Risk Nexus: Overcome by cyber risks? Tom Bossert CDS Risk Management


The Cyber Risk Trend
Each year sees:
More data breaches
More disclosures of critical vulnerabilities
More nations building and employing offensive cyber capabilities
A growing cyber insurance industry, set to triple by 2020
A booming private cyber risk management industry, with billions in venture capital and dozens of publicly traded companies

So, we know the risks of being connected. Yet we accept them to gain the benefits.

But how would we know if the downside risks from being connected (whether those risks are realized or unrealized) are starting to outpace the upside benefits?

Will the next generation benefit from the cyber economy, or be overwhelmed by the struggle to control its insecurities? What can we do today as policy makers and risk managers? Trends can lead to different futures depending on how we react to them.

Video: https://vimeo.com/138263949

Overcome by Cyber Risks? Economic Benefits and Costs of Alternate Cyber Futures
Atlantic Council, University of Denver's Pardee Center for International Futures, Zurich Insurance Group

Project on Global Risks
Continuation of the three-year relationship between Zurich Insurance Group and the Atlantic Council on global risks
New effort on global risks, partnering with the Pardee Center for International Futures of the University of Denver:
Year 1: examine and model alternate cyber futures
Year 2: extend modeling to geopolitical and demographic risks
Builds on the success of the "cyber sub-prime" report on global interconnections of cyber risk

Four Traditional Cyber Threats [figure: four numbered items; their labels were not captured in the transcription]

Cyber Sub-Prime
Mainstream cyber risk management is strikingly similar to financial risk management prior to 2008:
1. Risks only examined one at a time and one organization at a time, ignoring interdependencies
2. Risks then passed to outside organizations, who further passed them along
3. Risks accordingly concentrated in little-known ways and places
4. Little if any governance of the system as a whole

Why This Matters
1. Mainstream risk management likely ignores perhaps the greatest kind of risk: growing systemic upstream complexity
2. The future Internet may be far less business-friendly, with national borders, restrictions on data movement, and frequent and severe outages
3. Companies (and nations) that are managing this risk have a far better chance of surviving and thriving

What Do We Learn from Data and Modeling?
"It is the trend that matters; look at the shape." (Dan Geer)

How does information and communication technology (ICT) benefit the global economy? How do ICT security problems cost the global economy?
Cyber Benefits
1. ICT sector size
2. Productivity and GDP
3. Consumer surplus
Cyber Costs
1. Spending on risk mitigation
2. Cost of adverse cyber events
3. Opportunity cost

Cyber Benefits
1. ICT sector size is fundamentally stable and not contributing growth via size change
2. ICT contributes about 20 percent of economic growth where ICT pervasiveness/penetration is high
3. Consumer surplus could be one-third to one-half of the measured economic growth contribution

Cyber Costs
1. Spending on risk mitigation is as high as 0.4% of GDP in the US and rising; closer to 0.1% globally
2. Cost of adverse cyber events is about 0.7% of GDP in the U.S.; data elsewhere is less extensive
3. Opportunity cost varies by ICT use and could be as high as 1% of GDP in Cuba
Source: http://test.tiaonline.org/resources/market-forecast

Forecast Annual Cyber Costs and Benefits [chart; values not captured in the transcription]

Forecast Cyber Costs and Benefits: Annual totals, high-income countries [chart; values not captured in the transcription]
"It is the trend that matters; look at the shape." (Dan Geer)

Initial Conclusion (With Very Limited Data)
An inversion where the annual risks of being connected outweigh the benefits is not just theoretically possible but may actually have already happened in high-income nations, and may happen in five years globally.
Fortunately, benefits from ICT investments continue to accumulate, so your children should enjoy a better Internet than we do today.
Unless the trends change: a discontinuity, where the future looks much different from the past.

Recommendations
For policymakers:
Cautiously push new technologies: ensure benefits outpace costs (downside: increases dependence on inherently risky technologies)
Work to get defense better than offense: work at scale, drastically reduce costs, remove entire classes of attacks
Be stewards of a sustainable cyberspace
For risk managers:
Start hedging your long position in connected IT
Continue the emphasis on resilience in an increasingly dangerous world
Consider worst-case futures in business plans; separate business plans for different Internet blocs
Prevent rising costs from swamping digitally dependent strategies

You Are Critical to Managing Cyber Risk
Cybersecurity requires controls, audits, and accountability.

My Observations
The scale of this challenge is awesome.
Our clients and your covered agencies all feel that cybersecurity is just a cost center; we must remind them of the benefit, not just the risk.
Because of security concerns, opportunity costs are growing larger as agencies and commercial companies are passing on, or waiting longer to adopt, new, innovative technology.
Companies and governments are long on cyber reliance with almost no hedge. Spending on security must go up.
The future seems inconsistent with the military mentality that cyber is a domain to dominate; we must change that mentality.
State conflict in the digital arena is different from any precedent, as the states don't have a monopoly on the force, at least the defensive force.
ISACs are sprouting and growing and sharing information without legislation. Although it is important to share information, info sharing is a solution that doesn't scale, so it is not as relevant in the long term.
Slow, manual patching is dumb.
Access controls are exceedingly important.
Tech investment is needed, as is investment in professional development.

Final Points
What should auditors be doing to get ready for the future? What skillsets will they need?
The new FISMA: assess the effectiveness of controls, not just compliance with procedures; use DHS as a resource; and know your own limitations.
1. Invest in tools, resources, training, and education
2. In-house your auditing of policies, procedures, and managerial controls
3. Outsource your tech controls, tech monitoring, effectiveness metrics, and innovation efforts
4. While info sharing is not sexy to long-term strategy folks, coordination across agencies and sharing among state, local, federal, and private partners is critical

QUESTIONS?

BACKUP SLIDES

Curveballs
What discontinuities could tip us towards a more extreme future?
1. General improvements in global governance (UN, G20, ICANN, etc.), which reduce costs and increase benefits
2. Conflict or collaboration between the US and China, which reduces costs and increases benefits
3. Keep benefits booming with major new disruptive technology sub-waves (cloud, quantum computing, Internet of Things, artificial intelligence)
4. Disruptive offensive technology gives attackers supremacy, so costs rise suddenly and dramatically
5. Disruptive defensive technology gives defenders the edge, reducing costs

Cyber Benefits
1. ICT sector size (value added): left out of the analysis
2. Productivity and GDP growth: general magnitude (up to about 20% of growth); compounded
3. Consumer surplus (up to about 40% of growth); compounded
Cyber Costs
1. Spending on risk mitigation: U.S. high, at about 0.5% of GDP
2. Cost of adverse cyber events: U.S. high, at about 0.68% of GDP
3. Opportunity cost: estimated by regression, using the above as the level of no cost

High Awesomeness of the Internet: strong defense, weak offense; high trust; extensive usage; a secure Internet is a global right
Government-Dominated Internet: no longer a single global Internet; national internets have very different characteristics; high protectionist barriers, sovereign borders; technological elite serve the state; companies forced to accept backdoors and monitoring
Private-Sector Dominated Internet: single global Internet; Internet similar regardless of nation; minimal barriers and borders; technological elite defy the state; companies lock out and outfox the state
Low Awesomeness of the Internet: strong offense, weak defense; low trust; declining usage; a secure Internet is a luxury good

[Figure: two axes. Vertical: High Awesomeness of the Internet to Low Awesomeness of the Internet. Horizontal: Government-Dominated Internet to Private-Sector Dominated Internet.]

Forecast Annual Cyber Costs and Benefits [chart; values not captured in the transcription]
"It is the trend that matters; look at the shape." (Dan Geer)

Forecast Annual Cyber Costs and Benefits: Global Annual Totals [chart; values not captured in the transcription]

Where Does This All Lead? Two Main Axes of Uncertainty

[Figure: two axes. Vertical: High Awesomeness of the Internet to Low Awesomeness of the Internet. Horizontal: Government-Dominated Internet to Private-Sector Dominated Internet.]

Shangri-La
Amazing benefits, low risks
Strong defense, weak offense
Benefits spread equally to all people
High trust and extensive usage
A secure Internet is a global right

Clockwork Orange
Strong offense, weak defense
Any neighborhood is, or can quickly become, overrun
Low trust and declining usage
A secure Internet is a luxury good

Leviathan
No longer a single global Internet
National internets have very different characteristics
High protectionist barriers, sovereign borders
Technological elite serve the state
Perhaps defense gets better, but more nations are attacking
Companies forced to accept backdoors and monitoring
Very unequal, as richer nations generally have a better Internet

Independent Internet
Single global Internet, which is similar regardless of national boundaries
Minimal barriers and borders
Technological elite defy and consistently outfox the state
Defense might be better, but companies have access to personal data
From "A Declaration of the Independence of Cyberspace" (John Perry Barlow, 1996, https://projects.eff.org/~barlow/declaration-final.html): "Governments of the Industrial World, [y]ou have no sovereignty where we gather. Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here."

Two Possible Futures
Net Annual Benefits and Costs of Base Case, Shangri-La, and Clockwork Orange [chart; values not captured in the transcription]
Cumulative Annual Benefits and Costs of Base Case, Shangri-La, and Clockwork Orange [chart; values not captured in the transcription]
Potential loss of $30 trillion of potential net economic benefit to 2030