CORDIS - Results of EU-supported research

Quantifying cyber risk: a computational insurance approach

Periodic Reporting for period 1 - QCYRISK (Quantifying cyber risk: a computational insurance approach)

Reporting period: 2020-05-01 to 2022-02-28

Quantifying cyber risk is an important step in assigning resources to cybersecurity measures. Yet data limitations mean that current estimates ignore certain incidents (e.g. ransomware), rarely provide the financial cost, and rarely describe how risk varies based on the firm’s revenue or industry.

This knowledge gap could lead organizations and policy-makers either (a) to under-estimate the problem and fail to assign enough resources to preventing adverse cybersecurity outcomes, or (b) to be carried away by media attention surrounding cyber risk and to over-spend. The lack of firm-specific estimates likely means some organisations make the first type of error and other organisations make the second. The lack of data on certain incident types may mean the same organisation makes both errors regarding different aspects of cybersecurity. For example, a firm may over-invest in measures intended to mitigate the risk of litigation over cybersecurity incidents and under-invest in measures mitigating ransomware attacks.

This problem affects society because the movement to integrate personal data into business models means we are all potentially exposed to privacy violations. Impacts can also be seen when ransomware attacks disrupt a firm’s operation, such as when the Colonial Pipeline attack caused soaring petrol prices in the USA. Thus, all of society can benefit from private firms making better risk decisions by incorporating fine-grained loss estimates.

This project’s goal is to derive such risk estimates by inferring information from cyber insurance. Surprisingly, insurers sell cyber insurance for the ignored incident types and vary the price based on firm-specific characteristics. Extracting insurers’ cyber loss models could help firms manage risk, regardless of whether they purchase insurance. Our contribution involved developing the underlying technique and also making practical estimates based on empirical data.

The project began with a review of existing approaches to quantifying cyber risk, which we submitted as a “Systematization of Knowledge” paper to the IEEE Security and Privacy conference. In pursuit of practical insights, a journal paper was published in the Digital Threats: Research and Practice journal. The journal paper represents a first attempt at inferring practical risk estimates.

In addition, Daniel published the first academic analysis of a new form of privacy insurance at the Computers, Privacy & Data Protection conference in Brussels, which is attended by a mix of academics, practitioners and policy makers. To pursue Daniel’s career goals, Daniel began publishing in a new research field, namely privacy economics. Daniel published a first-author theory paper at the Workshop on the Economics of Information Security, which turned into a Computers & Security journal article. He then collaborated with a PhD student, Max Hills, on three publications. The first was presented at the Internet Measurement Conference (IMC) in 2020. The second has been accepted to the Privacy Enhancing Technology Symposium. The third will be presented at the Computers, Privacy & Data Protection conference. Daniel also published on privacy insurance, the first such academic paper. He also collaborated with an academic on an article titled "An Economic Analysis of Appropriateness under Article 32 GDPR", which was accepted to the European Data Protection Law Review.

Daniel also had two papers accepted at the 2021 Workshop on the Economics of Information Security. The first tries to understand how cyber insurance shapes incident response. The second, a collaboration with researchers in the US, seeks to understand coordinated vulnerability disclosure.

There are a number of works that are currently under submission. The first is titled "Reviewing Estimates of Cybercrime Victimisation and Cyber Risk Likelihood", which builds on the project's core goal of quantifying cyber risk, and was submitted to the WACCO workshop. There is a theoretical work submitted to the Electronic Commerce Research and Applications journal. There is also a submission to the 2022 Workshop on the Economics of Information Security titled "Characterising 0-day Exploit Brokers", and a journal submission titled "A Longitudinal Perspective on 0-Day Brokers".

In terms of research, the previous section describes five peer-reviewed research publications that all advance the state of the art. For example, the SoK was published at the IEEE Security & Privacy Symposium, an A+ venue. We proposed a novel causal framework for cyber risk and have already seen researchers use this framework and attribute it to our article [1]. This represents an overwhelming success for the first work package. We also published a journal article for the second work package. While this was published in a new journal, we did so because it is read by both practitioners and academics. It was cited 3 times in 2021 and 2 times in 2022. Daniel also published the first empirical analysis of privacy insurance for individuals, which could become a new research area. The final contribution in this direction is our WACCO submission. Notably, the bachelor's student and Daniel won 2nd prize in a competition for their submission "Reviewing the Likelihood of Cyber Incident" at the RISCS Cyber Risk and Quantification workshop, which is based on the same work.

In terms of Daniel's career, he has accepted a lecturer position at the University of Edinburgh, a highly ranked and prestigious university in the UK. This is an overwhelming success given the competitive job market, and will allow him to continue working on these topics. During the course of the fellowship, he was invited onto the Workshop on the Economics of Information Security committee for two years running and became associate editor at the Digital Threats: Research and Practice journal. Also in terms of practitioner outreach, he is co-chair of the FIRST cyber insurance special interest group. He broadened his research profile and began supervising other researchers: four master's students and one bachelor's student. Together these outcomes represent a success in terms of the career development aspect of the fellowship.

Finally, in terms of outreach and dissemination, we took a number of steps. We invested in high-quality presentation videos for each publication, all of which are now shared on YouTube. This helps disseminate the results beyond the tiny fraction of the world who attend academic conferences. Daniel also ran a practitioner Twitch workshop, a novel way to engage practitioners during the pandemic. He also shares research widely over LinkedIn and engages practitioners in that way, contributing to wider socio-economic impact. While it is difficult to measure this impact, engagement statistics provide one window: his posts regularly receive over a thousand views, with one achieving over 5,000. Daniel also appeared on a number of podcasts, including one run by the World Bank. All of these outreach efforts are evidence of Daniel's commitment to sharing science.

[1] von Skarczinski, Bennet Simon, Arne Dreissigacker, and Frank Teuteberg. "More Security, less Harm? Exploring the Link between Security Measures and Direct Costs of Cyber Incidents within Firms using PLS-PM." Wirtschaftsinformatik (2022).