Policy Implications of Faulty Cyber Risk Models and How to Fix Them

Virtual October 22, 2020 1:00 pm - 1:40 pm

Wade Baker
David Severski

Bad security data leads to bad security policies; better data enables better policies. That, in a nutshell, is the thesis of this talk. To back that up, we’ll share a FUD-free and data-driven analysis of the frequency and economic costs of tens of thousands of historical cyber incidents, with a special focus on events that impact multiple organizations.

Are we under- or overestimating the economic risk of cyber events? How might errant estimates of breach likelihood or probable losses affect organizational governance and risk management? Could misunderstandings about the true extent of incident propagation across supply chains hamper the development of effective policies to manage third-party risk? What would an inter-organizational approach to security policies and practices look like? Can the study of past events aid future-looking decisions such as establishing risk appetite and evaluating cyber insurance needs? Could poor risk data lead to regulatory and/or compliance requirements that fail to meet their objectives? These are just some of the policy-oriented questions we’ll explore in the talk.

The dataset we’ll use to explore those questions spans 56,000 cyber events experienced by 35,000 organizations over the last decade. More than 800 of those incidents generated nearly 5,500 downstream loss events impacting firms beyond the primary victim. We’ll examine these inter-organizational events in detail and discuss the implications these have for future policy decisions.

Attendees will gain an understanding of how readily available data can be used to first orient to this problem space. From there, the audience will get a picture of ground truth to make better policy decisions on issues ranging from cyber insurance and supply chain management to the near-mythical risk management ROI.