a global affairs media network
Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats
March 13, 2015
As technology advances in the 21st-century marketplace, the ability to share products, ideas, and services grows. So too do the threats and risks that come with operating over a digital medium. Identifying and managing these cyber risks is therefore essential to the security of global business. In such an interconnected, 24/7 world, security cannot be imposed at the expense of the platforms enterprises already run on; it must grow organically with business and international trade.
According to the joint study by the World Economic Forum and Deloitte, a shared response is the best route to resilience against attack. That response is built from the frameworks and models different organizations use to determine the cyber value-at-risk of their assets. The goal in building such models is to gather the intelligence needed to determine from whom, and from where, an attack can come.
Because each firm builds its own risk assessment model, the methodology for collecting resilience data varies. Models may rely on statistical simulation, models of human behavior, parameter estimation and forecasting, among other techniques. What every model tries to combine, however, is broad scope with enough precision to make the resulting decisions sound. Whatever the limitations of a given approach, such modeling is essential for forming some picture of future risk and of which areas within an industry are more exposed to attack.
Every ecosystem carries inherent risk, and the digital world is no exception. The financial sector measures such risk with an instrument known as value-at-risk: the loss that a portfolio is not expected to exceed, at a chosen confidence level, over a chosen period. Applied to cyber, a value-at-risk model helps establish the worth of a company's digital assets and the potential losses, tangible and intangible, the firm could suffer from a cyber attack. Because digital threats cut across industries worldwide, a meaningful value-at-risk figure is derived from separate analysis of three aspects: vulnerabilities, assets, and attacker profiles. First, a firm's possible vulnerabilities and its openness to the marketplace must be accounted for as avenues of attack. Once those openings are recognized, valuing the company's digital assets sharpens the picture of what an attack could cost. Lastly, given that an attack is possible, the question is which individuals or groups would be interested in those assets. It is difficult to say at this point which types of model are more accurate.
By combining monitoring, detection, and response to possible cyber threats, firms can put systems in place that both limit damage and supply the data needed to quantify value-at-risk. There is no single answer to cyber security, but modeling and predictive statistics help shore up weaknesses in the marketplace. As more firms adopt preemptive security measures, the pool of input data available to the models grows with them, allowing the models to keep pace with an expanding industry. If industries are willing to cooperate on threat assessment and response, effective cyber threat management can be achieved with resilience that reinforces itself across participants.
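The three inputs named above (vulnerabilities, assets, attacker profiles) can be turned into a value-at-risk figure by simulation. The following is an added illustration written for this page, not the WEF/Deloitte model and not code from the report: it samples many hypothetical years, counting attack attempts per attacker profile, resolving each attempt against the firm's vulnerability for the targeted asset, and adding direct plus reputational loss when an attempt succeeds. The 95th percentile of simulated annual loss is the cyber value-at-risk. Every asset value, attempt rate, capability score and vulnerability probability below is a constructed assumption chosen for illustration; the second security profile assumes, hypothetically, that tokenizing card data and segmenting the network cut the card database's vulnerability from 0.30 to 0.05.

```python
import math
import random
import statistics
from dataclasses import dataclass

# All figures in this example are constructed assumptions for illustration.


@dataclass
class Asset:
    name: str
    value: float          # direct loss if the asset is fully compromised
    reputational: float   # intangible loss, counted once per breached asset per year


@dataclass
class AttackerProfile:
    name: str
    attempts_per_year: float   # mean number of attack attempts (Poisson rate)
    capability: float          # 0..1 multiplier applied to the firm's vulnerability
    interest: dict             # asset name -> relative weight of the attacker's interest


@dataclass
class SecurityProfile:
    # Probability that a fully capable attempt against each asset succeeds.
    # This is where the firm's own controls (firewalls, patching, segmentation) enter.
    vulnerability: dict        # asset name -> probability in [0, 1]


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm: number of events in one period at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(assets: dict, attackers: list, profile: SecurityProfile,
                  rng: random.Random) -> float:
    """Total loss in one simulated year."""
    loss = 0.0
    breached = set()
    for atk in attackers:
        names = list(atk.interest)
        weights = [atk.interest[n] for n in names]
        for _ in range(poisson(atk.attempts_per_year, rng)):
            target = rng.choices(names, weights)[0]
            p_success = min(1.0, profile.vulnerability[target] * atk.capability)
            if rng.random() < p_success:
                asset = assets[target]
                # Severity: fraction of the asset lost, skewed towards small incidents.
                severity = min(1.0, rng.lognormvariate(-1.5, 0.8))
                loss += asset.value * severity
                if target not in breached:
                    loss += asset.reputational
                    breached.add(target)
    return loss


def cyber_var(assets: dict, attackers: list, profile: SecurityProfile,
              confidence: float = 0.95, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo cyber value-at-risk: the annual loss not exceeded with the
    given confidence, alongside the mean (expected annual loss) and worst year."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(assets, attackers, profile, rng) for _ in range(years))
    idx = min(len(losses) - 1, int(confidence * len(losses)))
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "var": losses[idx],
        "worst_year": losses[-1],
    }


# Constructed scenario: a retailer holding card data, source code and a storefront.
ASSETS = {
    "card_db": Asset("card_db", value=5_000_000, reputational=2_000_000),
    "source_code": Asset("source_code", value=1_500_000, reputational=300_000),
    "web_storefront": Asset("web_storefront", value=400_000, reputational=100_000),
}
ATTACKERS = [
    AttackerProfile("carding_crew", 6, 0.6, {"card_db": 0.8, "web_storefront": 0.2}),
    AttackerProfile("ip_thief", 1, 0.9, {"source_code": 1.0}),
    AttackerProfile("opportunist", 20, 0.2,
                    {"web_storefront": 0.7, "card_db": 0.2, "source_code": 0.1}),
]
BASELINE = SecurityProfile({"card_db": 0.30, "source_code": 0.25, "web_storefront": 0.40})
# Hypothetical effect of tokenising card data and segmenting the network.
HARDENED = SecurityProfile({"card_db": 0.05, "source_code": 0.20, "web_storefront": 0.30})

if __name__ == "__main__":
    for label, profile in (("baseline", BASELINE), ("hardened", HARDENED)):
        r = cyber_var(ASSETS, ATTACKERS, profile)
        print(f"{label:9s} expected loss {r['expected_annual_loss']:>12,.0f}  "
              f"VaR95 {r['var']:>12,.0f}  worst year {r['worst_year']:>12,.0f}")
```

Comparing the two runs shows what the model is for: the difference between the baseline and hardened VaR figures is the loss reduction a control buys, which can be set against what the control costs. The weakest part of any such model is the attacker inputs, since attempt rates and capability are estimated rather than observed; the report's point that history is lacking applies directly to those parameters.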
While in Davos, Switzerland, during the annual meeting of the World Economic Forum, Editor-in-Chief Ana Rold sat down with two of the architects behind the report, Jacques J. Buith and Dana Spataru, to discuss the future of cybersecurity.
DC: Tell me about the significance of this newly released report on cybersecurity.
The report is about cyber threats, and the interesting component we added in this year's project is to quantify both the cyber threat levels, as well as measure the benefits and opportunities a digital world gives us, and match that with the threats and levels of risk we see in cyber, and build that into a model. It is a simplification of the truth obviously, but at least start modeling it, in a similar fashion to what the financial services industry has done for 30 years, and apply the value-at-risk principles into a model for cyber threats.
So one thing I took away after reading the report is that, increasing expansions in technology, web, cloud, social media, etc., is inherently about sharing, not security. So we can’t be completely secure, clearly. What is your answer to this through your report?
The answer is, and always has been, that the word resilience is the most important thing. So 100% security is not an option. We always say, assume you will be hacked, prepare for the worst, and respond proactively with care. Have your plans for resilience at the right levels, and be ready for if it happens.
So if complete security is not an option, what is the next best thing? What does that resilience really mean?
Resilience starts with intelligence, to know what's out there. Know what the vulnerabilities are; know when your data is more vulnerable than others. If you have your intelligence at the right level, then the next step is monitoring it. Monitor your own systems, networks, countries, to see if those vulnerabilities that exist really occur. And if they happen, then within the monitoring system the alarm system and the incident response need to kick in. But it's also about reputation and risk. It's about communication, legal, higher management. Don't keep it at a technical level; scale up to management and the board, and you will see that at the end of the day it is they who will be affected by the reputational risk.
This makes total sense to me when I think about a big company. But when I think about a small company, what we’re talking about is less capacity. How does this scale for them? Do they need the same kind of resilience to build on?
They do. It all matters, and that's also the quantification model; it all models how vulnerable the data is, in other words, how interesting their data, their intellectual property, and their customer data are, for things to happen. And if that's at the same level, then a smaller company needs to have their act together. I think the smaller companies, also with cloud and the internet transformation, a lot of those have outsourced some of the components to technology providers. So they can also outsource pieces, from security operations centers, monitoring centers, to outside parties to do that for them.
In the project, you talk about a shared effort among world participants, and how that’s required, and how business must understand counter-measures in order to feel secure. What does this effort look like, and what does it mean? Who is involved?
Deloitte has been involved in this project for the last two years. We've been working with the World Economic Forum and a lot of the parties the last couple of years. The first years were when we focused on awareness, principles, signatures, and training. We felt we made, as a partnership, huge headway in this. So this phase is done I think, not done in that we should not spend time on it, but we are at the next step now. And the next step is, "what are we investing in the digital world?" And how valuable is the digital world for us, from a stakeholder's value, from a shareholder perspective, and match that with the risks and the threats.
The partnership comprises a lot of technology companies who are an instrumental part in securing the internet. One of the sessions we organized was with Singularity University in Silicon Valley, with Peter Diamandis and Mark Goodman. So that was the tech side. We had a session in London that focused more on insurance and financial services, and we looked at it from: how can we productize the cyber threats, and make cyber resilience insurance policies, and if a company makes an insurance policy, what's the margin on it?
You were talking about making this more an effort where you monetize, where you’re creating products, and then companies can buy these products or use these products, and then they’re sort of checking the list of the things they’re supposed to be doing in order to build resilience. But a lot of these threats, if we’ve learned anything from Sony and other recent hacks, there are a lot of things that are unprecedented. So a lot of the experts out there say the worst hasn’t come yet. How do we simulate these issues?
That's a good point. And that's also the reason we picked up the challenge, and we call this VAR, Value-At-Risk, or Cyber VAR. In the financial services industry, for insurance products, it has been known for 25-30 years; it's all worked out with regards to derivatives, insurance, because there is history, as you said. But in cyber, we are lacking that. We are lacking, "have we seen everything yet?" The answer is no. Have we seen the worst? The answer is probably also no. But we believe that with this model, and continuously working and enhancing the model, we at least will start seeing the value of it. So we believe this is a starting point with the cyber VAR model, to collectively start working on it and enhance the insights that it will give us. If a company starts implementing it today, it will not give you all the insights, but it will at least be a pattern towards other insights for what you invest in cyber, versus what your threats are.
Twenty years ago you would buy your typical personal computer and you had to buy anti-virus products, and then you felt safe. Every now and then you clicked on something silly and then you got in trouble. We’re not talking about that, but can we get to that point, where you can go to your local computer store and get something off the shelf, and say, “now I’m protected”?
That's a good question, and we have had debates on it. I think this will take some time, and the reason I'm saying that is because we are implementing cyber-security measures on top of legacy. In the banking and insurance world, for example, a lot of systems and the software and the technical devices are 20 to 30 years old. That's the real situation, and we first need to find solutions in the Internet of Things, in the appliances, in the semiconductors, in the hardware, then into the software, which ultimately need to be implemented by the company. So it will take a long time to pass the situation we are currently in, which is not a very negative situation, by the way. I still think that the whole digital transformation, and what digital cyber brings us, is creating lots of value. The growth we are experiencing because of it is still greater than the risks that we are facing.
Tell me about the model in this report. Explain to me a little bit the details.
We started the model with the idea that the first step you need to take, if you want to implement the model, is to understand the different data points and components that you need for a start. Our model is based on the fact that you understand some of the variables, and start working on getting those data points for the variables. And to give you some examples, things like, "What is the security profile of your enterprise or organization?" We want to know, first of all, what's your security infrastructure? Things like anti-virus, firewalls, all these pieces: do you have everything in place or not? That's one of the components. Another important piece, which is also linking to the Value-At-Risk from financial services, is the criticality of your assets. So you need to understand what your critical assets are: what do I have, what's the value for my company? And then the important part: who would attack it? Then you get more into the threat and the possible actors. These are things that are inputs into the model. First you need to do your homework and get your information for each one of these variables together, in order to model. So you have all these pieces together, and in the end you would use probabilistic modeling and model the different elements. And what we learned is that there are many organizations using different models.
So in layman terms, if a target has 20 million credit card numbers, they’re not worried if it’s all stored somewhere where there’s only one door?
Exactly.
What about reputational damage?
You need to model that as well.
What about barriers to entry that could result in smaller companies maybe not adopting this model right away? Clearly bigger companies with more to lose will start the model, getting wiser. Smaller companies might take awhile. What kind of ripple effect does that have in the marketplace?
I'm not sure I completely agree with smaller and difficult. If you are a startup, then you have some advantages over the larger companies with legacy and systems from 30 years ago. So that is much more challenging and difficult than an internet startup that starts from greenfield and can adopt modern technology. Because with modern technology, modern software, it's much easier to do.
Is there anything else out there right now—that deals with this cyber security issue, at this depth and formula—that you know of?
No, we have incorporated very sophisticated models, and with the partnership with the World Economic Forum we have been working with multiple other technology and consultancy firms to add their components as well. Insurance companies also have models, technology providers have models, and so they are also part of the panel for this report. We have tried to have an open source community around this.
And is this mandatory reading for everyone right now?
Absolutely.