Title: Department of Computer Science and Engineering and the South Carolina Information Technology Institu
Slide 1: The Economic Impact of Cyber Attacks: The Global Picture (Chapter 9)
Slide 2: Risk Assessment
Slide 3: Financial Loss
Dollar Amount Losses by Type
Total Loss (2006): $53,494,290 (CSI/FBI Computer Crime and Security Survey, Computer Security Institute)
Slide 4: System Security Engineering (process diagram)
- Specify System Architecture
- Identify and Install Safeguards
- Identify Threats, Vulnerabilities, Attacks
- Prioritize Vulnerabilities
- Estimate Risk
- Risk is acceptably low
Slide 5: Security Protection
Slide 6: Allocating Resources
- Limited resources
- Acceptable level of risk
- Tie technical risk to business risk
Slide 7: Making a Business Case
- Description of the problem
- List of possible solutions
- Constraints on solving the problem
- List of underlying assumptions
- Analysis of each alternative, including risks, costs, and benefits
- Summary of why the proposed investment is good
Slide 8: Influences on Cyber Security Investment Strategy
- Regulatory requirements
- Network history or IT staff knowledge
- Client requirements
- Results of internal or external audit
- Response to current events
- Response to compromised internal security
- Reaction to external mandate or request
Slide 9: Determining Economic Value
- Many different ways to determine value:
  - Internal rate of return
  - Return on investment
  - Net present value
- Investment analysis is the best way to allocate capital and human resources
- Accounting measures are inappropriate for evaluating information security investments
Slide 10: Quantifying Security
- Difficult problem:
  - Not fully understood
  - Limited historical data to estimate likelihood
  - Attacks that are possible but haven't happened
- Threat estimation uses:
  - Number and types of assets needing protection
  - Number and types of vulnerabilities that exist in a system
  - Number and types of likely threats to a system
Slide 11: Data to be Protected
- National and global data
- Enterprise data
- Technology data
Slide 12: Real Cost of a Cyber Attack
- Damage to the target may not reflect the real amount of damage
- Other services may rely on the attacked service, causing cascading and escalating damage
- Decision makers need support to:
  - Evaluate the risk and consequences of cyber attacks
  - Support methods to prevent, deter, and mitigate the consequences of attacks
Slide 13: Jess-Based Modeling
- Graphical tool to model system components, values, dependencies, and compensating rules
Slide 14: Cascading and Escalating Effects
- Model cascading and escalating damage.
Slide 15: Presentation slides for a research project on cyber insurance. Presented by Sarika Saxena. Recommended reading only.
- A Framework for Using Insurance for Cyber-Risk Management, Lawrence A. Gordon, Martin P. Loeb and Tashfeen Sohail
- CSCE 824, Spring 2005: Secure Database Systems
- Sarika Saxena
- Department of Computer Science and Engineering, USC
- April 14th, 2005
Slide 16: Contents
- History and Facts
- Introduction: Cyber Insurance
- Unique Characteristics: Cyber Risks
- Insurance companies, policy issues
- Insurance Coverage
- Framework for Information Security
- Four-step Decision Plan
- Conclusions
- References
Slide 17: History and Facts
- Information security issues are at the forefront of the agenda for corporate executives.
- Brought into importance by the 2002 CSI/FBI survey (responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities):
  - 90% of respondents detected a security breach.
  - Average estimated loss: $2 M per organization.
  - 74% reported their Internet connection as a point of attack.
  - 223 respondents reported approximately $456 M in financial losses.
Slide 18: How did Cyber Insurance come into existence?
- Traditional security measures (passwords, biometrics, antivirus software, intrusion detection systems, etc.) cannot fully eliminate the risk of security breaches and the associated losses, so a new approach was developed.
Slide 19: Cyber Insurance
- Deals with the risk of substantial financial losses that remains after technical security measures have been instituted.
- Provides coverage against losses from computer network, intranet and Internet related breaches (typically, anywhere data can flow electronically).
- A firm may hedge its potential losses from cyber crime.
Slide 20: Unique Characteristics of Cyber-Risk
- Location: a perpetrator may be thousands of miles away from the business location.
- Degree: virus damage can go beyond effects on data and software (business interruption, defamation, etc.).
- Visibility: the commodity on the Internet is information. Security breaches (of a firm's sensitive information) often go undetected.
Slide 21: Insurance Companies and Policy Issues
- Companies:
  - AIG, Chubb, Fidelity and Deposit, Marsh, Lloyd's of London, etc.
- In designing new policies, the issues addressed are:
  - Pricing
  - Adverse Selection
  - Moral Hazard
Slide 22: Pricing
- Traditionally relies on actuarial data constructed from voluminous historical records.
- The Internet is relatively new, so histories of e-crimes and related losses do not exist.
- Insurance companies are trying to quantify what some claim is an unquantifiable risk.
Slide 23: How to quantify risk?
- Quantitative model: determine the chance and frequency of e-crimes and related losses; the equivalent of actuarial tables can help. AIG and others are already building actuarial tables.
- Private incident-response centers are gathering and publishing statistical data on the frequency of certain events that could expose risk.
- Government and research databases are also filling with information that is quickly growing large enough to detect trends and probabilities.
- CERT Coordination Center at Carnegie Mellon: 15,167 incidents were reported in 2000, an increase from 9,859 in 1999. These reports could be mined for deeper statistical data.
Slide 24: Adverse Selection
- Refers to the problem that arises because a firm choosing to insure against a particular loss is likely to have private information not available to the insurance company at the time of contracting.
Slide 25: How to deal with Adverse Selection?
- Security audit: when offering an insurance policy, insurance firms require an information security audit.
- Identify high-risk users: insurance firms identify these users and differentiate the premium for them.
- Example: JS Wurzler, offering a policy to cover loss from hackers, adds a surcharge to firms using Microsoft's NT software for Internet operations. Insurers consider Microsoft NT high-risk.
Slide 26: Moral Hazard
- Adverse selection deals with the insured's private information prior to contracting.
- Moral hazard deals with the insured's lack of incentive to take actions that reduce the probability of a loss after purchasing the insurance.
Slide 27: How to deal with Moral Hazard?
- Deductibles: the insured will suffer some loss if a security breach occurs. This provides a monetary incentive for the insured to take actions that reduce the likelihood of the loss actually occurring.
- Premium reductions: policies offer these reductions for taking actions that reduce the probability of a loss.
- Example: AIG offers discounts for firms using Invicta Networks' security device for shifting Internet Protocol addresses.
Slide 28: What Cyber Insurance Covers
- Computer networks, Internet, e-mail and websites exposed to damage and liabilities from unexpected sources like defamation, hacking, fraud or virus attack.
- The costs of third-party legal claims against you (the insured company) arising out of your e-activities (e-mail, e-commerce and your website).
- Losses suffered as a result of viruses or hackers, even if your employees carry out or aid the attack.
- Your liability due to your customers' credit card numbers being stolen, or the theft of your money during transactions on electronic networks.
Slide 29: Cyber Insurance Coverage (continued)
- Claims made against you by your employees for an unsuitable office environment due to disturbing e-mail content or website use, or due to breaches of confidentiality.
- Financial losses suffered due to a business interruption that prevents you from using your computer systems or trading via your website.
- Damage to your computer network or any data you hold electronically arising from unauthorized access.
Slide 30: Policies Available
- Chubb's Cyber Security
- AIG's NetAdvantage Security
- Hiscox's Hackers Insurance
- Legion Indemnity's INSUREtrust
- Lloyd's e-Comprehensive
- Marsh's NetSecure
- St. Paul's Cybertech
Slide 31: First-Party Risks
- Occur when the insured faces the possibility of a loss of profits due to:
  - Theft of trade secrets
  - Destruction of the insured's property (software, hardware and data)
  - Extortion from hackers
Slide 32: Third-Party Risks
- Faced by the insured because of damages caused, directly or indirectly, to another firm or individual.
- Includes liabilities for:
  - A computer virus inadvertently forwarded
  - Failure to provide products (as contracted) because a hacker or virus stopped the insured's delivery system
  - Content placed on the company's website (infringement of copyrights)
  - Theft of information held about a third party, such as credit card records
Slide 33: Cyber-Risk Management Framework for Information Security
- The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
- The value of the information vulnerable to threats also needs to be considered.
- Value-Vulnerability Grid:
  - Helps identify which information should receive what level of security.
  - Categorizes information from high to low for both value and vulnerability.
Slide 34: Value-Vulnerability Grid (figure)
Slide 35: Next, reduce information security risk to an acceptable level.
- The acceptable level varies from organization to organization, based partly upon the location of the information in the V-V grid.
- Two steps to reduce risk:
  1. Invest in protecting against the risk of actual security breaches by installing firewalls, encryption and access control techniques.
  2. Acquire cyber-risk insurance.
Slide 36:
- 483 computer security practitioners in US corporations, government agencies, financial and medical institutions, and universities participated.
Slide 37: (No transcript)
Slide 38: Cyber-Risk Management Framework for Information Security
- Cyber-Risk Management Process
Slide 39: Decision Plan
Slide 40: Conduct an Information Risk Audit
- The audit uncovers the firm's information security risk exposure and places a value on that exposure.
- Assure that intrusion detection systems are in place to provide documentation on breaches.
Slide 41: Assess Current Insurance Coverage
- Corporate executives review existing property and liability insurance policies.
- The review focuses on gaps in Internet-related coverage in the current policies.
Slide 42: Examine and Evaluate Available Policies
- Puts the firm in a better position to negotiate with its current insurance providers.
- Consider the firm's potential losses and the security measures in place.
Slide 43: Select a Policy
- Select the policy appropriate for the unique circumstances of a given firm.
- The policy should have the desired additional coverage at an acceptable price.
- Companies should determine the portion of financial risk they want the insurance company to cover and the residual portion they are willing to bear.
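A worked calculation, added here and not part of the deck, that ties together slides 9, 10, 33-35 and 43: expected annual loss from assets, breach likelihood and exposure; placing each asset in the Value-Vulnerability grid; the NPV of a safeguard investment against the loss it avoids; and how a deductible policy splits one incident's loss between insurer and insured. The asset list, probabilities, dollar figures and grid thresholds are all constructed for illustration.

```python
"""Added worked example (not from the slides): all dollar figures and
probabilities below are constructed for illustration."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float      # dollar value of the information at stake (constructed)
    p_breach: float   # estimated annual probability of a breach (constructed)
    exposure: float   # fraction of the value lost when a breach occurs

def expected_annual_loss(a: Asset) -> float:
    """Likelihood x impact: the quantity the deck says is hard to estimate."""
    return a.p_breach * a.exposure * a.value

def vv_cell(a: Asset, value_cut: float = 1e6, vuln_cut: float = 0.2) -> str:
    """Place an asset in the Value-Vulnerability grid (high/low on each axis)."""
    v = "high" if a.value >= value_cut else "low"
    u = "high" if a.p_breach >= vuln_cut else "low"
    return f"value={v},vulnerability={u}"

def npv(cash_flows, rate: float) -> float:
    """Net present value; cash_flows[0] is the year-0 (up-front) amount."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

def safeguard_npv(assets, cost, maint, reduction, years, rate) -> float:
    """NPV of a safeguard that cuts breach probability by `reduction` (0..1)."""
    eal = sum(expected_annual_loss(a) for a in assets)
    yearly = eal * reduction - maint          # avoided loss minus upkeep
    return npv([-cost] + [yearly] * years, rate)

def split_loss(loss: float, deductible: float, limit: float):
    """Deductible policy: how one incident's loss divides into (insured, retained)."""
    insured = min(max(loss - deductible, 0.0), limit)
    return insured, loss - insured

ASSETS = [  # constructed sample data
    Asset("customer card records", 2_000_000, 0.30, 0.50),
    Asset("marketing site content", 100_000, 0.40, 0.20),
    Asset("internal HR records", 500_000, 0.05, 0.60),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:24s} EAL=${expected_annual_loss(a):>9,.0f}  {vv_cell(a)}")
    print("safeguard NPV:", round(safeguard_npv(ASSETS, 250_000, 30_000, 0.5, 3, 0.08)))
    print("$900k breach, $100k deductible, $500k limit:", split_loss(900_000, 100_000, 500_000))
```

With these constructed inputs the safeguard has a positive NPV (about $89k over three years at 8%), so it is worth buying before insurance is considered; the deductible split then shows how much of a single large incident the firm still retains.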
Slide 44: Conclusions
- Information security risk has been highlighted by hacker attacks on high-profile US websites, computer viruses and thefts that caused considerable financial damage.
- Companies have invested heavily in security measures.
- No amount of security can prevent all breaches.
- A viable market has emerged for cyber-risk insurance to protect against financial losses.
- Insurance companies are uncertain about how to price their products, so there is considerable room for negotiating prices with agents.
Slide 45: References
- http://www.computerworld.com.au/index.php/id106527059relcomp1
- http://www.irmi.com/Expert/Articles/2001/Rossi02.aspx
- http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf