Components and Challenges of Integrated Cyber Risk Management


Page 1

Components and Challenges of Integrated Cyber Risk Management

Thomas Kosub © Friedrich-Alexander University Erlangen-Nürnberg (FAU)

This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes it to be understood that opinions put forward herein are not necessarily those of the Institute and the Council is not responsible for those opinions.

Page 2

Components and Challenges of Integrated Cyber Risk Management

2015 ASTIN, AFIR/ERM and IACA Colloquia of the International Actuarial Association, Sydney, August 25, 2015

Thomas Kosub, Friedrich-Alexander University Erlangen-Nürnberg (FAU)

Page 3

Kosub “Components and Challenges of Integrated Cyber Risk Management” 2015 ASTIN, AFIR/ERM and IACA Colloquia of the International Actuarial Association, Sydney, August 25, 2015

Introduction

• Cyber crime and IT failures are among the “most underestimated business risks for 2013” (Allianz Risk Pulse)

− Recent cyber events increase attention for cyber risks (e.g. Sony Pictures in 2014)

• First hacker insurance was already offered in 1998, still many CIOs and CTOs lack understanding of cyber risks or do not prioritize cyber security

• Risks can be considerable:

− Data breaches may result in substantial losses (e.g., costs for system recovery, monetary fines due to privacy law violation, reputational losses, etc.)

− Average costs per data set amount to approx. 136 USD (Ponemon Institute, 2013)

− Total costs of cyber crime approx. 550 million USD for 2009 (World Economic Forum, 2012)


Motivation

Page 4


Introduction

• Appropriate cyber risk management is of great relevance and partially required by law (e.g., SOX, German Federal Data Protection Act, etc.)

− Cyber risk management as part of a sound and integrated holistic enterprise risk management (ERM)

• Aim of this paper:

− Identify major determinants of an effective cyber risk management

• Toward this end:

− Comprehensive assessment of the literature and relevant frameworks (ISO/IEC 27000 series)

− Outline the cyber risk management process step by step

− Discuss existing challenges and problems of cyber risk management


Aim of paper

Page 5


Cyber space and cyber risk

• US National Institute of Standards and Technology (NIST) (2013): “Cyber space - a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers”

• Von Solms and van Niekerk (2013)

Selected definitions

[Figure: overlapping areas labelled "Information security", "Cyber security" and "Information and communication technology security", with information security covering "Analog and digital information" and cyber security covering "Things vulnerable through cyber space" (Center for Cyber and Information Security, 2014)]

Page 6


Cyber risk management

The risk management process

[Figure: continuous cycle of the four steps risk identification, risk assessment and valuation, risk response, and risk control]

• Basic risk management with a continuous process of risk management steps

• ISO/IEC 27001:2005 Information Security Management System (Plan, Do, Check, Act cycle)

Page 7


Cyber risk management process

• Define and understand firm’s business model, business objectives and assets; determine relevance of IT for business; agree on level of IT security

− Particularly relevant for Internet-specific firms (Hovav and D’Arcy, 2003)


Risk identification

• Identify all cyber risks by a top-down or bottom-up approach

− Identification of threats, vulnerabilities and consequences (also relevant for insurance underwriting, e.g., Zurich Cyber & Data Protection)

− Possible risk classification in following categories:

• Actions of people (~91%), failed internal processes (~4%), system and technical failure (~4%) and external events (~1%) (Biener, Eling, and Wirfs, 2015)

• Natural risks, technical risks, and deliberate or accidental human acts (Posthumus and von Solms, 2004)

Page 8


Cyber risk management process


Risk assessment and valuation

• Quantify risks (qualitatively or quantitatively) by determining probability of occurrence and estimated impact of cyber risk event (e.g., with a risk matrix)

− Evaluation of tangible and intangible values requires comprehensive knowledge of business data (e.g., web site customer data) (Smith, 2004)

• Aggregate cyber risks in a holistic, company-wide risk management by accounting for interdependencies (correlations) between risks, and determine the relevant risks

− Analysis of intra-firm risk correlations and external (global) risk correlations (Böhme and Kataria, 2006)


Page 9


Cyber risk management process


Risk response

Decide on adequate solutions for

• Risk avoidance

− For example, avoid use of USB flash drives (Gibson, 2010)

• Risk mitigation

− Control objectives and control measures (e.g., ISO/IEC 27001:2013)

• Risk transfer

− Cyber risk insurance advisable for businesses with high internal correlation (otherwise self-insurance) and low global correlation (otherwise insurers demand higher safety loadings and premiums) (Böhme and Kataria, 2006)

• Risk acceptance

− Self-insurance; management has to agree on the resulting risks (ISO/IEC 27001:2005)
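As an added illustration that is not part of Kosub's slides, the Python sketch below walks through the assessment and response steps on a constructed risk register: it rates each risk with a 3x3 risk matrix, aggregates expected loss and loss volatility across risks using pairwise correlations (the accumulation effect mentioned under assessment), and maps each risk to avoidance, mitigation, transfer or acceptance following the Böhme and Kataria rule quoted under risk transfer. The register values, correlation figures, band thresholds and the "mitigate" fallback for high internal and high global correlation are assumptions.

```python
"""Added example: risk matrix, correlated aggregation and response choice."""
import math
from itertools import combinations

# Constructed risk register: annual probability of occurrence and loss impact (USD).
RISKS = {
    "data_breach": {"prob": 0.30, "impact": 2_000_000},
    "usb_malware": {"prob": 0.50, "impact": 200_000},
    "dos_outage":  {"prob": 0.10, "impact": 800_000},
}
# Constructed intra-firm loss correlations between risk pairs (symmetric, 0 if absent).
CORR = {
    ("data_breach", "usb_malware"): 0.6,
    ("data_breach", "dos_outage"): 0.2,
    ("usb_malware", "dos_outage"): 0.1,
}

def matrix_rating(prob, impact, prob_bands=(0.1, 0.4), impact_bands=(250_000, 1_000_000)):
    """3x3 risk matrix: probability band index plus impact band index gives a
    score 0..4, mapped to low / medium / high (band thresholds are assumed)."""
    score = sum(prob > b for b in prob_bands) + sum(impact > b for b in impact_bands)
    return ("low", "low", "medium", "high", "high")[score]

def aggregate(risks, corr):
    """Company-wide view. Each risk is modelled as a Bernoulli loss (full impact
    with probability prob, otherwise 0): expected loss is additive, while the
    standard deviation grows with positive pairwise correlations (accumulation)."""
    expected = sum(r["prob"] * r["impact"] for r in risks.values())
    sd = {k: r["impact"] * math.sqrt(r["prob"] * (1 - r["prob"])) for k, r in risks.items()}
    variance = sum(s * s for s in sd.values())
    for a, b in combinations(risks, 2):
        rho = corr.get((a, b), corr.get((b, a), 0.0))
        variance += 2 * rho * sd[a] * sd[b]
    return expected, math.sqrt(variance)

def response(rating, internal_corr, global_corr, threshold=0.5):
    """Böhme and Kataria (2006) rule as stated on the slide: insurance pays off
    with high internal and low global correlation; low internal correlation
    suggests self-insurance (accept). High/high -> 'mitigate' is our assumption,
    since the slide only says insurers then demand higher loadings."""
    if rating == "low":
        return "accept"
    if internal_corr < threshold:
        return "accept"
    if global_corr < threshold:
        return "transfer"
    return "mitigate"
```

With the constructed register, aggregate(RISKS, CORR) gives an expected annual loss of 780,000 USD with a standard deviation of about 1.05 million USD; setting all correlations to zero leaves the expected loss unchanged but lowers the standard deviation to about 0.95 million USD, which is the accumulation effect the assessment slide refers to.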


Page 10


Cyber risk management process


Risk control

• Monitor and proactively control risks and regularly check adequacy of risk response measures

• Implement regular operational testing of risk exposures and possible vulnerabilities of risk response solutions (e.g., penetration testing, IT audits)

• If risks exceed agreed risk level, report divergences to management or responsible executives


Page 11


Cyber risk management process


Risk culture and risk governance

• Focus on a company-wide risk culture, create risk awareness and provide regular training and instructions on IT security for all employees

− Apply adequate roles and organizational structures (e.g., COBIT 5 framework)

• Apply risk governance and define a business continuity management plan

− Implementation of business continuity management plans, consisting of the continuity of operations plan, disaster recovery plan, vulnerability and incident response plan, and IT contingency plan (Romeike and Hager, 2009)

Page 12


Challenges for cyber risk management

• Continuous change and digitalization of traditional business models

− For example, increased vulnerability of information privacy (e.g., purchase of insurance via online platform)

• Knowledge and data deficits

− Asset valuation in terms of identifying valuable assets

− Identification and estimation of threats as well as possible losses

− Identification of adequate correlations between IT systems (accumulation risks)

− Risk culture is crucial (lack of awareness for cyber risks)


Overview of major challenges

Page 13


Summary

• Cyber risk management is crucial for all businesses, particularly Internet-specific firms

• Risk culture and risk governance are particularly important, as reactions to cyber risk events need to be well prepared

• Firms should apply adequate risk management tools to handle cyber risks, such as risk transfer (via cyber risk insurance) or risk mitigation measures


“There are only two types of companies: those that have been hacked, and those that will be.” (Robert Mueller, Director of the FBI, March 2012)

Page 14


Components and Challenges of Integrated Cyber Risk Management

2015 ASTIN, AFIR/ERM and IACA Colloquia of the International Actuarial Association, Sydney, August 25, 2015

Thomas Kosub, Friedrich-Alexander University Erlangen-Nürnberg (FAU)

Thank you very much for your attention!

Page 15


BACKUP


Page 16


References

Allianz (2013): Allianz Risk Pulse, Focus: Business Risks, http://www.agcs.allianz.com, access 06/18/2013.

Biener, C., Eling, M., and Wirfs, J. H. (2015): Insurability of Cyber Risk: An Empirical Analysis, Geneva Papers on Risk and Insurance, Vol. 40: 131-158.

Böhme, R., and Kataria, G. (2006): Models and Measures for Correlation in Cyber-Insurance, Proc. of Workshop on the Economics of Information Security (WEIS), University of Cambridge, UK, 26. - 28. June 2006.

Center for Cyber and Information Security (2014): Cyber security versus information security, https://ccis.no, access 02/12/2014.

COBIT (2012): COBIT 5. A Business Framework for the Governance and Management of Enterprise IT, http://www.isaca.org, access 07/12/2014.

Gibson, D. (2010): Managing Risk in Information Systems, Jones & Bartlett Learning, Sudbury, MA.

Hovav, A., and D’Arcy, J. (2003): The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms, Risk Management and Insurance Review, Vol. 6(2): 97-121.

National Institute of Standards and Technology (NIST) (2013): Glossary of Key Information Security Terms, http://www.nist.gov, access 07/05/2014.

Ponemon Institute (2013): 2013 Cost of Data Breach Study: Global Analysis, http://www.symantec.com, access 11/04/2013.

Posthumus, S., and von Solms, R. (2004): A Framework for the Governance of Information Security, Computers & Security, Vol. 23: 638-646.

Romeike, F., and Hager, P. (2009): Erfolgsfaktor Risiko-Management 2.0, Gabler Verlag, 2nd Edition, Wiesbaden.

Smith, G.S. (2004): Recognizing and Preparing Loss Estimates from Cyber-Attacks, Information Systems Security, Vol. 12(6): 46–58.

Von Solms, R., and van Niekerk, J. (2013): From Information Security to Cyber Security, Computers & Security, Vol. 38: 97-102.

World Economic Forum (2012): Global Risks 2012, Seventh Edition, Insights Report. http://www.weforum.org, access 07/12/2014.


Page 17


Cyber risk growth

• Ponemon Institute (2013), 2013 Cost of Data Breach Study: organizational costs of a data breach of 5.40 million USD in the US (4.83 million USD in Germany)

• McAfee (2013) estimates costs from global cyber activity between 300 billion up to 1 trillion USD

• Corporate Trust (2012 and 2014) studies show German industrial espionage losses of 4.2 billion Euro (2012) and 11.8 billion Euro (2014), mainly affecting medium-sized businesses


Overview of selected empirical data

Page 18


Cyber risk incidents


Examples

May 2014: Confidential business data is stolen

May 2014: 145 million data sets stolen

July 2014: Customers are referred to an infected web site

August 2014: Private pictures and data are stolen

January 2014: 70 million customer data sets stolen

August 2014: PC infected with spyware

April 2014: Programming error in SSL encryption

“There are only two types of companies: those that have been hacked, and those that will be.” (Robert Mueller, Director of the FBI, March 2012)