Graph Briefly Explained: This graph models the probability of exceeding a cyber insurance limit. Three types of events (perils) are considered: data breach, business email compromise, and ransomware. The total risk line aggregates the likelihoods and impacts together.
“It is utterly implausible that a mathematical formula should make the future known to us, and those who think it can would once have believed in witchcraft.” – Jacob Bernoulli
Who This Article Is For
This is the second short article in a series on managing cybersecurity risk – with a quantitative bent (the first article in the series was published in Dec. 2021). This particular article is for security leaders. It’s the first step in a peril-based approach to building out your cybersecurity risk management program. Insurance professionals may also find this topic of interest.
Insurance Thinking For Security Practitioners
Cyber insurance’s main job is reducing the impact of loss. Security’s main job is reducing the likelihood of loss.1 When security and insurance work together, they help keep loss within tolerance (i.e., risk tolerance).
Unfortunately, security leaders are regularly cut off from insurance discussions – this is a huge lost opportunity for security. We need to change that. There is a gap between what insurance covers and the losses the business will tolerate. Security can fill that gap. Formally, we would say that security keeps risk within tolerance. Bridging the “tolerance gap” becomes a defensible approach to funding a security program.
The business leaders (CFO, GCs, etc.) responsible for buying insurance want higher limits on low-cost policies. Who wouldn’t want to transfer most, if not all, of their risk away? Business leaders want limits to look more like this:
Figure 1.2
The likelihood of loss hasn’t changed. What has changed is the limit on coverage. The irony is that a lack of security will prevent the business from getting their desired limits. Weak security also keeps the cost of insurance high and threatens renewals.
In a hardened cyber insurance market, security and insurance MUST work together.2 Before your business leaders can get a desirable limit, you need to control for losses. That means security controls must adjust the likelihood of loss downward. The ideal likelihoods would look more like this:
Figure 1.3
As you can see above, the likelihood of exceeding $5 million in three years is now 9% instead of 25%. Those likelihoods could lead to a better policy with larger limits. A new limit with better controls might look something like this:
Figure 1.4
A 3% chance of losing $20 million with a negligible chance of exceeding $40 million – this is the result of insurance and security working together.2 This figure is likely much closer to business stakeholder tolerances. What about the likelihood of exceeding $5 million? It’s now around ~8%, well within the bounds of the current limit.
Next, let’s discuss the intersection of perils, losses, and impacts. Understanding these concerns is key to optimizing spend on controls. Ultimately, we want to invest in cost-effective controls that reduce the chance of impacts exceeding risk tolerance.
Perils, Losses, and Impacts
Figure 1.53
A peril is a bad event that can contribute to loss. For example, fires and explosions are perils that contribute to property loss. In our context, ransomware and data breach are perils that contribute to data loss. A peril can have many losses. A loss can have many perils. It’s a many-to-many relationship.
Impact values the relationship between perils and losses. Insurance codifies impact as dollars. Us security folks rarely codify impact as a dollar value, but we should. It’s how business people (especially insurance) think about absolutely everything.
Business stakeholders and board members are aware of perils. They read the news. They ask about the latest headlines. However, they likely don’t have detailed knowledge about the interrelated nature of perils. For example, many (not all) perils have email as a key delivery mechanism. Stakeholders may not know that losses are also interrelated. Ransomware and data breach can both impact data loss.
Insurance policies are generally written around perils and their losses. The limits for losses may differ based on the perils that cause them. Limits may also have sub-limits based on the strength (or lack thereof) of security controls.
Security’s job is to invest in controls that reduce the most impact, across the most perils, with the least cost. For example, a security team could consider asking what is the most cost-effective way to go from figure 1.6a to figure 1.6b?
Figure 1.6a (Before Controls) and Figure 1.6b (After Controls)
Answering questions like this lie at the heart of security optimization. It requires unpacking how we get impacts and likelihoods.
In the next section, we cover how to develop impacts and likelihoods. For now, we can only touch on this at a high level. Future articles in this series will dive into these topics in much more depth.
Preview To Developing Impacts and Likelihoods
In the first article in this series, I stated that impacts take on a range of possibilities. Those possibilities are informed by perils and losses (figure 1.5).
Suppose your focus is on a data breach peril with privacy loss. Based on the size and regulatory nature of the data at risk we can develop a range of impacts. After all, you likely know something about the nature and volume of the data your company processes. This is job #1 for security professionals.
What you are likely uncertain about is the impact of breach. Part of our job in measurement (as discussed in the previous post) is measuring our uncertainty. That means putting a reasonable range on impacts, a range that reflects our uncertainty. It also means putting more weight on impacts that are most plausible. To do this we consider both industry data as well as expert inputs.
If the empirical data is limited (and it often is) then we become more reliant on experts for our ranges. Suffice it to say, not all experts are created equal. We have methods for cultivating and scoring experts – turning them effectively into security bookies. Through following our methods they become consistent and discriminating when making risk forecasts. This is covered in depth in our first book.4
What you see below is an example impact model. The values under the highest portion of the shape are most plausible. Those values tend to get selected most often when we run our quantitative models.
Figure 1.7
Developing loss likelihoods is more complicated than impact rages. We still use industry data and expert inputs, but the reliance on experts is much greater. The method we use is a form of quantitative collective intelligence. It’s a method for meshing together a large set of expert forecasts. It’s a big topic. It will get its own article.
It’s here that I will point you back to the quote at the beginning of this article. Even if we had overwhelming empirical data about loss events and their impacts, we are not engaged in predicting the future. That’s what astrology is for. We are making decisions under uncertainty.
Empirical data and quantified beliefs are the measures that drive decisions. Ultimately, we are making decisions about what to insure and how much. We are also making decisions about what to mitigate and by how much. This is part decision psychology and part decision science, with ample use of predictive analytics.
What’s Next
In this article, I gave brief treatment to important topics like impacts, likelihoods, and expert elicitation. You can expect whole articles on these topics. For a broader list of forthcoming topics, please refer to the first article in this series.
If this subject interests you, and you would like to learn more, feel free to reach out to me directly at richardseiersen@
|
About the Author
Richard Seiersen
Chief Risk Officer
Richard Seiersen is the Chief Risk Officer at Resilience. Prior to joining Resilience in 2021, Seiersen was the co-founder and president of Soluble – a cloud security company sold to Lacework in October 2021. He was previously the Chief Information Security Officer of Twilio, GE Healthcare, and Lending Club. He’s also the co-author of “How To Measure Anything In Cybersecurity Risk” (July 2016) and author of “The Metrics Manifesto: Confronting Security with Data” (March 2022).
Sources:
1Security also reduces impact, but leads with likelihood reduction.
2 Mitigation Takes Center Stage in Hardening Cyber Market (Insurance Journal 2021)
3 BEC stands for Business Email Compromise
4How To Measure Anything In Cybersecurity Risk (Wiley 2016)
