Cyber Risk Quantification and the Data Conundrum

Critical infrastructure, energy systems and the economy have all become bound to information technology and risk modeling.

 

It is simply a reality that focused analytics, and the risk quantification that emerges from them, are now a cornerstone of society. However, when an antagonist emerges that threatens the fluidity and reliability of risk quantification, it gets expensive. Very expensive.

The need for cyber risk quantification

Cyberthreats and the cybersecurity industry have grown rapidly hand in hand, especially within the IoT and industrial sectors. When you consider that the entire industrial world is dependent on information technology and operational technology solutions, it is not hard to understand why. Ransomware targeting critical infrastructure, covert spyware, or network failures caused by human error all have a serious impact on an industrial enterprise’s bottom line over various time horizons. This is the definition of cyber risk, and defending against it is big business. But what good is a defense without knowledge of the risk event’s impact? Do we know how cyber risks will affect our operation? How much risk exposure is our business holding at any one time? These questions have not been addressed properly by technology.


If you can’t stop it, manage it

Quantifying cyber risk is hard. Cyber risk is dynamic and volatile and, unlike other sources of risk, it is subject to human factors such as motive. Without understanding cyber risk in terms of probabilities and financial terms, no organization can truly mitigate the impact that emerging cyberthreats can have on its bottom line, on its employees and shareholders, or even in relation to regional laws. Therefore, true cyber risk quantification with real-time, evidence-based data is needed. Just as information technology and risk modeling have armed the economy with new measures of efficiency, they should also be used to manage cyber risk.

A lot of data, but not a lot of answers

Many companies invest large amounts of capital in building proprietary databases with information from cyber incidents and reported losses. These databases ingest inputs from network monitoring technology and cybersecurity solutions that identify protections, measure asset vulnerabilities, and produce digital images (or virtual topology) of networks, etc.

Combining information about the likelihood of successful attacks with information about their impact is the most common approach to addressing risk. Regretfully, most technologies available today are not doing a great job of providing stakeholders with what they need. This is what we work on at DeNexus. With statistical methods we can build models that help to describe the problem under study, such as cyber risk. The questions we work to answer every day in various forms can be distilled into the following two:

  • What data is needed to produce a reliable cyber risk model?
  • Do we have enough empirical data to estimate a reliable model that provides the full loss distribution for a company?

These questions are particularly relevant in cyber risk modeling because of the lack of complete, historical empirical data on cyber-attacks. To estimate a predictive model of the frequency or likelihood of successful attacks, one needs both the inputs and the output:

  • Inputs: organization characteristics, threat intelligence, etc.
  • Output: the final result of the attack

This information is scarce. In industrial organizations, the issue is aggravated by a lack of metadata about events, particularly about the company's security at the time of the incident. Corporations are not compelled to explain how the incident occurred or how much money was lost as a result of it. They might even be required by law or regulations not to make that information public.

Ask the experts - Experience is also a data source

Despite the rise of Big Data, there still is not enough relevant historical data for cyber risk modeling. So how can we solve that problem? We can use a different data source: data in the form of experience, with which we can seed the models until enough evidence-based data is available. Expert elicitation is the technique that allows the use of expert judgment, a common practice in risk modeling.

Elicitation is a broad field that refers to asking experts for specific information (facts, data, sources, requirements, and so on) or for expert opinions on a variety of topics (preferences, utilities, probabilities, estimates, etc.). Expertise enables an expert to evaluate, analyze, and/or synthesize their knowledge in order to make a judgment[1]. It is often used to aid analysis and decision-making in various fields. For example, the intelligence community has developed judgment-support tools to assist intelligence analysts in this type of assessment. These methods for conducting structured analysis, or “structured analytic techniques”[2]

As you can tell, elicitation is nothing new. There are many documented use cases. The key question is: what is the best approach to modeling expert elicitation data? A successful elicitation method that allows for Bayesian updating of unknown parameters must permit non-statisticians to contribute their expert judgments and must reduce the required elicitation workload to a manageable level. Bayesian decision theory provides a coherent approach to decision making under uncertainty[3]. This methodology is the one adopted by DeNexus.

Combining expert knowledge with innovative analytics

The DeNexus approach to modeling cyber risk combines the best of both worlds: expert knowledge and empirical data. The models are seeded essentially by eliciting probability distributions that represent the uncertainty about each unknown parameter, and the same models are prepared to receive empirical data and update our knowledge in a simple and continuous way. As a starting point, DeNexus exploits the knowledge available from cybersecurity experts to support cyber risk management by treating the elicited information as data points.
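As an added illustration of seeding a model with elicited distributions and then updating it with evidence (not DeNexus's proprietary model), the sketch below turns an expert's judgment into a prior on attack frequency, updates it with observed incidents, and simulates the annual loss distribution. The Gamma-Poisson and lognormal choices, the function names, and all input figures are assumptions constructed for this example.

```python
import math
import random

Z90 = 1.6449  # standard normal z-score bounding a central 90% interval

def gamma_from_expert(mean, sd):
    """Moment-match a Gamma(shape, rate) prior to an expert's estimate of
    successful attacks per year (mean) and their uncertainty (sd)."""
    return (mean / sd) ** 2, mean / sd ** 2

def update_frequency(prior, incidents, years):
    """Conjugate Gamma-Poisson update with observed incident counts."""
    shape, rate = prior
    return shape + incidents, rate + years

def lognormal_from_interval(low, high):
    """Lognormal severity whose 5th/95th percentiles match the expert's range."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def annual_loss_quantiles(freq, sev, trials=20000, seed=7):
    """Monte Carlo annual loss distribution, returned as (p50, p95, p99)."""
    rng = random.Random(seed)
    shape, rate = freq
    mu, sigma = sev
    losses = []
    for _ in range(trials):
        lam = rng.gammavariate(shape, 1 / rate)  # carries parameter uncertainty
        n = poisson(rng, lam)                    # successful attacks this year
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()
    return tuple(losses[int(q * (trials - 1))] for q in (0.50, 0.95, 0.99))

# Constructed inputs, not real data: the expert expects 0.5 +/- 0.25 successful
# attacks per year and a loss per event between 50k and 2M (90% interval).
prior = gamma_from_expert(mean=0.5, sd=0.25)
posterior = update_frequency(prior, incidents=3, years=4)  # evidence arrives
severity = lognormal_from_interval(low=50_000, high=2_000_000)

if __name__ == "__main__":
    print("posterior (shape, rate):", posterior)
    print("annual loss p50/p95/p99:", annual_loss_quantiles(posterior, severity))
```

With these inputs the median year carries no loss while the upper percentiles are large, which is why a full loss distribution says more than a single expected value.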

The DeNexus elicitation methodology is based on an extensive and comprehensive elicitation process followed by a rigorous data analysis using the Bayesian paradigm to model the data coming from experts. In simple terms, at DeNexus we are expediting the historical aggregation of data that the cyber risk ‘market’ does not provide, due to its timely and dynamic nature, by combining disparate quantitative data sources with the qualitative expert data provided by each end user. The result is an automated learning platform that values cyber risk exposure against cyber risk mitigation activities for the board and insurance agencies.

In future blogs we will go deeper into our proprietary modeling system. Download the DeRisk Platform Overview eBook to learn more about how DeNexus is solving the Data Conundrum.


[1] (European Food Security Authority, 2014)

[2] (SATs; CIA, 2009; Heuer and Pherson, 2014).

[3] (see for example, French, 2011; Albert et al., 2012; Hartley and French, 2018, for a review on the subject)