Insurance Thinking Meets The Security Practitioner

by | Jan 24, 2022

Graph Briefly Explained: This graph models the probability of exceeding a cyber insurance limit. Three types of events (perils) are considered: data breach, business email compromise, and ransomware. The total risk line aggregates the likelihoods and impacts together.

 

It is utterly implausible that a mathematical formula should make the future known to us, and those who think it can would once have believed in witchcraft.”  – Jacob Bernoulli



Who This Article Is For

This is the second short article in a series on managing cybersecurity risk – with a quantitative bent (the first article in the series was published in Dec. 2021). This particular article is for security leaders. It’s the first step in a peril-based approach to building out your cybersecurity risk management program. Insurance professionals may also find this topic of interest.


 

Insurance Thinking For Security Practitioners

Cyber insurance’s main job is reducing the impact of loss. Security’s main job is reducing the likelihood of loss.1  When security and insurance work together, they help keep loss within tolerance (i.e., risk tolerance).

Unfortunately, security leaders are regularly cut off from insurance discussions – this is a huge lost opportunity for security. We need to change that. There is a gap between what insurance covers and the losses the business will tolerate. Security can fill that gap. Formally, we would say that security keeps risk within tolerance. Bridging the “tolerance gap” becomes a defensible approach to funding a security program. 

The business leaders (CFO, GCs, etc.) responsible for buying insurance want higher limits on low-cost policies. Who wouldn’t want to transfer most, if not all, of their risk away? Business leaders want limits to look more like this:

Graph of likelihood of exceeding limits

Figure 1.2


The likelihood of loss hasn’t changed. What has changed is the limit on coverage. The irony is that a lack of security will prevent the business from getting their desired limits. Weak security also keeps the cost of insurance high and threatens renewals. 

In a hardened cyber insurance market, security and insurance MUST work together.2   Before your business leaders can get a desirable limit, you need to control for losses. That means security controls must adjust the likelihood of loss downward. The ideal likelihoods would look more like this:

Graph of likelihood of exceeding cyber insurance limits

Figure 1.3


As you can see above, the likelihood of exceeding $5 million in three years is now 9% instead of 25%. Those likelihoods could lead to a better policy with larger limits. A new limit with better controls might look something like this:

Graph of likelihood of exceeding limits

Figure 1.4


A 3% chance of losing $20 million with a negligible chance of exceeding $40 million – this is the result of insurance and security working together.2  This figure is likely much closer to business stakeholder tolerances. What about the likelihood of exceeding $5 million? It’s now around ~8%, well within the bounds of the current limit. 

Next, let’s discuss the intersection of perils, losses, and impacts. Understanding these concerns is key to optimizing spend on controls. Ultimately, we want to invest in cost-effective controls that reduce the chance of impacts exceeding risk tolerance. 



Perils, Losses, and Impacts

 

Many-to-many diagram

Figure 1.53

 

A peril is a bad event that can contribute to loss. For example, fires and explosions are perils that contribute to property loss. In our context, ransomware and data breach are perils that contribute to data loss. A peril can have many losses. A loss can have many perils. It’s a many-to-many relationship.

Impact values the relationship between perils and losses. Insurance codifies impact as dollars. Us security folks rarely codify impact as a dollar value, but we should. It’s how business people (especially insurance) think about absolutely everything. 

Business stakeholders and board members are aware of perils. They read the news. They ask about the latest headlines. However, they likely don’t have detailed knowledge about the interrelated nature of perils. For example, many (not all) perils have email as a key delivery mechanism. Stakeholders may not know that losses are also interrelated. Ransomware and data breach can both impact data loss.  

Insurance policies are generally written around perils and their losses.  The limits for losses may differ based on the perils that cause them. Limits may also have sub-limits based on the strength (or lack thereof) of security controls.

Security’s job is to invest in controls that reduce the most impact, across the most perils, with the least cost. For example, a security team could consider asking what is the most cost-effective way to go from figure 1.6a to figure 1.6b?

Figure 1.1 and 1.3 Comparison

Figure 1.6a (Before Controls) and Figure 1.6b (After Controls)

 

Answering questions like this lie at the heart of security optimization. It requires unpacking how we get impacts and likelihoods. 

In the next section, we cover how to develop impacts and likelihoods.  For now, we can only touch on this at a high level.  Future articles in this series will dive into these topics in much more depth. 


Preview To Developing Impacts and Likelihoods

In the first article in this series, I stated that impacts take on a range of possibilities. Those possibilities are informed by perils and losses (figure 1.5).  

Suppose your focus is on a data breach peril with privacy loss. Based on the size and regulatory nature of the data at risk we can develop a range of impacts. After all, you likely know something about the nature and volume of the data your company processes.  This is job #1 for security professionals. 

What you are likely uncertain about is the impact of breach. Part of our job in measurement (as discussed in the previous post) is measuring our uncertainty. That means putting a reasonable range on impacts, a range that reflects our uncertainty. It also means putting more weight on impacts that are most plausible. To do this we consider both industry data as well as expert inputs.

If the empirical data is limited (and it often is) then we become more reliant on experts for our ranges. Suffice it to say, not all experts are created equal. We have methods for cultivating and scoring experts – turning them effectively into security bookies. Through following our methods they become consistent and discriminating when making risk forecasts. This is covered in depth in our first book.4     

What you see below is an example impact model. The values under the highest portion of the shape are most plausible. Those values tend to get selected most often when we run our quantitative models.

Impact graph

Figure 1.7

 

Developing loss likelihoods is more complicated than impact rages. We still use industry data and expert inputs, but the reliance on experts is much greater. The method we use is a form of quantitative collective intelligence. It’s a method for meshing together a large set of expert forecasts. It’s a big topic. It will get its own article.

It’s here that I will point you back to the quote at the beginning of this article.  Even if we had overwhelming empirical data about loss events and their impacts, we are not engaged in predicting the future. That’s what astrology is for. We are making decisions under uncertainty.

Empirical data and quantified beliefs are the measures that drive decisions. Ultimately, we are making decisions about what to insure and how much.  We are also making decisions about what to mitigate and by how much. This is part decision psychology and part decision science, with ample use of predictive analytics.


 

What’s Next

In this article, I gave brief treatment to important topics like impacts, likelihoods, and expert elicitation. You can expect whole articles on these topics. For a broader list of forthcoming topics, please refer to the first article in this series.

 

If this subject interests you, and you would like to learn more, feel free to reach out to me directly at richardseiersen@resilienceinsurance.com.

If you are interested in a cybersecurity risk management program engagement, we are taking on a limited set of design partners (filling up quickly) for Q1 2022.

 

About the Author

Richard Seiersen
Chief Risk Officer

Richard Seiersen is the Chief Risk Officer at Resilience. Prior to joining Resilience in 2021, Seiersen was the co-founder and president of Soluble – a cloud security company sold to Lacework in October 2021. He was previously the Chief Information Security Officer of Twilio, GE Healthcare, and Lending Club. He’s also the co-author of “How To Measure Anything In Cybersecurity Risk” (July 2016) and author of “The Metrics Manifesto: Confronting Security with Data” (March 2022).

 

Sources:

1Security also reduces impact, but leads with likelihood reduction.

2 Mitigation Takes Center Stage in Hardening Cyber Market (Insurance Journal 2021)

3 BEC stands for Business Email Compromise 

4How To Measure Anything In Cybersecurity Risk (Wiley 2016)