What if cyber security wasn’t about technology, but about a malevolent or accidental human threat?
That is the perspective taken by Arvind Parthasarathi, CEO of an economic cyber risk modelling company called Cyence.
“When we think about cyber-risk, immediately our minds move towards hackers and technological issues,” Parthasarathi said. “Whereas in reality, 25% of claims are not from events caused by hackers from the outside world - they’re malicious insiders. People with legitimate access to the data they’re taking.”
Parthasarathi said an additional 25% of attacks are caused by accidents involving losing a laptop on a train or using the wrong email address.
Pinpointing where risks come from, be it disgruntled employees, accidents or hackers, requires data collection.
Unlike earthquakes where risks are determined by the US Geological Survey, there is no authoritative data on cyber-risk, Parthasarathi said.
That’s why Cyence collects its own.
Parthasarathi said job postings can provide data on the human weaknesses of a company by disclosing how many employees are working at a given organization and what methods of communication they’re using.
Cyence and the hackers they’re attempting to mitigate against both use this form of promoted information when they’re looking for holes in a company’s security.
Parthasarathi describes it as holding a mirror to the client.
“Let’s say you have 17 vulnerabilities in your firewall, OK great, but what does that really mean?” posed Parthasarathi.
The risks of a cyber-attack are formed by probability, frequency and severity, Parthasarathi said.
Cyence then models scenarios based on human and other exposure data.
“We create a financial model around it…what’s the dollar impact? How are those loss curves going to look? Then you look at accumulation,” Parthasarathi said, arguing insurers are more concerned with accumulation like faulty airbags than an individual’s probability of getting into a car accident.
Also, unlike disaster risk, cyber risk has unlimited possibilities because of the sequence of events that can occur.
“The interesting thing about cyber is it’s really about a myriad of scenarios,” Parthasarathi said. “Florida is not going to have a hurricane, a tornado and an earthquake at the same time.”
But because in the virtual world, cyber possibilities aren’t bound by physics or what we know from the US Geological Survey, scenarios can change or nest in more unpredictable ways.
“There are infinite scenarios in cyber, that’s why the data is so valuable,” Parthasarathi said.
Related Stories:
Private cyber insurance provides adequate risk coverage: study
