurance products.
  • The models use adversarial risk analysis to account for the behaviour of threat actors (as well as the behaviour of companies and insurers).
  • To inform these models, we draw on psychological and behavioural economics studies of decision-making by individuals regarding cybersecurity and cyber insurance.
  • We also draw on organisational decision-making studies involving cybersecurity and cyber insurance.

Its theoretical and methodological findings will appeal to researchers across a wide range of cybersecurity-related disciplines including risk and decision analysis, analytics, technology management, actuarial sciences, behavioural sciences, and economics. The practical findings will help cybersecurity professionals and insurers enhance cybersecurity and cyber insurance, thus benefiting society as a whole.

This book grew out of a two-year European Union-funded project under Horizon 2020, called CYBECO (Supporting Cyber Insurance from a Behavioural Choice Perspective).

Security Risk Models for Cyber Insurance, by David Rios Insua, Caroline Baylon and Jose Vila, is available in PDF and ePUB format and is catalogued under Computer Science & Cyber Security.

Information

Year: 2020
ISBN: 9781000336221
Edition: 1

1 Introduction

David Ríos Insua (ICMAT), Nikos Vasileiadis (TREK), Aitor Couce Vieira (ICMAT), Caroline Baylon (AXA)
CONTENTS
1.1 Overview
1.2 A schematic view of cybersecurity risk management
1.3 The current state of the cyber insurance market
1.4 The way forward
This chapter begins by presenting the central thesis of this book: in order to tackle the pressing cybersecurity challenge, companies need to employ a reliable Cybersecurity Risk Management (CSRM) methodology. Yet current CSRM approaches have significant shortcomings that can lead to the incorrect prioritisation of cyber risks and of resources. The inclusion of cyber insurance could significantly improve CSRM methods, but the cyber insurance market is currently underdeveloped due to both demand-side and supply-side challenges. To overcome these obstacles, this book proposes new models for risk management in cybersecurity, including a main CSRM model for companies and a series of auxiliary models for insurers. The following sections in this chapter introduce fundamental concepts that later parts of the book build upon, first providing a schematic view of the factors involved in CSRM and then describing the key facets of the cyber insurance market at present.

1.1 Overview

1.1.1 The cyber threat landscape

The threat actors

Cybersecurity is a major global concern, with attacks becoming increasingly ubiquitous and growing in both frequency and size (WEF, 2020). There is a diversity of threat actors, whose numbers are steadily rising as well. These include hacktivists, who are closely linked with political or social movements and range from hackers taking action to defend free speech to those closely aligned with terrorist organisations. Insiders are another important cyber threat and, indeed, the biggest source of incidents (Cardenas et al., 2009); however, they may be the easiest to handle through a sound cybersecurity programme. Cybercriminals are increasing in capability: many cybercriminal groups have become mature professional organisations, some of them employing dozens of hackers and possessing large financial resources (Cardenas et al., 2008). Well-functioning markets on the “dark web” give skilled individuals incentives to steal data or develop new automated attack tools (Herley and Florêncio, 2010), and the ability to purchase such tools has also made it easier for those without advanced technical skills to engage in cybercrime. Perhaps the most formidable threats at present are nation states. Although partially constrained by the possible military, economic, and political repercussions of launching cyber attacks, state actors are increasingly developing offensive programmes and stockpiling cyberweapons, which could be released either accidentally or intentionally. This is a particular concern given the increased tensions between global powers at present.

A rise in the number and impact of attacks

As companies, governments, and individuals become ever more connected to the internet, the attack surface is growing, and with it the number and impact of attacks. High-profile corporate data breaches in recent years include the 2017 breach of Equifax, in which the data of over 140 million consumers, including social security numbers and, for some, credit card numbers, was stolen. The Yahoo data breach, first reported in 2016 but dating back to 2013, saw the theft of hashed passwords as well as personal data associated with all 3 billion of its user accounts. The 2015 breach of Anthem resulted in the theft of 78.8 million client records containing Personally Identifiable Information (PII). In the 2013 Target data breach, attackers entered the Target network using credentials stolen from one of its third-party suppliers, a heating and air-conditioning contractor; they made off with the payment card data of some 40 million customers and the personal information of up to 70 million, and also caused Target major reputational damage (Manworren et al., 2016).
Among a spate of major ransomware attacks, the 2017 WannaCry attack severely disrupted the UK National Health Service, Telefónica, and FedEx, among others, causing significant disruption and entailing losses estimated to have reached $4 billion (Berr, 2016). Its ability to spread on its own, using the leaked US National Security Agency EternalBlue exploit against unpatched Windows SMB services, made it particularly damaging. Governments have also been hard hit: a 2018 ransomware attack on the City of Atlanta impacted city services, from utilities to parking, and took months to recover from. Similarly, a 2016 ransomware attack on San Francisco’s public transit agency disrupted ticketing and payment systems for the city’s light rail network.
The 2017 NotPetya attack affected thousands of companies including Maersk, DHL, and Saint-Gobain and caused an estimated $10 billion in damages (Greenberg, 2018). Although purporting to be ransomware, many experts believe that NotPetya was in fact a cyberweapon created by Russia and targeted at Ukraine that inadvertently hit a number of unrelated targets. Other high profile attacks attributed to state actors include the 2015 attack on the Ukrainian power grid that left some 230,000 people without power for up to six hours, an attack that Russia is also thought to have instigated. The first known successful attack on a power grid, it illustrates the rise of attacks on cyber-physical systems with real world consequences. An early example was the 2010 Stuxnet attack on an Iranian nuclear facility that damaged one fifth of its nuclear centrifuges, this one widely believed to have been carried out by the US and Israel (Brenner, 2013).
Additionally, distributed denial-of-service (DDoS) attacks are growing more destructive, in large part due to the exponential growth of the Internet of Things (IoT); many IoT devices are rolled out quickly and cheaply, with little thought given to cybersecurity, and can therefore readily be co-opted into botnets. In 2016 the Mirai botnet, composed of a host of internet-connected devices from cameras to baby monitors, made major sites including Twitter, Netflix, CNN, and The New York Times unreachable by attacking Dyn, a managed DNS provider on which those sites depended to resolve their domain names.
Finally, new types of attacks are regularly emerging. For example, the rise in the value of cryptocurrencies has brought about a growth in cryptojacking attacks, which hijack computers to mine cryptocurrency covertly (typically Monero rather than bitcoin, since Monero can be mined profitably on ordinary CPUs). And as progress is made in AI, cybercriminals are increasingly employing AI-enabled attacks as well.

1.1.2 Cybersecurity risk management

To deal with these challenges, the use of a sound Cybersecurity Risk Management (CSRM) methodology is essential. CSRM techniques rely heavily on risk analysis (Bedford and Cooke, 2001), enabling organisations to assess the risks to their assets as well as which safeguards should be implemented to reduce the likelihood of various threats occurring and their impact if they do. Numerous frameworks have been developed to support cybersecurity risk management, including the international standard ISO 27005 (ISO, 2011), CRAMM in the UK (Central Computer and Telecommunications Agency, 2003), MAGERIT in Spain (Amutio et al., 2012), EBIOS in France (ANSSI, 2010), the NIST Risk Management Framework and others in the US (NIST, 2018; NIST, 2012), and CORAS, developed by an EU-funded project (Lund et al., 2011). Similarly, a number of compliance and control assessment frameworks such as ISO 27001 (ISO, 2013), the Common Criteria (Common Criteria, 2017), and the Cloud Controls Matrix (Cloud Security Alliance, 2019) offer guidance on the implementation of cybersecurity best practices. The above methodologies and frameworks provide an extensive catalogue of threats, assets, and controls, as well as detailed guidelines for the implementation of countermeasures to protect digital assets. However, much remains to be done regarding risk analysis from a methodological point of view.

Challenges with current risk management approaches in cybersecurity

A detailed study of the main approaches to CSRM reveals that they often rely on risk matrices, which have well-documented shortcomings (Cox, 2008; Thomas et al., 2013). Compared with more rigorous quantitative methods, the ordinal ratings for likelihood, severity, and risk used in risk matrices are prone to ambiguity and subjective interpretation. They also systematically assign the same rating to risks that differ substantially in magnitude (range compression), and can even rank a risk with a smaller expected loss above one with a larger expected loss, because the ordinal scales ignore where within a band a value falls. This can lead to a sub-optimal allocation of cybersecurity resources. Hubbard and Seiersen (2016) and Allodi and Massacci (2017) provide additional critical perspectives on the use of risk matrices in cybersecurity. The problem is compounded by the increasing variety of cybersecurity threats and the growing complexity of the security controls used in cybersecurity risk management.
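The shortcomings just described are easy to reproduce. The following is an added illustration, not code from the book or the CYBECO project: it scores four constructed threats on a 5x5 risk matrix and compares the result with their expected annual loss, showing both range compression (one cell holding risks whose expected losses differ by a large factor) and rank reversal (a higher matrix rating for the risk with the smaller expected loss). The threat register, the probability and loss figures, and the ordinal bands are all assumptions made for the example.

```python
"""Range compression and rank reversal in a 5x5 risk matrix.

Added illustration of the risk-matrix critique; the threat figures are
constructed for the example and the ordinal bands are assumed, not taken
from any named framework.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # P(at least one incident in a year), assumed
    loss: float                # loss per incident in EUR, assumed


# Assumed ordinal bands: (inclusive upper bound, score). Frameworks differ in
# the cut-offs; the coarse binning itself is what produces the effects shown.
LIKELIHOOD_BANDS = [(0.01, 1), (0.05, 2), (0.20, 3), (0.50, 4), (1.00, 5)]
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3),
                (10_000_000, 4), (float("inf"), 5)]

# Constructed threat register (not real incident data).
THREATS = [
    Threat("phishing_credential_theft", 0.25, 120_000),
    Threat("ransomware", 0.20, 1_000_000),
    Threat("insider_data_leak", 0.06, 120_000),
    Threat("ddos_outage", 0.80, 8_000),
]


def score(value: float, bands) -> int:
    """Map a continuous value onto the first band whose upper bound it does not exceed."""
    for upper, s in bands:
        if value <= upper:
            return s
    return bands[-1][1]


def matrix_rating(t: Threat) -> int:
    """Risk-matrix cell value: likelihood score times impact score (1..25)."""
    return score(t.annual_probability, LIKELIHOOD_BANDS) * score(t.loss, IMPACT_BANDS)


def expected_annual_loss(t: Threat) -> float:
    """Quantitative counterpart of the cell value: annualised expected loss."""
    return t.annual_probability * t.loss


def rank_reversals(threats):
    """Pairs (a, b) where the matrix rates a strictly above b although b's expected loss is higher."""
    out = []
    for a, b in combinations(threats, 2):
        if matrix_rating(a) > matrix_rating(b) and expected_annual_loss(a) < expected_annual_loss(b):
            out.append((a.name, b.name))
        elif matrix_rating(b) > matrix_rating(a) and expected_annual_loss(b) < expected_annual_loss(a):
            out.append((b.name, a.name))
    return out


def range_compression(threats, min_ratio: float = 10.0):
    """Pairs sharing one matrix cell whose expected losses differ by at least min_ratio."""
    out = []
    for a, b in combinations(threats, 2):
        if matrix_rating(a) != matrix_rating(b):
            continue
        hi, lo = sorted((a, b), key=expected_annual_loss, reverse=True)
        ratio = expected_annual_loss(hi) / expected_annual_loss(lo)
        if ratio >= min_ratio:
            out.append((hi.name, lo.name, round(ratio, 1)))
    return out


if __name__ == "__main__":
    for t in sorted(THREATS, key=matrix_rating, reverse=True):
        print(f"{t.name:26s} matrix={matrix_rating(t):2d}  EAL={expected_annual_loss(t):>10,.0f}")
    print("rank reversals:", rank_reversals(THREATS))
    print("range compression:", range_compression(THREATS))
```

Run as a script, it lists the four threats in matrix order: phishing (cell 12) is ranked above ransomware (cell 9) although its expected annual loss is less than a sixth of the ransomware figure, and ransomware shares cell 9 with an insider leak whose expected loss is roughly 28 times smaller. The bands here are coarse on purpose, but any finite set of bins produces the same effects for values near the band boundaries.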
Moreover, these methodologies typically do not explicitly take into account the intentionality of certain threats, with a few exceptions like the UK’s IS1 (National Technical Authority for Information Assurance, 2012). Yet the vast majority of security companies and industry bodies emphasise the importance of defending against adversarial threats, not just accidental or environmental ones (ISF, 2017). As a consequence, current CSRM approaches may lead companies to incorrectly prioritise cyber risks and the measures they should implement to defend against them.

Cyber insurance as part of an alternative CSRM methodology and obstacles to overcome

In this context, a complementary way of dealing with cyber risks through risk transfer is emerging: cyber insurance products, which have been introduced in recent years by companies such as AXA, Generali, and Allianz. Cyber insurance can fulfil a key role in the economics of cybersecurity in two ways. First, it keeps cyber risks manageable for insured companies by transferring part of the financial risk to the insurer. Second, it provides incentives to improve cybersecurity, since insurers can require companies to implement certain minimum protections as a condition of cover and can reward stronger controls with lower premiums, thereby reducing overall risk.
Unfortunately, cyber insurance is still underdeveloped for a variety of reasons. On the demand side, companies often struggle to decide whether or not to buy insurance, and which products to buy. On the supply side, it is difficult for insurance companies to assess the overall risk when it comes to cybersecurity and thus to design their product offerings, partly because of a lack of data. This is discussed further in Section 1.3.
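The demand-side difficulty is easier to see with numbers. The following is an added, deliberately simplified illustration, not the CYBECO model presented later in the book and not code from the book: a company chooses a level of spending on controls and an indemnity limit, and the script scores every combination under a risk-neutral criterion and under a risk-averse one. Every figure in it is a constructed assumption: the loss size, the control options and the attack probabilities they yield, the premium loading, the underwriting condition that cover is only offered above a minimum control spend, and the risk tolerance.

```python
"""Allocating a cybersecurity budget between controls and cyber insurance.

Added, simplified illustration of the decision the text describes; it is not
the CYBECO model. All figures below are constructed assumptions.
"""
import math
from itertools import product

LOSS = 2_000_000                # assumed loss if a successful attack occurs, EUR
LOADING = 1.4                   # assumed premium = LOADING * expected payout
MIN_CONTROL_FOR_COVER = 50_000  # assumed underwriting condition: no policy below this spend

# Assumed control options: annual spend -> probability of a successful attack that year.
CONTROL_OPTIONS = {0: 0.30, 50_000: 0.15, 120_000: 0.08, 250_000: 0.05}
# Assumed policy options: indemnity limit per incident (0 = no policy).
INDEMNITY_OPTIONS = [0, 500_000, 1_000_000, 2_000_000]


def premium(control_spend: int, indemnity: int) -> float:
    """Loaded actuarial premium; the insurer observes the control level and prices on it."""
    if indemnity == 0:
        return 0.0
    if control_spend < MIN_CONTROL_FOR_COVER:
        raise ValueError("insurer requires minimum protections before issuing a policy")
    return LOADING * CONTROL_OPTIONS[control_spend] * indemnity


def expected_cost(control_spend: int, indemnity: int) -> float:
    """Risk-neutral criterion: control spend + premium + expected retained loss."""
    p = CONTROL_OPTIONS[control_spend]
    retained = max(LOSS - indemnity, 0)
    return control_spend + premium(control_spend, indemnity) + p * retained


def certainty_equivalent(control_spend: int, indemnity: int, risk_tolerance: float) -> float:
    """Risk-averse criterion: certainty equivalent of total cost under exponential utility.

    Total cost is `fixed + retained` with probability p and `fixed` otherwise, so
    CE = fixed + R * ln((1 - p) + p * exp(retained / R)); CE tends to the
    expected cost as R grows.
    """
    p = CONTROL_OPTIONS[control_spend]
    fixed = control_spend + premium(control_spend, indemnity)
    retained = max(LOSS - indemnity, 0)
    return fixed + risk_tolerance * math.log((1 - p) + p * math.exp(retained / risk_tolerance))


def feasible_options():
    """All (control spend, indemnity) pairs the insurer would actually write."""
    for c, i in product(CONTROL_OPTIONS, INDEMNITY_OPTIONS):
        if i == 0 or c >= MIN_CONTROL_FOR_COVER:
            yield c, i


def best_allocation(criterion):
    """Return (control_spend, indemnity, value) minimising the given cost criterion."""
    return min(((c, i, criterion(c, i)) for c, i in feasible_options()), key=lambda x: x[2])


if __name__ == "__main__":
    c, i, v = best_allocation(expected_cost)
    print(f"risk-neutral: controls={c:,} indemnity={i:,} expected cost={v:,.0f}")
    c, i, v = best_allocation(lambda c, i: certainty_equivalent(c, i, 1_000_000))
    print(f"risk-averse (R=1,000,000): controls={c:,} indemnity={i:,} CE={v:,.0f}")
```

With a premium loaded above the expected payout, the risk-neutral criterion never buys insurance and simply picks the control level with the lowest expected total cost (120,000 on controls, no cover). The risk-averse criterion at the assumed tolerance keeps the same control level but adds full cover, because the certainty equivalent of retaining a rare 2 million loss is well above the 224,000 premium; raising the tolerance far enough returns the choice to no cover. The attack probabilities here are fixed inputs; in adversarial risk analysis they would instead depend on the threat actor's own decision.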

1.1.3 The approach of this book

The growing cyber threat landscape, coupled with the shortcomings of current CSRM frameworks and the unrealised potential of cyber insurance for risk management, underscores the need for new cybersecurity risk management approaches. This book presents findings from the European Union-funded CYBECO (Supporting Cyber Insurance from a Behavioural Choice Perspective) project, which has developed new models for risk management in cybersecurity. These include both a model for companies and a series of models for insurers, in order to help develop both the demand and supply sides of the cyber insurance market. More specifically, the model aimed at companies assists them in determining their optimal cybersecurity resource allocation (including selecting a cyber insurance product), and the models intended for insurers aid them with the design of cyber insurance products (including setting premiums) as well as with estimating risks (such as determining whether or not to issue a policy).
These models take a number of behavioural elements into account. They model the behavioural choices of various cyber threat actors in terms of their decisions as to whether or not to attack a company, thus progressing beyond the current CSRM frameworks, which do not properly account for adversarial threats. They also consider the behavioural choices of companies and insurers, looking at companies’ cybersecurity resource allocation and risk transfer decisions and insurers’ risk assessment decisions. These models are presented in detail in Chapter 4.
In the next two sections, we provide background information on the key components of the cybersecurity risk management problem and on the current state of the cyber insurance market. This provides import...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Dedication
  6. Contents
  7. Foreword
  8. Preface
  9. Acknowledgements
  10. List of Figures
  11. List of Tables
  12. Editors
  13. Contributors
  14. Abbreviations
  15. 1 Introduction
  16. 2 The Cyber Insurance Landscape
  17. 3 Behavioural Issues in Cybersecurity
  18. 4 Risk Management Models for Cyber Insurance
  19. 5 A Case Study in Cybersecurity Resource Allocation and Cyber Insurance
  20. 6 Conclusions
  21. Bibliography
  22. Index