Prior to DeNexus, as a CEO at renewable energy companies, I used OT asset inventory and risk assessment tools, and cyber risk scores to understand the risk posture of my organization. This was state-of-the-art back then. It was better than nothing but insufficient to drive meaningful, ROI-based decisions on cyber risk management and cybersecurity investments, capital management, and cyber insurance. 

This is when early Cyber Risk Quantification (CRQ) platforms emerged, relying on company-level data (firmographics) and Excel spreadsheets for basic modeling. They provided an outside view of cyber risk using macro-level information but no inside data specific to the organization beyond revenue and industry. This represented Generation 1 of CRQ with a one-size-fits-all approach, no industry-specific modeling, and focused on IT cyber risks.   

This is when DeNexus and others began to explore the use of inside data. We also made the decision at DeNexus to focus on industrial companies with OT/ICS environments, what is now sometimes referred to as Cyber-Physical Systems (CPS). It was an obvious decision given my background in energy, and it addressed a totally underserved need.

Through this decision, we also initiated our path toward developing industry-specific calculations of cyber loss for other sectors.  That represented Generation 2 of CRQ.    

Many of us trying to get to better solutions for cyber risk management came to realize that CRQ is only the tip of the iceberg. CRQ alone is not the solution. It is not even a product. CRQ is only a feature, though a key one that provides the foundation for several strategic use cases.

This is why we continued to develop our platform, DeRISK™, and added a Risk Management component and a Risk Mitigation Project Simulation engine, while also rebranding the space as Cyber Risk Quantification and Management (CRQM), a term that is now more broadly adopted.

We kept adding important features to DeRISK to help clients uncover and qualify hidden parts of cyber risk in industrial environments. We enabled more inside telemetry and outside data to get a continuous flow of cybersecurity data. We now have integrations with key cybersecurity vendors like Claroty, Tenable, Nozomi, and Forescout and are adding more based on customers' environments.

All along, we explored the intensive use of ML and AI to process more data in an intelligent, productive way. This is why, in 2024, we joined the NVIDIA Inception program, seeking efficient access to more computing resources. For reference, DeRISK runs 50 million simulations each week on each customer's site. This adds up to trillions of calculations in our data lake.

And this is how the 3rd generation of cyber risk quantification and management was born! 

AI is opening the path to even more use cases:  

  • Mapping Vulnerabilities in Attack Paths to Attack Tactics and Techniques using Inside Telemetry 
  • Automating the identification of Cybersecurity Controls for presence and level of maturity 
  • Assessing an organization's attractiveness to cyber attacks 
  • Analytics and insights to inform and simplify incident disclosure 
  • Use of Large Language Model (LLM) querying to rapidly answer risk management questions such as:   

“Give me the vulnerabilities with $1M loss potential at our international facilities” 
“Give me the best 5 controls with $1M CAPEX budget, $100k yearly expenses, and <6 months deployment. Show risk reduction, return on investments, and peers' comparison. Show the residual Value at Risk, and capital needs considering our insurance program.” 
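To make concrete what answering the second question involves, here is an added example of a minimal Monte Carlo cyber-loss model. It is not DeNexus code and says nothing about how DeRISK is built; the two loss scenarios, the control's effect (a 50% cut in ransomware event frequency), the CAPEX and OPEX figures, and the insurance terms (deductible and limit) are all constructed for illustration. It produces the quantities the query asks for: baseline and residual Value at Risk, the ROI of the control over a three-year horizon, and the capital still retained by the business in a 1-in-20 year after the insurance program responds.

```python
# Added example (not DeNexus code): a minimal Monte Carlo cyber-loss model that
# answers the kind of question quoted above -- baseline vs. residual Value at Risk,
# ROI of a control, and capital retained after an insurance program.
# All scenario parameters, control effects and policy terms below are constructed.
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (Poisson rate)
    median_loss: float       # USD, median of a lognormal severity
    sigma: float             # lognormal spread of the severity


# Constructed scenarios for a hypothetical industrial site.
SCENARIOS = [
    Scenario("ransomware_ot_outage", 0.3, 2_000_000, 1.0),
    Scenario("phishing_fraud", 2.0, 50_000, 0.8),
]


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=10_000, seed=7, freq_reduction=None):
    """Return one total loss per simulated year.

    freq_reduction maps a scenario name to the fraction of its event frequency
    removed by a control, e.g. {"ransomware_ot_outage": 0.5}."""
    rng = random.Random(seed)
    freq_reduction = freq_reduction or {}
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            rate = s.annual_frequency * (1 - freq_reduction.get(s.name, 0.0))
            for _ in range(poisson(rate, rng)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        totals.append(total)
    return totals


def value_at_risk(losses, quantile=0.95):
    """Empirical VaR: the loss not exceeded in `quantile` of the simulated years."""
    ordered = sorted(losses)
    idx = max(0, math.ceil(quantile * len(ordered)) - 1)
    return ordered[idx]


def retained_loss(gross, deductible, limit):
    """Loss left with the insured after the deductible and the policy limit apply."""
    insurer_pays = min(limit, max(0.0, gross - deductible))
    return gross - insurer_pays


def control_roi(baseline_eal, residual_eal, capex, opex_per_year, years):
    """(avoided loss - cost) / cost over the horizon; > 0 means the control pays for itself."""
    avoided = (baseline_eal - residual_eal) * years
    cost = capex + opex_per_year * years
    return (avoided - cost) / cost


def evaluate_control(control, capex, opex_per_year, years=3,
                     deductible=250_000, limit=5_000_000):
    """Compare a site with and without the control; EAL = expected annual loss."""
    baseline = simulate_annual_losses(SCENARIOS)
    residual = simulate_annual_losses(SCENARIOS, freq_reduction=control)
    baseline_eal = sum(baseline) / len(baseline)
    residual_eal = sum(residual) / len(residual)
    residual_var = value_at_risk(residual)
    return {
        "baseline_eal": baseline_eal,
        "residual_eal": residual_eal,
        "baseline_var95": value_at_risk(baseline),
        "residual_var95": residual_var,
        "roi": control_roi(baseline_eal, residual_eal, capex, opex_per_year, years),
        # capital the business must still fund in a 1-in-20 year after insurance
        "retained_var95": retained_loss(residual_var, deductible, limit),
    }


if __name__ == "__main__":
    result = evaluate_control({"ransomware_ot_outage": 0.5},
                              capex=1_000_000, opex_per_year=100_000)
    for key, value in result.items():
        print(f"{key:>16}: {value:,.2f}")
```

The point of the structure is that the ranking of controls in the quoted query follows from running `evaluate_control` once per candidate and sorting by ROI, while the "capital needs" figure is the retained VaR rather than the gross one: the insurance program's deductible and limit decide how much of a bad year stays on the balance sheet. A production model would replace the two constructed scenarios with telemetry-derived frequencies and calibrated severity distributions, but the arithmetic is the same.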

The DeNexus R&D team is working on more use of ML and AI to solve the most difficult problems related to cyber risk management. Our team of AI experts collaborates with research labs at universities to push the boundaries of what we deliver today with DeRISK.  
We are also grateful for our pool of active customers, who always bring us interesting questions that we try to answer with evidence-based, data-driven solutions.

Reaching a 3rd generation approach to CRQM satisfies the 5 Ds criteria for achieving a balanced approach among protection, business needs, and cybersecurity investments. We call it Cyber Resource Planning, which includes Cyber Risk Assessment and Quantification, ROI-driven Cyber Risk Mitigation, and efficient, cost-effective Cyber Risk Transfer.

