what do we know what can we
play

What do we know? What can we measure? Martin Eling OECD Expert - PowerPoint PPT Presentation

Apr 05, 2024 •438 likes •579 views

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and

  1. Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

  2. Management Summary • Research Approach:  Overview of the main research topics in the fields of cyber risk and cyber risk insurance (based on a dataset of 211 papers)  We also illustrate future research directions (from a practical and academic point of view) • Results:  Significant difficulties in insuring cyber risk, especially due to a lack of data and modelling approaches, the risk of change and risk accumulation  We also discuss various ways to overcome these insurability limitations (mandatory reporting requirements, pooling of data, public – private partnerships) Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 2

  3. Motivating Example: p2.gg/fup • How likely do you consider a several days lasting internet failure throughout Switzerland over the next five years? 0% 20% 40% 60% 80% 100% A few benchmarks for Switzerland: - Cyber insurance experts: 42% Board members of SME’s : 38% - Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 3

  4. Research Approach: Three clusters and ten key questions Summary of Existing Knowledge on Cyber Risk and Cyber Insurance 1. What is cyber risk? Definition and categorisation 2. What are the costs and detrimental effects caused by cyber risk? The good news  3. Where do we find data on cyber risk? The bad news  4. How can we model cyber risks? 5. Micro perspective: How should cyber risk management be organised? 6. Macro perspective: Is cyber risk a threat to the global economy and society? 7. Cyber insurance market: What is the status quo and what are the insurability challenges? The consequences Derivation of Potential Future Research Derivation of Potential Future Work (Academic Perspective) (Practical Perspective) 10.What are future research directions in the 8. What should the insurance industry do to area of cyber risk and cyber insurance? prevent cyber risks and to support cyber insurance? 9. What should the government do to prevent cyber risks and to support cyber insurance? Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 4

  5. Any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services What is cyber risk? Causes Operational Information and Extreme technology (OT) Risk of communication events Change technology (ICT) • Natural • Business disasters interruption Cyber Risk • Criminality • Infrastructure • Compromise of Characteristics breakdown • War • Confidentiality • Physical • Terrorism • Availability damage to Data • Accidental • Integrity Modelling humans and Uncertainty uncertainty properties Interdependencies Source: Advisen Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 5

  6. High costs and manifold detrimental effects of cyber risk … on companies …113 b USD (stock prices, ratings) (Symantec, 2013) …445 b USD … on individuals (McAfee, 2014) (erosion of privacy) … up to 1’000 b USD … on economic growth (Kshetri, 2010) (costs and benefits of ICT) …estimates vary substantially … major part of the and might be biased effects are indirect (Anderson et al., 2013) (reputational, loss of trust, …) Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 6

  7. The good news Where do we find data on cyber risk? Hackmageddon: Cyber Attacks Timeline Ponemon: Cost of Data Breach Studies NetDiligence: Cyber Claims Aggregated Data McAfee: Global Cost of Cybercrime SAS OpRisk Data (Biener, Eling, Wirfs, 2015) Raw Data DataLossDB (Risk Based Security) Chronology of Data Breaches (PRC) Honeynet (Honeynet.org) Internet Storm Center (ISC, SANS Institute) Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 7

  8. The bad news How can we model cyber risks? • Extreme value theory / peaks over threshold approach; use of heavy tail distributions (e.g. log-normal/GPD for severity, negative binomial for frequency) Eling & Schnell (2016) • Eling & Wirfs (2016) Problem: Non-diversification trap for heavy-tailed risks (Ibragimov et al., 2009) • Another problem: Nonlinear Global correlation Böhme and Kataria (2006) dependence for aggregation of Internal correlation Low High cyber risk (typically applying High Insider Attack Virus copulas). Hardware Low Phishing Failure Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 8

  9. The conse- quences Cyber Insurance – Status Quo and Insurability • Market is very small (U.S. vs. rest of world) The main insurability problems are • Lack of data • • Lack of modelling approaches Conventional policies (property and liability) are • Risk of change frequently silent on whether cyber losses are • Accumulation risk covered (the bigger problem today) • Potential moral hazard problems • Insurability of cyber risks:  “Cyber risk of daily life”: Not too big to insure; within-industry collaboration useful (e.g. pooling of data)  “Extreme Scenarios”: Difficult to insure; integration of the government (e.g. backstop for cat risk) Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 9

  10. The conse- quences Cyber Insurance – Status Quo and Insurability The development of a more reliable and comprehensive data set on digital Local Global security incidents and digital risk management practice would likely require: • (i) consensus on typology and taxonomy; • (ii) a trusted public-private digital security incident repository; • (iii) incentives (e.g., mandatory notification requirements) to promote reporting of incidents and data sharing by organizations. Mandatory? - + • • Awareness Direct costs • • Representativeness Indirect costs (loss of trust) Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 10

  11. Cyber Insurance – Outlook / Future Research Micro perspective Macro perspective • Demand side research (e.g. risk perception, • More scenarios analyses for measurement fatalism) and management of accumulation risk • Track technology and improve own IT; revise • Potential systemic risk from cyber risk existing policies and develop new ones underwriting • Optimal risk management and regulation • Become part of the global dialogue with (e.g. modelling; how much capital is needed stakeholders (pooling, common vocabulary,…) to cover cyber risks?) Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 11

  12. Thanks a lot for your attention! … Questions? Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd Quarter 2016] All time high record

921 views • 59 slides
Investor Presentation August 12, 2019 Safe Harbour Disclosure: Forward-looking Information 2

Investor Presentation August 12, 2019 Safe Harbour Disclosure: Forward-looking Information 2

Investor Presentation August 12, 2019 Safe Harbour Disclosure: Forward-looking Information 2 Leading Canadian Media and Content Company Great portfolio of assets Leader in Canadian broadcasting Powerful brands and content Valuable

338 views • 21 slides
Roadmap Presentation Ruth Wells Head of Engineering Introduction Recent Achievements

Roadmap Presentation Ruth Wells Head of Engineering Introduction Recent Achievements

Roadmap Presentation Ruth Wells Head of Engineering Introduction Recent Achievements Plans for 2013 Mobile Shibboleth Federations Fine Grained Access Control COUNTER 4 Discussion Relating to 2014 Recent

658 views • 46 slides
NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana Medkov Martin Husk, Martin Draar Introduction optimal strategy to defend network infrastructure no standard for benchmarking Network Defence

574 views • 18 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

846 views • 13 slides
Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik Kinkel Jon Osborne Korbin Stich http://may1601.sd.ece.iastate.edu Client : Alliant Energy Advisor : Dr. Doug Jacobson April 28, 2016 May1601 ICS

384 views • 15 slides
NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2. SBIR 3. Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap Introduction Pieter Jansen - CEO @ Cybersprint -

859 views • 42 slides
Towards malware inspired management frameworks J er ome Fran cois, Radu State and

Towards malware inspired management frameworks J er ome Fran cois, Radu State and

April, 8 2008 http://madynes.loria.fr/ Towards malware inspired management frameworks J er ome Fran cois, Radu State and Olivier Festor Introduction Malware for management Models Results Conclusion Outline 1 Introduction 2

513 views • 34 slides
@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining

@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining

@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining the root of fear and its effects Fear-based architecture and antipatterns Fear leads to anger, anger leads to hatred. Fearless security

765 views • 40 slides
UKinbound and working with the Travel Trade Andrew Macnair Business Development Manager,

UKinbound and working with the Travel Trade Andrew Macnair Business Development Manager,

UKinbound and working with the Travel Trade Andrew Macnair Business Development Manager, Scotland What we will cover today Who UKinbound is and what we do What do we mean by Travel Trade and why is it important ? Scotland from the

381 views • 19 slides
Timeless Testing Skills for Modern Testers Presented by: Gerie

Timeless Testing Skills for Modern Testers Presented by: Gerie

W8 Personal Development 2019-05-01 13:30 Timeless Testing Skills for Modern Testers Presented by: Gerie Owen , Technology Strategy Research Peter Varhol, Exoprise

712 views • 24 slides
Northern Farming Conference 13 th November 2013 Rob Sanderson: Head of Central Store Development

Northern Farming Conference 13 th November 2013 Rob Sanderson: Head of Central Store Development

Northern Farming Conference 13 th November 2013 Rob Sanderson: Head of Central Store Development About Us Openfield markets 4.5m tonnes of grain per annum. This is 20% of UK grain market. This activity generates over 70% of our income.

589 views • 22 slides
Strategic Plan for Tourism 2016-2021 Stage 1 - Situation Analysis June 2016 Prepared for

Strategic Plan for Tourism 2016-2021 Stage 1 - Situation Analysis June 2016 Prepared for

Prince Edward Island Strategic Plan for Tourism 2016-2021 Stage 1 - Situation Analysis June 2016 Prepared for Contents Objectives Methodology Market Research Emerging Trends in North American Tourism Market External Trade

619 views • 39 slides
Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community

Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community

Automatic Ontology-Based Document Annotation for Arabic Information Retrieval Ashraf I. Kaloub Rebhi S. Baraka Alaqsa-Community College Faculty of Information Technology Khan Younis, Gaza Strip Islamic University of Gaza 1 The 3rd Palestinian

536 views • 31 slides
Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs

Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs

Hayes Park School Welcome to our Nursery! 07/06/2017 2 The Nursery Team Mrs Lorraine Rafferty Mrs Carly Skippins Ms Sarah Blakey Mrs Penny Woodman Nursery Nurse Nursery Nurse

477 views • 24 slides
Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts & Sciences Ubani A Balogun & Justin Klein Keane Security Intelligence HECTOR was developed out of a desire to leverage security

751 views • 25 slides
Do voluntary codes work? Whale-watching on the west coast August 2018 Hebridean Whale &

Do voluntary codes work? Whale-watching on the west coast August 2018 Hebridean Whale &

Do voluntary codes work? Whale-watching on the west coast August 2018 Hebridean Whale & Dolphin Trust 16 continuous years of boat-based survey effort 120,000 km surveyed 30,000 animals recorded Contributed to the identification and

413 views • 12 slides
Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

674 views • 53 slides
Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

IBWAS 2010 From Risk Awareness to Security Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December 2010 About me Senior Information Security Consultant / Auditor University Professor: Security,

447 views • 23 slides
CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running

CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running

CLOUD VENDORS CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running startup Doing cloud since 2009 2 cloud-based products JFrog Bintray JFrog Artifactory Cloud THE JFROG EXPERIENCE

406 views • 26 slides
WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this

WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this

WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this presentation provides you with some understanding of who we are and why were able to keep our clients so happy. While 2020 is off to a tumultuous

515 views • 20 slides

More recommend