The Evolution of Cyber Risk and Mitigation Strategies
David Johnson, Horace Li (Updated Jul 2015)

Abstract

Today, technology underpins an ever-growing share of society, from healthcare to entertainment, banking to government. With new technology come new business processes, opportunities, and unfortunately, threats. In the increasingly data-driven economy we live in today, it is therefore little surprise that cyber threats have become one of the most important risks we face, leveraging the most critical driver of progress, technology, against what could be the most prized commodity of the information age, data. Indeed, the World Economic Forum Global Risks Report 2014 ranked “cyber-attacks” in the top 5 global risks in terms of likelihood, and “critical information infrastructure breakdown” in the top 5 risks in terms of impact [1].

This report tries to provide a context and short history of cyber-attacks, and explore past and current efforts in quantifying, identifying, and managing cyber security risk. It will also discuss briefly issues with current approaches, challenges now and in the near future, and steps organizations and governments should take to manage and mitigate such risks.

Introduction

Today, cyber risk is regarded as one of the most important risks, especially within large or financially related companies. We are now within an era where technology has become a part of our daily lives, whether that is for social purposes, communication, or business. Focusing on the integration between technology and businesses, the growth and success of the World Wide Web has allowed firms to significantly improve their processes, including storing, transferring, and securing information. However, despite the Internet providing numerous benefits, it has now meant that firms have become reliant on it. This reliance would not, at a glance, appear to be a problem; however, it inadvertently created an opportunity for ‘hackers’ to carry out cyber-attacks.

Previously, so-called hackers would simply try to breach systems for fun, to prove themselves within a community, and a lot of the damage that they could do would not be as significant due to the companies’ offline nature. Due to the increased dependency on the Internet now, however, if a hacker is successful with an attack it can cause severe damage to the operations of a firm, as well as knock-on effects such as loss of reputation and consumer confidence. This has led to a change in the motives of hackers, with greatly increased incentives, ranging from the ability to attack companies for wrongdoing (the Anonymous Group having ideological or political beliefs), to monetary reward for espionage or sabotage on rival companies. These changing motives have created a much higher chance of cyber-attacks. The 1980s was a decade in which we saw this gradual change of motives and uses of hacking.

In 1981 came the formation of prominent black hat hacking groups, namely the Chaos Computer Club, formed in Germany, and The Warelords within the United States. The Warelords quickly became a dangerous group due to their highly developed communication abilities, used to collaborate with and maintain an international ring of piracy groups reaching as far as Japan. Despite the Warelords being able to infiltrate large corporations and even the White House, it wasn’t until 1982 that the U.S. House of Representatives held hearings on computer security and passed several cyber security-related laws [2]. This came about due to another group called the 414s, who broke into 60 computer systems at institutions including laboratories and cancer research centres; the story was the first mass-media event surrounding computer security hacking. Fast forwarding to 2014, several more laws have been introduced around cyber risk, notable ones including: the Comprehensive Crime Control Act, giving the Secret Service jurisdiction over computer fraud; the Computer Fraud and Abuse Act; the Computer Misuse Act 1990; and the Digital Millennium Copyright Act. Even with these laws, however, nearly every company is still susceptible to cyber risk.

[1] World Economic Forum (2014). Global Risks 2014, Ninth Edition. Retrieved November 27, 2014, from http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf.

With distributed denial of service attacks (DDoS), data security breaches, and other attacks on the rise, addressing and mitigating cyber risk is an emerging priority among companies across the globe, as reports of high-profile cyber-attacks make headlines almost every day. These modern cyber-attacks make it necessary for all companies, and even more so financial services, to evolve security with advanced and robust cyber risk assessment. In fact, in January 2014, the WEF, in collaboration with researchers from McKinsey, published a report on risks in the cyber world. Unlike many papers in the past, they investigated cyber risk within the context of current society and technological changes, with major technology trends such as big data and cloud computing. They concluded that this new risk of cyber-attacks and the indirect consequences from failure to manage such risks could impede the growth of such sectors (and the world economy) and innovation, eventually resulting in an estimated economic impact of up to $3 trillion [3].

Cyber risk falls under the branch of operational risk, the risk of loss resulting from inadequate or failed processes, people and systems or from external events. Operational risk itself is a fairly new domain, in which there is increasing acceptance of its need as well as detailed measurement models. Similarly, cyber risk is also a new area of risk and only recently has begun to be credited with the same, if not the greatest, importance within the operational risk domain. This is because the proportion of operational risk with risk drivers related to cyber security is rising significantly. The impact on businesses, however, is very much identical to other operational risk drivers, and so in a sense cyber risk is a back door to creating greater operational risk. This recognition is actually an important step, as not long ago, like operational risk, efforts to analyse or mitigate cyber risk were seen as simply a large cost with little reward for businesses, considered as just another part of infrastructure expenses.

A core objective surrounding cyber risk has been raising awareness and buy-in from senior management. The lack of knowledge around the domain meant many people, especially senior management, were not able to understand the threat of cyber risk and identify it as a pivotal operational risk. Examples include the realisation that a system is only as strong as its weakest link, which encourages organisation-wide plans to tackle it, as opposed to discrete efforts within a siloed IT division. Furthermore, unlike other operational risks, cyber risk is constantly evolving. We have already seen a significant change from harmless hacking to espionage, and within that there are multiple approaches and tactics which vary in scale and complexity. This variance and inconsistency means we are unable to analyse the key factors used to assess cyber risk which other operational risk types benefit from. As examples, it is not easy to identify the many types of vulnerabilities behind cyber risks, nor is it easy to identify the cyber attackers and their capabilities and motivations. As a result, it is also extremely hard to quantify possible consequences or costs of mitigation, especially when compared to maturing methodologies for calculating other types of operational risk.

[2] (1996). Computer security: Legal Lessons in the Computer Age. Retrieved November 27, 2014, from http://groups.csail.mit.edu/mac/classes/6.805/articles/rasch-comp-law.html.
[3] World Economic Forum (2014). Risk and Responsibility in a Hyperconnected World. Retrieved November 25, 2014, from http://www3.weforum.org/docs/WEF_RiskResponsibility_HyperconnectedWorld_Report_2014.pdf.

Quantification

Cyber risk, like the majority of operational risk, is often described in a qualitative sense, identifying the issues, potential vulnerabilities, and methods of attack. However, little success has been seen in quantifying such risks in terms of probabilities, potential financial losses, and the financial costs required to manage such risks effectively.

At a high level, the impacts of operational failures can often be separated into two categories - the immediate operational impact, affecting business continuity directly, and the longer term impacts, mostly manifesting in terms of reputational damage. The former is more easily quantifiable in monetary terms, whilst the latter is both harder to measure and much more variable depending on the damage control procedures and subsequent actions (communication plans, announcement of breaches etc). Work in the industry so far has focused on the former, aiming to calculate concrete numbers for the potential financial loss and risks.

There are two main approaches to modelling operational risk - statistical, and causal. The statistical approach is suited for frequent events from which distributions can be derived from existing data, often using the Loss Distribution Approach. However, unlike operational risks such as fraud or damage to physical assets, which can occur fairly frequently with less financial loss, cyber security incidents tend to be infrequent, but serious, leaving a shortage of statistical data. As a result, efforts at cyber security risk measurement tend to be based on scenario analysis.
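The following is an added illustration, not code from the report or from any source it cites, of what the Loss Distribution Approach mentioned above actually computes. It treats annual loss as a random number of incidents (a Poisson frequency) each with a random size (a lognormal severity), simulates many years, and reads off the expected annual loss and a high quantile of the simulated distribution. All rates and loss sizes are constructed assumptions. Running it with a frequent/small-loss profile next to a rare/large-loss profile (the cyber-like case) shows in numbers why the latter leaves so few non-zero observations for fitting a distribution.

```python
"""Loss Distribution Approach (LDA) worked example.

Added illustration (not the report's own method or data): annual loss = sum of
N incidents, N ~ Poisson(rate), each incident ~ Lognormal(median, sigma).
Parameters below are constructed assumptions for demonstration only.
"""
import math
import random
import statistics


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate with Knuth's multiplication method (stdlib has no Poisson)."""
    limit = math.exp(-lam)
    k = 0
    p = 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(rate, median_loss, sigma, years, seed=0):
    """Return one simulated total loss per year (list of floats).

    rate: mean incidents per year (Poisson frequency)
    median_loss, sigma: lognormal severity parameters (mu = ln(median))
    """
    rng = random.Random(seed)          # seeded so runs are reproducible
    mu = math.log(median_loss)
    totals = []
    for _ in range(years):
        n = poisson_sample(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def quantile(values, q):
    """Empirical nearest-rank quantile, q in [0, 1]."""
    s = sorted(values)
    idx = min(len(s) - 1, max(0, math.ceil(q * len(s)) - 1))
    return s[idx]


def loss_summary(rate, median_loss, sigma, years=20000, seed=0):
    """Expected annual loss, 99.9% annual loss quantile (operational VaR style), and
    the share of simulated years with no loss at all (the data-scarcity problem)."""
    losses = simulate_annual_losses(rate, median_loss, sigma, years, seed)
    return {
        "expected_loss": statistics.fmean(losses),
        "var_99_9": quantile(losses, 0.999),
        "years_with_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    # Constructed profiles: frequent small losses (card-fraud-like) versus
    # rare large losses (serious cyber-incident-like).
    frequent = loss_summary(rate=50, median_loss=2_000, sigma=1.0)
    rare = loss_summary(rate=0.2, median_loss=2_000_000, sigma=1.5)
    for name, s in (("frequent/small", frequent), ("rare/large", rare)):
        print(f"{name}: E[loss]={s['expected_loss']:,.0f}  "
              f"VaR99.9={s['var_99_9']:,.0f}  "
              f"P(no loss in a year)={s['years_with_no_loss']:.1%}")
```

With the rare profile roughly four years in five produce no loss at all, so a firm with a decade of its own history has only one or two data points to fit a severity distribution from; that is the shortage of statistical data the paragraph refers to, and why the text says practice falls back on scenario analysis.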

Early research efforts on cyber risk began in the late 90s [4] and had a more academic and formal approach, as opposed to solving industry threats (thought of as insignificant at the time). The research was around analysis of vulnerabilities in software and systems, via lapses in network security, in terms of attack graphs. This was done through identification of attack vectors and model checking to enumerate states as an attack progresses through the components of a system until a ‘goal state’, in which the system is compromised, is reached. The sequence of states effectively shows the combination of exploits used to ultimately compromise the target host. A final table is produced showing the possible exploits and results of each:

  Source             | Target              | Exploit               | Result
  Hacker             | Public Web Server   | Phf                   | User access on Public Server
  Hacker             | Public Web Server   | Capture pwd hashes    | Public Web Server’s password hashes known to hacker
  Hacker             | Public Web Server   | Brute Force Passwords | Hacker knows Public Web Server’s root (admin) password
  Public Web Server  | Private Web Server  | Shell login as root   | Hacker’s access level on Private File server is now root (admin)

[4] Ritchey, R. W., & Ammann, P. (2000). Using model checking to analyze network vulnerabilities. Proceedings of the 2000 IEEE Symposium on Security and Privacy (S&P 2000). IEEE.

By the latter half of the noughties, research in this area had begun to look at more complex attack graphs and dealing with cumulative probabilities and cycles within the graph [5][6]. The approach has been mostly theoretical, and did not go into the context of such metrics in enterprises until the end of the decade [7]. By 2011, the focus was firmly on quantifying risk in enterprise networks and how the methodology could be used to reduce the security risk of enterprise systems [8]. Analysis of attack graphs can now quantify the severity [9] and probability of risk in enterprise systems, and when combined with existing operational risk quantification techniques, has the potential to provide a measurement of risk in financial terms.
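As an added example covering both the state-enumeration table above and the probabilistic attack-graph metrics of this paragraph (this is illustrative code, not the report's and not from Ritchey and Ammann or Wang et al.): each exploit is written as a precondition/postcondition rule, attacker states are sets of facts, and a breadth-first search enumerates states until the goal state is reached, reproducing the table's rows. A second function attaches a per-exploit success probability and folds them into a cumulative probability of reaching the goal. Host and exploit names are taken from the report's table; the success probabilities are constructed assumptions, and the independence simplification (and the refusal to handle precondition cycles) is mine rather than any cited paper's exact metric.

```python
"""Attack graph enumeration and cumulative probability, added illustration.

Exploit names and hosts follow the report's table; p_success values are
constructed assumptions for demonstration only.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    name: str
    source: str
    target: str
    requires: frozenset   # facts the attacker must already hold (precondition)
    grants: str           # fact gained on success (postcondition)
    result: str           # human-readable outcome, the report's "Result" column
    p_success: float      # constructed probability, not from the report


INITIAL = frozenset({"net:Hacker->Public Web Server"})   # attacker can reach the public server
GOAL = "root@Private Web Server"

EXPLOITS = [
    Exploit("Phf", "Hacker", "Public Web Server",
            frozenset({"net:Hacker->Public Web Server"}),
            "user@Public Web Server", "User access on Public Server", 0.7),
    Exploit("Capture pwd hashes", "Hacker", "Public Web Server",
            frozenset({"user@Public Web Server"}),
            "hashes@Public Web Server",
            "Public Web Server's password hashes known to hacker", 0.9),
    Exploit("Brute Force Passwords", "Hacker", "Public Web Server",
            frozenset({"hashes@Public Web Server"}),
            "rootpw@Public Web Server",
            "Hacker knows Public Web Server's root (admin) password", 0.5),
    Exploit("Shell login as root", "Public Web Server", "Private Web Server",
            frozenset({"rootpw@Public Web Server"}),
            GOAL, "Hacker's access level on Private File server is now root (admin)", 0.95),
]


def enumerate_attack(exploits, initial, goal):
    """Breadth-first search over attacker states (frozensets of facts).

    Returns the exploit sequence that first reaches `goal`, or None if the
    goal state is unreachable under the given exploit set.
    """
    queue = deque([(initial, [])])
    seen = {initial}
    while queue:
        state, path = queue.popleft()
        if goal in state:
            return path
        for ex in exploits:
            if ex.requires <= state and ex.grants not in state:
                new_state = state | {ex.grants}
                if new_state not in seen:
                    seen.add(new_state)
                    queue.append((new_state, path + [ex]))
    return None


def attack_table(path):
    """Rows in the report's Source / Target / Exploit / Result layout."""
    return [(ex.source, ex.target, ex.name, ex.result) for ex in path]


def cumulative_probability(exploits, initial, fact, _visiting=frozenset()):
    """Probability that the attacker eventually holds `fact`.

    Preconditions are combined as a conjunction and alternative exploits for
    the same fact as a disjunction, both assuming independence; a cycle in the
    precondition structure raises instead of looping (cycle-aware metrics are
    the subject of the cited 2008 work and are not implemented here).
    """
    if fact in initial:
        return 1.0
    if fact in _visiting:
        raise ValueError(f"precondition cycle through {fact!r}")
    p_fail_all = 1.0
    for ex in exploits:
        if ex.grants != fact:
            continue
        p_pre = 1.0
        for pre in ex.requires:
            p_pre *= cumulative_probability(exploits, initial, pre, _visiting | {fact})
        p_fail_all *= 1.0 - ex.p_success * p_pre
    return 1.0 - p_fail_all


if __name__ == "__main__":
    path = enumerate_attack(EXPLOITS, INITIAL, GOAL)
    for row in attack_table(path):
        print(" | ".join(row))
    print(f"P(goal) = {cumulative_probability(EXPLOITS, INITIAL, GOAL):.3f}")
    # Mitigation check: removing one step (e.g. the password-cracking step, by
    # eliminating the offline-crackable hashes) makes the goal unreachable.
    hardened = [ex for ex in EXPLOITS if ex.name != "Brute Force Passwords"]
    print("reachable after hardening:", enumerate_attack(hardened, INITIAL, GOAL) is not None)
```

The hardening check at the end is the practical use the paragraph hints at: re-running the enumeration with one exploit removed shows which single control breaks the chain, and the probability function gives a number to compare candidate controls against each other.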

Looking at the broader range of cyber-attacks, a notable point occurred in 2008 [10] when ANSI and the Internet Security Alliance (ISA) published a report aiming to apply a structured approach to this qualitative domain, which described how financial risk could be calculated. Their model, seen in the diagram below, shares a remarkable resemblance to the XOI Loss model [11], a method for calculating risk from scenario analysis [12].

[5] Wang, L., Islam, T., Long, T., Singhal, A., & Jajodia, S. (2008). An attack graph-based probabilistic security metric. Data and Applications Security XXII, 283-296.
[6] Frigault, M., Wang, L., Singhal, A., & Jajodia, S. (2008). Measuring network security using dynamic Bayesian network. Proceedings of the 4th ACM Workshop on Quality of Protection. ACM.
[7] Homer, J., Ou, X., & Schmidt, D. (2009). A sound and practical approach to quantifying security risk in enterprise networks. Kansas State University Technical Report, 1-15.
[8] Singhal, A., & Ou, X. (2011, September). Security risk analysis of enterprise networks using probabilistic attack graphs. US Department of Commerce, National Institute of Standards and Technology.
[9] Schiffman, M., Eschelbeck, G., Ahmad, D., Wright, A., & Romanosky, S. (2004). CVSS: A common vulnerability scoring system. National Infrastructure Advisory Council (NIAC).
[10] ANSI / Internet Security Alliance (2008). The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask. Retrieved November 24, 2014, from http://isalliance.org/publications/1A.%20The%20Financial%20Impact%20of%20Cyber%20Risk%2050%20Questions%20Every%20CFO%20Should%20Ask%20-%20ISA-ANSI%202008.pdf.
[11] Condamin, L., Louisot, J., & Naim, P. (2007, January 30). Risk Quantification: Management, Diagnosis and Hedging (Vol. 409). John Wiley & Sons.
[12] ANSI (2010). The Financial Management of Cyber Risk. Retrieved November 24, 2014, from http://publicaa.ansi.org/sites/apdl/khdoc/Financial+Management+of+Cyber+Risk.pdf.

Page 5: The Evolution of Cyber Risk and Mitigation Strategies

5

Having arrived at a fairly abstract formula for calculating net financial risk, there is still a need to acquire data, relatively scarce within cyber risk, to input into this equation. Wipro, an IT consulting firm, recently published an article with a high level overview of how an organisation could measure cyber risk [13]. Their suggestion was to measure organisations along three core dimensions:

- Core business assets to be protected
- Ability of the organisation to identify and analyse threats
- Defences (proactive defence, attack detection, and response management)

This allows organisations to be compared with each other against three main dimensions and provides some guidance as to the aspects an organisation should look at. However, it still doesn’t give a concrete monetary amount or probability, in the way that assessments of other operational risks can more easily yield. Difficulties in effectively quantifying cyber risk do not end at the risk calculation itself. A paper published in 2009, titled Quantified Security is a Weak Hypothesis [14], concluded that “it is unknown if the methods are valid or not in representing operational security”, noting that there has been very little empirical validation of existing quantitative methods to demonstrate that any of them are actually effective and accurate. Statistical approaches are ineffective due to the low frequency of incidents, whilst causal approaches are similarly difficult due to the uncertainty in cyber security, especially given the pace of change in IT.

Prominent Cyber Risks

The term cyber risk encompasses an incredibly large set of risks, being any risk related to the failure or incorrect functioning of information technology systems. Despite this variance, the majority of people focus on cyber-attacks from third parties (which we will question later in the report), and thus we will look at some of the key malicious threats over the years.

The first real acts of cyber-attacks came with the introduction of malware. This is malicious software that is used to alter or disrupt computer operations, acquire access to private computer systems or gather sensitive information. Malware can be used as direct sabotage or to operate undetected in the hope of causing greater damage in the long run (known as Trojan horses). Initially malware was only transferred by creating an infected floppy disk, from which a copy of itself was inserted into the executable boot sectors of a computer. However, with the arrival of the internet, so-called viruses evolved into worms, the first well-known case being the Internet Worm of 1988, where the malware was network-borne, exploiting vulnerabilities in network server programs in order to replicate itself. Malware is still very much used in practice today, and as mentioned it has grown since its inception, producing variant types over the years. It was the most prominent external threat until social engineering.

[13] Wipro (2014). How Do You Measure Cyber Risk? Retrieved November 24, 2014, from http://www.wipro.com/insights/winsights/jan-mar-2014/how-do-you-measure-cyber-risk.
[14] Verendel, V. (2009). Quantified security is a weak hypothesis: a critical survey of results and assumptions. Proceedings of the 2009 Workshop on New Security Paradigms. ACM.

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Techniques are based on attributes of human decision-making and human biases. An extremely popular technique of social engineering is phishing (notably a variant known as spear phishing), and it’s particularly prevalent in retail banking. The act of phishing is fraudulently obtaining private information, and typically involves the phisher sending an email that appears to come from a real and commonly known bank or credit card company. A user will then enter their private information, such as bank or login details, unwittingly into the malicious site. Alternatively, social engineering has also been used together with malware, by first sending a phishing email and tricking a user into downloading an infected programme.

For attacks on organizations, Distributed Denial of Service (DDoS) techniques are currently the most common and effective cyber-attacks. These attacks are efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the internet. Volumetric attacks like this overwhelm a network’s infrastructure with bandwidth-consuming traffic or resource-sapping requests. For example, an attack can generate 100Mbps of traffic, which can definitely inconvenience or block access to a small site. However, attackers can collaborate through ‘botnet herding’ to significantly amplify the traffic volume. This is a method that the hacking group Anonymous, founded in 2011, have been using to shut down multiple corporate and government sites. They use botnet herding and coordination techniques to notify fellow “anons” of the time to start an attack, and therefore create enough of a traffic surge to affect the victim’s resources. Some attackers use even more advanced techniques such as NTP or DNS application attacks to generate traffic orders of magnitude greater. This method is particularly effective today partly due to the increased adoption of big data and cloud computing. The first, big data, is becoming relied upon to provide vital information to firms about their clients and processes. DDoS attacks can be made on networks containing this data, which generally have less complex security setups than core infrastructure such as Active Directory servers. Secondly, many firms choose to utilise cloud computing for many beneficial reasons, and the need to transmit data externally provides further vectors to attack networks.

Management and Mitigation

Within operational risk, and cyber security risk in particular, there are four ways of dealing with risk. Accepting risk as it is would risk fines and more potential losses in the future, and is deemed unacceptable. Elimination of such risks would be similarly difficult as IT has become such a crucial part of many businesses. Functionality such as websites, remote access, and backend IT infrastructure has become an invaluable part of many corporations. Transfer of risks is possible, and in the past two decades numerous specialized policies for insuring against the consequences of cyber security-related incidents have appeared, but these are often used as a final line of defence. The most common approach is still mitigation or risk reduction, through changes in the business and its policies.

The management of cyber security risks is somewhat different from many other operational risks in that there are malicious agents, and almost all attacks result from the actions of such agents rather than acts of God or inadvertent mistakes. Cyber security is also unique amongst other threats in having equal elements of both detection and prevention, and response and damage control. Contrast this with natural disasters, which are almost exclusively based on responses and business continuity, or fraud, which is much more focused on prevention techniques and processes.

As a result of this complexity there is a challenge to develop robust cyber risk management processes. In order to address this, a summary of cyber security questions for CEOs was published by the DHS [15] which noted a number of themes central to effective cyber threat mitigation, including:

- To incorporate cyber risks into existing risk management and governance processes.
- To elevate risk discussions to the CEO.
- To maintain situational awareness of cyber threats.
- To implement best standards, rather than mere compliance to the legal minimum.

The first point is a theme that appears in numerous publications - that cyber risk is currently restricted to IT security teams, and does not adequately involve all the stakeholders. In the past it has often been seen as strictly a technology issue, and risks seen as technology failures. As a result, mitigation techniques have too often been restricted to technical solutions. Examples of this include employees losing laptops and data, where the solution is normally data encryption [16], rather than an assessment of the policies that allowed the laptop to leave the company premises, or of failures in following the policy. PwC notes in its findings from the Global Cyber Security Survey 2008 that companies “trumpet a headlong rush into technology, [but] these investments don’t necessarily mean better security.” [17] Following natural disasters, organizations often have plans to ensure business continuity across the entire organization. However, whilst IT teams ensure software, configuration, and process compliance, there is no equivalent planning and discussion for serious IT breaches and security failures involving the whole organization.

Involvement of stakeholders in organizations has gradually improved in the past couple of years, involving not only IT, but also risk teams. But it should involve many more departments, including legal, compliance, operations, and communications [18] when incidents do occur. An interdepartmental approach is needed, far from just being a tech issue for IT. A survey in 2008 done by CMU showed that only 17% of corporations had a cross-organizational privacy/security team [19]. By 2012 this had increased to 72% [20], which is a significant improvement within four years. Despite this increase, however, there still remains a significant proportion of corporations that do not have such cross-organizational teams bridging the gap between IT and risk. Indeed, the CMU governance report in 2012 states that “while placing high importance on risk management generally, there is still a gap in understanding the linkage between IT risks and enterprise risk management”.

[15] DHS (2013). Cybersecurity Questions for CEOs. US-CERT. Retrieved November 25, 2014, from https://www.uscert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf.
[16] Martin, P. K., Inspector General (2012). NASA Cybersecurity: An Examination of the Agency’s Information Security. US House of Representatives, Feb.
[17] PwC (2008). Safeguarding the new currency of business: Findings from the 2008 global state of information security study.
[18] ANSI (2010). The Financial Management of Cyber Risk. Retrieved November 24, 2014, from http://publicaa.ansi.org/sites/apdl/khdoc/Financial+Management+of+Cyber+Risk.pdf.

Cyber risk was not acknowledged and incorporated into the management and governance process for a substantial amount of time, and even when it was introduced in the last decade, there has still been a lack of supporting policies and their enforcement. Evidence of this is a study conducted by Verizon in 2008, which showed that in 59% of data breaches, policies and procedures existed that could have prevented such incidents, but were not followed through. The study also noted that 87% of breaches were considered avoidable through reasonable controls (by enacting or enforcing policies) [21]. In a similar report published a year later, it was found that for every software vulnerability exploited by hacking or malware, a patch had been available at least six months prior, but the compromised systems were not patched [22]. Furthermore, a publication by CESG released in 2013 showed that of its studied attacks, 80% of known attacks could have been prevented by basic information risk management practices [23]. The recurring theme is that current cyber-attacks are often successfully carried out not because of poor technology, but because of poor processes to secure this technology, and in many cases, failure to follow the processes even when they are in place.

The second theme is involvement of the CEO and other members of the C-suite. Cyber security used to be viewed as a specialised issue, with the technology under the remit of the CTO, high level enterprise risks under the CRO, and data-related issues under a CISO/CIO if appointed [24]. Previously, members of the C-suite were very rarely expected to understand topics outside their domain, and as a result C-suite members often have not known about cyber threats and their risks. However, as operational risks and indeed cyber risks have grown in prominence during this last decade, cyber security risks are now increasingly the joint responsibility of the CTO, CIO, CRO, CISO, and even the COO.

Awareness of IT risks is being raised at the same time as increasing regulation in operational risk, encompassing cyber security risk. As a result, roles such as the CISO are becoming more prevalent, a dedicated role to oversee the “confluence of IT security and audit” [25]. Indeed, some organisations take this a step further, with multiple CISOs specializing in business, technology, or strategy – 7% of respondents for the PwC 2011 Global Information Security Survey reported having more than one CISO [26]. Another PwC report in 2014 found that 68% of corporations in Europe and 65% in North America employed a CISO [27]. The figures for APAC and LATAM are even higher. Today, the discussion is not whether to have a CISO, but rather whether they’re important enough to report directly to the CEO, as opposed to the CIO as is commonly the case today [28].

[19] Westby, J. R. (2010). Governance of Enterprise Security: CyLab 2010 Report. Pittsburgh, PA.
[20] Westby, J. R. (2012). Governance of Enterprise Security: CyLab 2012 Report. Retrieved November 25, 2014, from http://www.hsgac.senate.gov/download/carnegie-mellon-cylab-cybersecurity-report.
[21] Verizon (2008). 2008 Data Breach Investigations Report. Retrieved November 26, 2014, from http://www.verizonenterprise.com/resources/security/databreachreport.pdf.
[22] Verizon Business (2009). 2009 Data Breach Investigations Report. Verizon, March.
[23] CESG (2013). 10 Steps to Cyber Security: Executive Companion. Gov.uk. Retrieved November 26, 2014, from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/73128/12-1120-10-steps-to-cyber-security-executive.pdf.
[24] Economist Intelligence Unit (2005). The evolving role of the CRO. The Economist Intelligence Unit, London/New York/Hong Kong (May).

In the aftermath of the financial crisis, the regulatory climate has been highly risk-averse towards all types of risk. In combination with recent high-profile cyber-attacks, this has vastly raised the awareness of cyber risk amongst C-level staff, and improved senior management’s understanding of how to identify such risks. Today, we see year-on-year increases in the proportion of CEOs who claim to identify cyber security risks as important and are actively seeking proven or new approaches to deal with such risks. This awareness is apparent not only in industry business leaders, but also in government and regulators. In 2013, Obama mentioned cyber threats as one of the core threats to the USA in his State of the Union address29, and subsequently issued an executive order to improve critical national infrastructure30. In mid-2014, at a BBA cyber conference30, the BoE highlighted that cyber risk was the most commonly mentioned specific risk within operational risk in their industry survey32.

Despite previous difficulties with digital immigrants at C-level and a lack of understanding about cyber security risk at this management level, significant progress has been made in recent years. Company-wide approaches are increasing, and this will help to effect more risk-aware cultures across organizations.

The third theme is to maintain situational awareness of risks, and to plan for them effectively. Like the previous two themes, there had been little to no implementation of this before the current decade. At present this is done as part of operational risk assessment. Although it cannot be quantified as easily as other types of OR, methods for risk identification still apply, such as heat maps and scenario analysis. The difficulty is usually in dealing with the wide range of scenarios. As mentioned before, the types of perpetrators of cyber-attacks and their motives have evolved over time, from harmless hacking to targeted espionage. This has had the knock-on effect of constantly evolving techniques, and the increasing sophistication of attacks in combining multiple techniques and vulnerabilities. However, a new study published this year reveals that although the exact combination of techniques used to compromise a system may differ vastly across time and attacks, 92% of incidents (across all sectors) can be classified under nine basic patterns31. Depending on the sector, certain types of attack can be focused on - for example, the majority of incidents against financial services firms were either DDoS, web app attacks, or payment card skimming (pre-EMV), and so corporations in finance could focus on scenarios based around these three areas.

25 Tom Borton (2014). Tom Borton - Evolution of the CISO.pdf. Retrieved November 27, 2014, from https://chapters.theiia.org/Orange%20County/IIA%20OC%20Presentation%20Downloads/2014%20Joint%20IIA%20ISACA%20Spring%20Conference/Tom%20Borton%20-%20Evolution%20of%20the%20CISO.pdf.
26 John Kirkwood (2014). Who should the CISO report to? | CSO Online. Retrieved November 27, 2014, from http://www.csoonline.com/article/702330.
27 PwC (2014). The Global State of Information Security® Survey 2014. Retrieved November 27, 2014, from http://www.pwchk.com/home/eng/rcs_info_security_2014.html.
28 Bob Bragdon (2014). Maybe it really does matter who the CISO reports to | CSO ... Retrieved November 27, 2014, from http://www.csoonline.com/article/2365827/security-leadership/maybe-it-really-does-matter-who-the-ciso-reports-to.html.
29 (2013). President Barack Obama's State of the Union Address -- As ... Retrieved November 25, 2014, from http://www.whitehouse.gov/the-press-office/2013/02/12/president-barack-obamas-state-union-address.
30 Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”. Federal Register 78 (2013): 11737-11744.
30 (2014). Managing cyber risk – the global banking perspective. Retrieved November 25, 2014, from http://www.bankofengland.co.uk/publications/Documents/speeches/2014/speech735.pdf.
32 (2014). Bank of England Systemic Risk Survey. Retrieved November 25, 2014, from http://www.bankofengland.co.uk/publications/Documents/other/srs/srs2014h1.pdf.

A more comprehensive approach to risk identification and analysis was published by Lockheed Martin, looking at the Cyber Kill Chain32, the stages of a successful cyber-attack. Instead of focusing on particular vulnerabilities from the organization's perspective, it identifies the steps a third party needs to take to mount a successful attack. Whilst this approach shows promise in that it purports to cover all the potential bases, allowing multiple opportunities to foil an attack, it fails to deal with the most common causes of breaches - the failure of (or the failure to enact) appropriate business processes, and even the most basic preventative security measures.

A lot of thought and discussion goes into the prevention of cyber risk, but when there are multiple variants of attack this is extremely challenging. An equal amount of time should also be spent on the last line of defence, reducing the impact of a cyber-attack, typically through insurance. The first specialised policies extending crime insurance to cover physical access to computer systems appeared in the 1970s. The first insurance policies targeting hackers appeared in 1998, and by 2000 cyber insurance plans covering first- and third-party losses were available on the market33. However, growth in the market for such specialized policies did not pick up until the late noughties. In 2010, there were 19 insurers in the US which offered policies for cyber security breaches. By 2012 this had more than doubled to 39, with an estimated cyber insurance market exceeding $1b34.

The practice of mitigating cyber risk through insurance policies is no longer novel, as corporations identify the need for such a line of defence, and the insurance market has responded accordingly. Losses that current policies cover fall under two main themes - those resulting from loss of PII, and those affecting the business operation directly. The former includes typical costs such as third-party liability and regulatory fines, whilst the latter covers costs associated with business interruption, expenses needed to complete audits and RCAs of the breached systems, and even public relations costs to rectify reputational damage. A point to note is that the policies primarily underwrite the business processes based around technology rather than the technology itself. This continues the idea, running throughout, that while technology is inherent to cyber security, it plays only a small role in the management and mitigation of cyber security risk, both because of the overwhelming impact the supporting non-technical processes have on the risks, and because of the difficulties in measuring the risk within the technology and IT systems themselves.

31 Verizon (2014). 2014 Verizon Data Breach Investigations Report (DBIR ... Retrieved November 26, 2014, from http://www.verizonenterprise.com/DBIR/2014/.
32 Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1, 80.
33 Ty R. Sagalow (2013). An Executive View of Cyber Risk Management. Retrieved November 25, 2014, from http://www.nymissa.org/wp-content/uploads/2013/09/SAGALOW-ISA-II-manage-cyber-risk-9-18-13-ISSA-ChapterMtg.pdf.
34 Richard S. Betterley (2013). CYBER/PRIVACY/MEDIA LIABILITY MARKET SURVEY ... Retrieved November 25, 2014, from http://www.casact.org/community/affiliates/CANE/0412/Betterley.pdf.

The final theme of note is compliance and regulation. Unlike the other themes, compliance and regulation have been around for a significant amount of time. However, the type and level of regulation has changed drastically over the years, from single laws and acts being passed on a relatively ad hoc basis to regular and multiple restrictions and demands from regulators post-GFC.

As governments have become increasingly acquainted with the risks of cyber security and the methods to reduce them, there has been an encouraging tendency to focus on collaboration and investment in mitigation research and expertise, rather than, as has traditionally been the case, legislation and enforcement that shift the onus onto corporations. Thus, instead of acting simply as the regulator, governments are now often at the heart of collaborative efforts spanning industry, intelligence and security services, law enforcement, and academia. In the US, a prominent example of this is the CERT Program, part of the Software Engineering Institute at CMU, which operates with federal funding from and collaboration with the DoD. The equivalent in the UK is the more recently established CERT-UK, which acts similarly as a bridge between industry, government, academia, and indeed other CERTs around the world. Industry-government data sharing is facilitated by the CiSP initiative, a subcomponent of CERT-UK.

A more material and industry-specific example in the UK is CBEST, a framework to improve the resilience of the UK financial services sector to cyber-attacks35. Whilst there is an element of policy enforcement and encouragement to adhere to recommended policies, the scheme itself is voluntary, and the hope is that corporations will participate of their own will, both for the benefit of their organization and of the wider sector. What such schemes offer, apart from recommendations and guidelines, is expertise and information sharing across a wide range of organizations, from government (GCHQ, CESG, BoE), to security specialists (CREST, Digital Shadows), to peer organizations (other financial services firms). Such schemes aim to look at the wider picture, that of entire organizations or indeed an entire sector, rather than single systems or environments. Collaborative approaches in cyber security can be contrasted with previous governmental and industry approaches to systemic issues, such as that towards digital piracy. These included heavy but uncoordinated investment in technology (DRM), regulation (CDPA 1988, DEA 2010) and enforcement (site blocking, the Intellectual Property Office), which to date has yielded little result.

The DHS recommends that organizations implement the best industry standards rather than merely comply with minimal regulations, but the theme stretches much further, to how regulations are defined and what their impacts are. Businesses have in the past expressed concern regarding the value of regulation in itself36. Their three main areas of concern were a lack of faith in officials' understanding of the sector, the possibility that poor regulation would level down security, and the unintended consequences of mandatory disclosure. On the first point, the sentiment is similar to that towards other red tape and bureaucracy - that “regulation is a lot of useless activity at great cost, that provides little to no security”. On the second, businesses felt that in diverse sectors in particular, standards would be flattened. For a small number of businesses, it would be of benefit. But for many others, it would provide a false sense of security, with what are actually minimal standards being treated as a recommendation, and reduce incentives for more sophisticated organizations to go beyond the statutory regulations. The final risk with regulation is that mandatory disclosure of security breaches may have counterproductive effects - organizations may target investment and policies at discrete regulatory requirements rather than planning for security across the organization, and modify policies to reduce the number of reportable incidents rather than actually reducing the likelihood of such incidents. As a paper published in 2000 notes with regard to risk modelling, in reference to Goodhart's law, “A risk model breaks down when used for regulatory purposes”37.

35 (2014). CBEST implementation guide - Bank of England. Retrieved November 25, 2014, from http://www.bankofengland.co.uk/financialstability/fsc/Documents/cbestimplementationguide.pdf.
36 Baker, S. A., Waterman, S., & Ivanov, G. (2009). In the crossfire: Critical infrastructure in the age of cyber war. McAfee, Incorporated.

Challenges

In the coming years, IT will play an increasing role in businesses across all sectors. We see three main technology-related issues which will impact businesses and require transformational change in order to remain competitive. Unfortunately, all of these changes will be accompanied by new risks.

Firstly, the rate of change has increased dramatically over the past decade, and this trend is set to continue at similar, if not faster, rates. Software updates are now monthly or even weekly, as opposed to the traditional major release every 1-3 years. Some software houses now deploy new code to production up to 50 times a day38. Whilst the benefits of agile, such as allowing for easier rollbacks, are undisputed, the risk from so many deployments without adequate testing also increases dramatically. Risk management strategies will not only have to change, but will have to be able to cope with change, both in the usage of technology and, increasingly, in the consequential business transformations.

Secondly, with an increasing number of technology products being developed and maturing, businesses will become increasingly dependent on IT as cost gains from increased automation and efficiency are identified and realized. IT is no longer limited to workstations, but now includes new devices and technologies and client- and customer-facing IT, and an ever-increasing proportion of business work is done on computers or even automated. This is not limited to any particular sector - technologies such as SCADA and smart grids may only impact infrastructure or manufacturing-related sectors, but others such as cloud computing and mobile devices will be increasingly adopted across all sectors. To limit risk by limiting the use of such new technologies is impossible - some are driven by client needs or cost requirements, and failure to adapt will threaten the viability of the business itself. Whilst operational risk can be reduced by following best practices and processes, strategic risk can often only be managed by embracing change.

Finally, many of the challenges that have existed in IT since the 80s have yet to be solved, and these persistent issues are increasingly the source of the most frequently exploited vulnerabilities. User authentication has been an intense topic of research, both in academia and industry, but to this day has changed very little from the basic username and password. A wide range of attacks centred around this weak link has developed over the years, from password database hacking in the beginning, to keyloggers at the turn of the century, to social engineering, now one of the most common and successful techniques. Another topic that has persisted since the beginning of the last decade is the management of mobile and external devices in corporations. The approach most businesses have taken has been to use a walled garden ecosystem such as BlackBerry and Microsoft Exchange, and to forbid the use of any other devices on the network. Whilst offerings by Google and Apple have aimed to facilitate remote device management and allow a much larger variety of devices to be used by employees, there is often still a blanket policy against BYOD and remote working, sacrificing potential increases in productivity in favour of tighter controls over company data and network access. That said, progress has been made in both of these areas, with examples such as federated identities and Google’s recent BeyondCorp project.

37 Daníelsson, J. (2002). The emperor has no clothes: Limits to risk modelling. Journal of Banking & Finance, 26(7), 1273-1296.
38 (2014). How Etsy Deploys More Than 50 Times a Day - InfoQ. Retrieved November 25, 2014, from http://www.infoq.com/news/2014/03/etsy-deploy-50-times-a-day.

Improvements in operational awareness and current techniques are set to continue, as they have substantially over the past few years. The progress seen in raising the profile of cyber security risks has been promising, both in the boardroom and across organizations, as reflected in governance structures and processes. However, two main challenges have already begun to emerge in this area, both related to the human element. Firstly, there is an increasing shortage of security specialists, both in the UK and across the sector worldwide. There have been numerous attempts to increase interest and training in this field, and indeed in computer science as a whole, but the results have yet to be significant. Secondly, organizations are still slow to increase training in risk management for non-technical employees. Compliance training in areas such as fraud and due diligence is already prevalent, but cyber security training and awareness is still insufficient. As a result, whilst those in IT, risk, and management may acknowledge the risks in cyber security, many employees are still unaware of the risks present, frequently engaging in risky practices such as leaving screens unlocked, sending sensitive information over unsecured channels, and sharing passwords, with disastrous consequences39,40.

The results of governmental efforts in this area have yet to be seen. However, past government projects show that there are significant risks with government schemes in general, especially when related to IT. Issues have often been related to poor management, a lack of involvement with other stakeholders, and running schemes too close to central government and politics rather than at arm’s length through a specialized agency. Commonly cited examples include Healthcare.gov and the NHS National Programme for IT. Conversely, successful projects have often been overseen by agencies operating without political interference as semi-independent entities, such as DARPA and many federally/government-funded, industry/academia-run schemes. Lack of involvement with potential stakeholders is also a recurring theme. In cyber security, although specialized agencies are heavily involved in collaborative efforts, sector regulators are rarely involved in systemic cyber threats, and their involvement is crucial to understanding the specific needs and risks of a particular sector.

Conclusion

Far from becoming easier, IT risk management is becoming more difficult, and efforts to quantify and mitigate risk have not yet caught up. We have seen efforts to quantify the two aspects of cyber risk - the processes and human element, measured like many other operational risks, and the technology, where the main approach is formal analysis of attack vectors. Quantification of cyber security risk today is at around the stage operational risk was before the financial crisis. Corporations have yet to incorporate many of the methodologies devised in academia into their own risk calculations, but most sectors, especially financial services, are fully aware of the presence of such risks, and of the need to manage them.

39 Bright, P. (2011). Anonymous speaks: The inside story of the HBGary hack. Ars Technica, 15.
40 (2011). Lincoln Financial Services, Inc. AWC - FINRA. Retrieved November 25, 2014, from http://www.finra.org/web/groups/industry/@ip/@enf/@ad/documents/industry/p122945.pdf.

Currently, the main strategies for mitigating cyber risk centre on raising awareness across organizations and ensuring good practices for all employees. To date, significant progress has been made in identifying, raising awareness of, and implementing policies against the risks, though only time will tell regarding their effectiveness. Regulation has also developed around reducing cyber risks, and although some scepticism remains over the efficacy of government intervention, collaborative approaches have been well received and have facilitated expertise and information sharing. The results of such efforts remain to be seen, but the high priority placed on managing and mitigating cyber risk across industry, academia, and government is encouraging - the political willpower is definitely present. Malicious cyber-attacks are still ever present, shifting from malware to social engineering and DDoS attacks. Preventing these is extremely challenging, and possibly futile as new types of attack appear, but the recognition and awareness of cyber threats is a promising start to long-term mitigation.

In the near future, we foresee current efforts continuing, with risk measurement practices moving from academia into industry, and the gradual maturing of cyber risk regulation and policies. However, corporations must not be complacent - IT continues to evolve at an ever-increasing rate, putting pressure on all areas of the business to deal with new challenges and threats, be they competitors, criminals, or client demands. Risk management practices must evolve to cater to the needs of the business environment, and to avoid continuously playing catch-up with IT and the rest of the business, risk departments will need to adapt to the new pace of change.

The Evolution of Cyber Risk and Mitigation Strategies
David Johnson & Horace Li

Agenda
● Introduction
● Quantification
● Prominent Cyber Risks
● Management & Mitigation

Introduction: Past
● Technology a novelty
● Notion of cyber risk almost non-existent
● One type of hacker, with a motive to gain reputation

Introduction: Present
● Technology embedded into modern society
● Cyber risk regarded as one of the most important risks
● Hacking motives and types of perpetrators have expanded

Quantification
● Direct vs Indirect Impact
● Statistical vs Causal
● Processes vs Technology

Quantification - Attack Graphs

Management & Mitigation
● DHS (2013) Cybersecurity questions for CEOs - key themes
  o To incorporate cyber risks into existing risk management and governance processes.
  o To elevate risk discussions to the CEO.
  o To maintain situational awareness of cyber threats.
  o To implement best standards, rather than mere compliance to the legal minimum.

Risk Management and Governance
● “[Companies] trumpet a headlong rush into technology, [but] these investments don’t necessarily mean better security”
  o PwC (2008)
● “In 59 percent of data breaches, the organization had security policies and procedures established for the system but these were not enacted through actual processes.”
  o “Stated differently, victims knew what they needed to do, fully intended to do it, but did not follow through.” Verizon (2008)

C-Suite Awareness
● Siloed
  o CTO vs CRO
● Cross-functional
  o CISO
  o CTO
  o CIO
  o CRO
  o CEO

Risk and Threat Identification
● Scenario Analysis
  o Varying Techniques, Motives
  o 92% of incidents (all sectors) based on 9 basic patterns
    e.g. Financial Services - web app attack, DDoS, card skimming

Standards and Regulations
● McAfee (2009)
  o Worry that regulation is “a lot of useless activity at great cost, that provides little to no security”
  o Would level down security
  o Unintended consequences
● Focus on collaboration
  o CERT
  o CBEST
  o SEI
● Best standards, not minimum requirements

Insurance
● Estimated cyber insurance market $1B (2012)
● Focus on processes, NOT technology
  o Liability and loss of PII
  o Business disruption

Conclusion
● Awareness
● Political willpower
● Implementation
● Active vs passive approaches