Enterprises intangible Risks Management via Economic models based on simulatioN of modErn cyber-aTtacks

HERMENEUT defined a holistic approach to cyber-security cost-benefit analysis that (i) starts from an integrated assessment of vulnerabilities and their likelihoods, (ii) exploits an innovative macro- and microeconomic model for intangible costs, (iii) ends with an estimation of the risks for an organisation or a business sector, (iv) is followed by guidelines on investments to mitigate the loss of an enterprise’s integrity.
HERMENEUT improved the risk assessment of the vulnerabilities on tangible and intangible assets of organisations taking into account multiple aspects (e.g. motivations of the attackers, commoditisation level of the target organisations, exposure of the target) and including human factors as well. The estimation of the consequences of cyber-attacks is based on innovative micro- and macroeconomic cost model focusing on intangible costs.
HERMENEUT defined an holistic risk assessment model to support decisions related to cyber-security investments on hard (traditional) and soft mitigation measures, also integrating dedicated elicitation approaches and a Benefit-Harm Index (BHI).

The methodology for the indirect measure of the likelihood, through an integrated estimation of the Enterprise's vulnerabilities for both humans and technology has been developed. A key task for delivering this result, consisted in the identification of the data sources and the corresponding funnelling process required in order to adapt the likelihood estimation to each single enterprise.
Studying and defining microeconomic models of intangibles cyber-risks set the baseline for understanding and evaluating the effects of cyber-attacks in HERMENEUT and therefore supporting risk assessment. The model has been applied in key sectors (like healthcare). Finally, in order to obtain a more comprehensive view about cyber-risks (and their assessment) the attackers’ business models (i.e. the ‘return’ expected by cyber-attackers), has begun in this period.
An initial version of a risk assessment model has been developed and matching proposals for soft mitigation measures outlined. Also, the Benefit Harm Index (BHI) was developed to distinguish among three mitigation levels: risk emergence, growth of risks following BHI analysis, and residual risk.
In order to assess the actual benefit and potential impact of the HERMENEUT results a sound validation strategy is being designed around two relevant use case scenarios and domains: the healthcare domain and the Intellectual Property (IP)-intensive industry domain. During the reported period a thorough analysis of these sectors and their respective states of the art has been carried out in order to fully understand them and provide a meaningful evaluation.
A series of actions were carried out to disseminate and communicate HERMENEUT to wide and diverse audiences. To this end, a detailed Communication and Dissemination plan has been delivered complemented by a matching Communication and Dissemination Toolkit providing the HERMENEUT consortium the actual tools used to maximise the dissemination effort. During the reporting period a series of communication actions in line with the proposed objectives and plans have been carried out spanning from scientific dissemination (conference, papers etc.) to wider dissemination actions through online tools and social networks, and including since early in the project the HERMENEUT public website.
Given the relevance of the domain covered in HERMENEUT (cybersecurity), specific work in WP7 on policies was carried out with the aim of deriving a set of policy recommendations and best practices.

The HERMENEUT project seeks to improve the understanding of cyber-risks on intangible assets by measuring their depreciation following a cyber-attack. Intangible assets that include brand value, Intellectual property, reputation, consumer trust on firms and firms' collected data represent on average 80% of companies' total assets and may have a high probability of being harmed by cyber-attacks. As a consequence, HERMENEUT first seeks to value intangible assets hold by firms, and then to evaluate the individual (firm level) and societal impacts of cyber-attacks on their intangible assets. In addition, the HERMENEUT project aims to mitigate, assess and manage the associated cyber-risks with the help of the different work packages involved.
By combining innovative economics, risk-mitigation and risk assessment approaches, HERMENEUT is innovative in the sense that it goes a step beyond the state of the art on cybersecurity modelling and impact evaluation. Progresses that are made include the definition of a proactive model of vulnerabilities from WP2, the definition of intangible assets taxonomy and their valuation, together with the definition and application of a generic micro and macro model of evaluation of the effects of cyber-attacks from WP3, the definition of the risk assessment methodology and definition of the Benefit-Harm Index (BHI) from WP4, the analysis of case studies in the healthcare and IP intensive sectors from WP5, and policy recommendations on cyber-risks from WP7. Modelling and analysing the impacts of cyber-attacks on intangible assets at the firm and macro levels represent a major contribution of the HERMENEUT project in particular, and to the cybersecurity field in general.
The results that are expected from the project include the identification of vulnerabilities, the provision of micro and macro estimations of the effects cyber-attacks according to the HERMENEUT defined taxonomy on intangible assets and their overall costs, and the provision of an innovative risk assessment methodology.
Impacts from the HERMENEUT project are thus expected at different levels. First, at the societal level, it is expected to improve the understanding of the cyberspace and its failures by individuals and organizations. Second, it is expected to improve security investments of firms given the importance of cyber-information and its failures. Third, improved resilience towards the cyber-risks within the society is also expected by the means of effective institutions, regulations and incentives. Finally, with the use of (economics) models that are beyond state of the art, HERMENEUT seeks to contribute to the information security field with innovative models aiming at managing, assessing and evaluating the effects of cybersecurity on economic activity.