(This blog is an interview with Diana Carrera, Risk Modeler and Data Scientist at DeNexus Inc., PhD in Computer Science)
Can you describe one or two projects you are currently working on? What challenges are you addressing?
I am currently involved in projects focused on quantifying cyber risks for various industrial sectors, including airports and data center facilities. Each of these sectors has specific characteristics that influence how they respond to cyber attacks and the damages caused by such incidents, from operational downtime and loss of productivity to human and material damage as well as regulatory penalties. I am working on modeling these specific losses, using data and distributions appropriate for each type of loss and loss event in each industry. Additionally, I am involved in the development of PAMS (Portfolio Accumulation Modeling System) to model the accumulation of losses in a portfolio of risk when several company units are simultaneously affected by a cyber attack. This project is crucial to better serve CISOs, CFOs, board members, executives, and other stakeholders such as insurers and enable them to better understand the cyber risks faced by the entire organization.
How does your work contribute to DeNexus’ goals and the broader field of Cyber Risk Quantification and Management (CRQM)?
My work contributes directly to DeNexus' goals of providing evidence-based quantification and management of cyber risk. By developing models that accurately depict the financial and operational consequences of cyber incidents across various industries, we help companies better understand their vulnerabilities and optimize their cybersecurity investments. This approach not only strengthens the cyber resilience of critical infrastructure companies but also promotes more informed and proactive risk management.
Are there any recent advancements in AI that have significantly impacted your work? How do you incorporate these into your projects?
Advancements in machine learning and simulation techniques have been crucial for overcoming data scarcity challenges in the cyber sector. I use these innovations to create more robust and predictive models to simulate cyber attack scenarios and estimate potential losses more accurately. These AI tools allow us to integrate and analyze large volumes of heterogeneous data and make predictions with high fidelity, which is essential for developing effective risk mitigation strategies.
What does a typical day look like for you at the company? How do you split your time between research, development, and collaboration?
My days at DeNexus are quite dynamic and vary significantly depending on the project phase I am in. Early in the morning, I organize my day and set priorities, as it's impossible to tackle all tasks in a single day. In the initial stages of a project, like the one I'm currently in, my focus is on studying and analyzing independently, which involves delving deep into the subject matter and understanding every detail. During this phase, I spend a lot of time interacting with DeNexus’ Cyber Security experts (SMEs) who help me grasp all relevant aspects of the project. This process requires both intense individual work and numerous meetings to ensure that all concepts are clear.
As the project progresses and problems and solutions are more clearly defined, the number of meetings increases. It's time to coordinate more closely with engineers and the rest of the team to explain development and next steps. Also, one must always be prepared to address issues from previous projects that require unexpected attention, which can make the days quite hectic.
Working remotely definitely has advantages, such as the flexibility to organize my work environment, which makes the days more pleasant and productive. Being able to take short breaks or switch activities when needed helps keep my mind fresh, especially on less productive days or when I feel mental fatigue. This work style not only facilitates time and task management but also makes the work experience more rewarding and personally suited to my pace and lifestyle.
Where do you see the field of CRQM going in the next five years? What role do you hope to play in shaping that future?
In the next five years, I see CRQM evolving towards deeper integration with artificial intelligence to manage risks in real time and with greater precision. I hope to lead efforts to develop models that not only predict risks but also recommend proactive actions to mitigate them before they occur. My goal is to contribute to a shift towards more dynamic and adaptive risk management that better protects companies against emerging cyber threats.