Cyber security is a relatively new subject in business management. It first emerged in the 80s with password guessing, featured in movies like WarGames with the rudimentary attack sophistication of those times. But should you listen to your insurer for your business cyber risk management?
The sophistication of attacks increased gradually. By the end of 2000, elaborate attack tools such as the Stuxnet worm, which could only have been produced by cooperating military forces, had appeared. To date no state has officially claimed ownership; however, anonymous US officials speaking to the Washington Post stated that the worm was developed during the Obama administration to sabotage Iran's nuclear program.
Insurers are of course also facing challenges in insuring businesses against cyber threats. They have realized that, from an actuarial point of view, they face significant challenges in accessing accurate and relevant data.
What an epiphany! Looking only in the rear-view mirror while driving is indeed going to complicate the steering of the vehicle! Now, insurers have always worked like that, i.e. using past data (statistics) to evaluate their business opportunities. They have already had their share of misery from climate change and other events. Incidentally, we discussed this in various posts, including one on Force Majeure and insurance denial.
The fast-track evolution of cyber threats is typically an arena where relying on actuarial data and statistics can only go wrong. It will expose everyone, including the insurers, to enormous overexposures.
Unfortunately, insurers have asked hazard specialists (IT people) for help in solving their conundrum, a mistake we oftentimes see occurring in various business spaces.
We can therefore read statements such as "...by measuring defenses rather than incidents using big data, a measurement process evolves that provides real data for risk analysis..."
Obviously. IT people want to measure what they know (and I am not even going to delve into the potential conflict of interest, since they may also sell the installations, etc.), but they often confuse hazards with risks. By managing hazards instead of risks they end up being ineffective or inefficient, i.e. squandering money, not getting results, or leading to insurance denial, as happens in other areas of industry.
Broad-spectrum defense investments, and in particular poorly prioritized ones, are generally neither effective nor efficient. As Art Gilliland, senior vice president and general manager for Hewlett-Packard's enterprise security software products, reportedly said, businesses and government agencies often focus on the next "silver bullet" product, unaware that most cyber security problems stem from flawed procedures and human error.
So, what lies beyond the ubiquitous checklists and empty generic advice offered by government agencies and other IT actors?
Below are a few pointers we have gathered by performing cyber risk assessments up to national scale, in both the civilian and military arenas.
and how they contribute to its functionality and defense, and not the other way around, is fundamental to ensuring robustness and resilience. This should of course include long-chain cascading events and strategic interdependencies.
to then understand and locate potentially exposed digital assets within the system. Quantify the chances of success/failure and the potential consequences, including what-if scenarios.
In reality they say so because they fail to ask the right questions to the right people. In addition, they have not developed the right methodologies.
We hope you do not mind if we close this blog post with a few quotes from a very famous "heretic" of the Renaissance, Galileo Galilei, which fit the theme of this post very well.
By the way, Galileo Galilei was the man who spent the rest of his life under house arrest after the Inquisition forced him to recant his astronomical theory placing the Sun (and not the Earth) at the centre of the system. While in detention, to keep busy during winter, he laid the foundations of two sciences known today as kinematics and strength of materials.
Here we go with the quotes, which could have been written yesterday!
In questions of science, the authority of a thousand is not worth the humble reasoning of a single individual.
By denying scientific principles, one may maintain any paradox.