
The first cybersecurity management system providing evidence based metrics for cyber risk at the business asset level in real-time

Periodic Reporting for period 1 - STORM (The first cybersecurity management system providing evidence based metrics for cyber risk at the business asset level in real-time)

Reporting period: 2017-07-01 to 2017-10-31

The General Data Protection Regulation (GDPR) is a new regulation that moves cyber from an IT initiative to a board room program. It requires a privacy impact assessment (article 5) that measures the confidentiality and integrity of each system that processes privacy data, and a risk assessment of technologies that are deemed risky (article 32). Additionally, article 35 requires that risk and privacy scores are compared against thresholds and that findings are ranked in order of risk, and article 36 requires a clear line of sight into the prioritization of each risk based on its impact. There is currently no automated solution that allows organizations to meet these articles.

InnoSec’s STORM Enterprise version aims to protect the most critical business assets and processes by using a “business-backed” approach. STORM uses a cyber security strategy based on identifying the importance of business systems (assets), i.e. crown jewel, business critical or business crucial. STORM maps relationships between data asset classifications (intellectual property, credit card data, privacy data, etc.) and business units, business processes, systems, and technologies, and measures the cyber security risk exposures and costs, aligning them to cyber risk tolerance and insurance requirements. The STORM module for GDPR has been specifically designed in a way that organizations can achieve full compliance with the new regulation.
Overall, Phase 1 provided time and resources to understand the technical and business viability of STORM. In particular, the following aspects were assessed and provided valuable insights:
• The Value Proposition of STORM and its benefit levels were analyzed and comprehended;
• The product development plan to develop STORM and DREG solutions from current stage to the final version was prepared;
• The Risk Assessment and Contingency plan was prepared for the innovation project;
• The cost of the product development over 2 years is estimated at around €1.325 M, consisting of €1.07 M direct costs and €255 k indirect costs;
• Key emerging regulations, such as the GDPR were researched and elaborated;
• The overall European market and the target markets of UK, Germany, Benelux were assessed in terms of market trends, drivers, key players and potential first users;
• Based on this, the ambition of InnoSec is to commercialize STORM to the following user segments:
- financial institutions, such as banks, who process critical data (including privacy data) and transactions, whose loss or corruption will directly result in financial losses and loss of reputation
- data processors, such as First Data, who process critical data (including privacy data) and transactions, whose loss or corruption will directly result in financial losses and loss of reputation
- insurance companies, who collect and process sensitive customer data (including privacy data) and transactional data, but also manage savings
• Based on the commercialization plan, in-depth financial projections for the next 5 years were prepared that confirmed the highly attractive economics of the innovation project.

During Phase 1, dozens of discussions took place with potential users and re-sellers based on which InnoSec was able to better define the objectives and the next steps. In summary, Phase 1 convinced the management of InnoSec to further pursue the idea and to prepare next steps towards the product development, to be conducted with the help of Phase 2 of the Horizon 2020 grant scheme.
The expected outcome of the project is to scale up the internal metrics-based solution to support large-scale deployment, finalize the engineering of DREG (Drag & Drop Risk Engine Generator), finalize new modules for Cyber Insurance, M&A and GDPR, integrate APIs, and validate STORM in beta testing with end users. To perform these activities, dozens of discussions took place with potential users.

STORM complies with the EU Data Protection Directive and anticipates the upcoming General Data Protection Regulation (GDPR), since the project will enhance the level of personal data protection for individuals and increase business opportunities in the Digital Single Market. InnoSec contributes to the recent European Agenda on Security by offering European businesses a tool to ensure safer and more effective management of their data.

The successful demonstration of the beta version of STORM will fully validate the technology and InnoSec is confident that re-sellers will be interested in the commercialization.
STORM provides a GDPR privacy impact assessment and risk assessment module