Policy Implications of Faulty Cyber Risk Models and How to Fix Them

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 12:30 p.m. (40 minutes)

Bad security data leads to bad security policies; better data enables better policies. That, in a nutshell, is the thesis of this talk. To back that up, we'll share a FUD-free and data-driven analysis of the frequency and economic costs of tens of thousands of historical cyber incidents, with a special focus on events that impact multiple organizations.

Are we under or overestimating the economic risk of cyber events? How might errant estimates of breach likelihood or probable losses affect organizational governance and risk management? Could misunderstandings about the true extent of incident propagation across supply chains hamper the development of effective policies to manage third-party risk? What would an inter-organizational approach to security policies and practices look like? Can the study of past events aid future-looking decisions such as establishing risk appetite and evaluating cyber insurance needs? Could poor risk data lead to regulatory and/or compliance requirements that fail to meet their objectives? These are just some of the policy-oriented questions we'll explore in the talk.

The dataset we'll use to explore those questions spans 56,000 cyber events experienced by 35,000 organizations over the last decade. More than 800 of those incidents generated nearly 5,500 downstream loss events impacting firms beyond the primary victim. We'll examine these inter-organizational events in detail and discuss the implications these have for future policy decisions.

Attendees will gain an understanding of how readily available data can be used to first orient to this problem space. From there, the audience will get a picture of ground truth for making better policy decisions on issues ranging from cyber insurance and supply chain management to the near-mythical risk management ROI.


Presenters:

  • David Severski - Senior Data Scientist, Cyentia Institute
    David F. Severski is an information security data scientist, specializing in quantified risk management. He has provided risk management expertise across diverse industries, including retail, aerospace, finance, energy, and healthcare. David brings both broad and deep expertise in a number of technical areas with a special focus on cloud technologies and DevOps practices. He strives to combine rigorous methods, technical expertise, and a human-centered approach to advance the state of evidence-based information security risk management. David lives in Seattle, Washington with a low-maintenance spouse, a high-maintenance house, and a spiffy fedora.
  • Wade Baker - Professor, Virginia Tech
    Wade Baker is a professor at Virginia Tech, teaching cybersecurity courses within the Master of IT and MBA programs for the university. In addition to his academic role, Wade remains active in the cybersecurity field through the Cyentia Institute, a research services firm he co-founded in 2016. Prior to this, he held positions as the VP of Strategy and Analytics at ThreatConnect and the Managing Director and CTO for Security Solutions at Verizon. He created and led Verizon's annual Data Breach Investigations Report series, widely regarded across the industry for understanding threat trends and prioritizing defenses.