a Security ECONomics service platform for smart security investments and cyber insurance pricing in the beyonD 2020 netwOrking era

Reporting period: 2019-01-01 to 2020-12-31

Technological inventions and developments have started to become an integral part of a company’s lifecycle. However, as well as conferring significant advantages, they bring with them an enhanced risk of cyber incidents - including cybercrime - and a subsequent growth in products and services aimed at combatting the risks. In turn, the proposed solutions (products or services) come with a cost making cyber security investment a key problem for CISOs to tackle. However, uptake is far from universal and a recent Forbes survey found that 60 percent of FORTUNE 500 companies currently lack any insurance against cyber incidents. Importantly, the new EU data protection framework, namely, the General Data Protection Regulation (GDPR) brings into force strengthened requirements for organisations that process or store data in terms of responsibility for building data protection and privacy into their organisation and design and to notify the authorities of all data breaches that put individuals at risk. With the high fines for GDPR violations (up to €20 million or 4% of annual turnover), cybercrime can no longer be considered as an acceptable 'running cost' of business, providing a major impetus for organisations to minimise their risk exposure by proceeding to optimal investments in cyber security solutions and procedures, while transferring the residual risk to cyber insurance.
However, to achieve highly accurate calculations of optimal security investments, and hence insurance premiums, the following limitations must first be addressed:
Asset interdependencies: the interdependencies of security vulnerabilities and the multidisciplinary nature of cyber threats make this a problem with more than technological dimensions.
Growing and evolving types of impact: the rapidly changing cyber landscape means that historical data may not reflect the most recent risk levels.
Quantifying cyber risks: the lack of verified and standardised risk management methodologies that employ commonly agreed metrics and risk aggregators.
Growing attack surface: technological inventions and modern paradigms bring a new range of threats to both tangible and intangible assets.
Security economics: the absence of effective applied econometric models that a) guide and estimate the optimal investment in cyber security solutions, and b) compute optimal thresholds of residual risk that must be outsourced to a cyber insurer.
Knowing the actual losses: the currently limited availability of established methods that can quantify the economic value of an insured organisation's information loss, and the general unwillingness of companies to share such information.
More inclusive cyber insurance: the insurer is no longer someone who merely indemnifies, given that clients demand preventative solutions to stop cyber incidents before damage is inflicted and also ask for support during a crisis to avoid the paralysis of their businesses.
Considering the above limitations together with the emergence of GDPR and the rapid growth of cyber threats, there is an irrefutable need to develop new and automated tools that better explain and appropriately address existing and emerging challenges, not only through technical approaches but also through the lens of economic analysis.
The SECONDO consortium and the participating secondees achieved significant progress during the first reporting period of the SECONDO project (1/1/2019-31/12/2020). This progress is evident not only in technical activities, e.g. technical deliverables, but also in dissemination activities.

Regarding the technical activities, the secondees finalised the reference platform architecture on time (D2.1). They defined the requirements of each module that makes up the general SECONDO platform and specified the technologies that will be used to develop each module. Beyond the design work, they selected real-life use cases that will assess both the individual innovative SECONDO modules and the efficiency of the overall platform. The platform's effectiveness will be evaluated on these use cases and, based on the results, the necessary refinements will be made when designing the final version of the platform.

The secondees also delivered the Quantitative Risk Analysis Metamodel (QRAM), an innovative risk-assessment methodology. The QRAM contains unique techniques developed by the SECONDO secondees: an evaluation model, a risk assessment method and a harmonisation method. User behaviour is assessed with the open-source tool GoPhish.
Moreover, the secondees designed the Econometrics Module (ECM): a tool that will calculate the cost of attacks and propose security tools, together with their costs, for mitigating the risk. Furthermore, the Big Data Collection and Processing Module (BDCPM) was designed and initial development was carried out by the active secondees.

Regarding the dissemination activities, the SECONDO consortium is very active. First and foremost, the SECONDO project has its official website and official accounts on well-known social networks (Twitter, Facebook, LinkedIn, YouTube). The consortium organised the 1st DESECSYS workshop (online) together with other EU projects. Furthermore, the secondees published several scientific papers in journals and well-known conferences; these are available free of charge. The consortium designed brochures, leaflets and a banner, which are used at every opportunity for dissemination. A newsletter is issued every four months and shared via the social media accounts and the website. The dissemination material is freely available on the official SECONDO website. Last but not least, the consortium participated in numerous events presenting the vision, aims, scope and technical progress of the SECONDO project. Finally, the SECONDO platform will comply with well-known standards, since the researchers follow established and upcoming standardisation groups.
Driven by market needs, SECONDO therefore proposes a unique, scalable, highly interoperable Economics-of-Security-as-a-Service (ESaaS) platform that encompasses a comprehensive cost-driven methodology for: (i) estimating cyber risks based on a quantitative approach that considers both the technical and the non-technical aspects (e.g. user behaviour) that influence cyber exposure; (ii) providing analysis for effective and efficient risk management by recommending optimal investments in cyber security controls; and (iii) determining the residual risks and estimating cyber insurance premiums, taking into account the insurer's business strategy while eliminating the information asymmetry between insured and insurer. With these capabilities, the SECONDO platform will establish a new paradigm in risk management for enterprises of various sizes with respect to the GDPR framework, while enabling formal and verifiable methodologies for insurers that need to estimate premiums.
Architecture of the general SECONDO platform