Policy Implications of Faulty Cyber Risk Models and How to Fix Them

The talk discusses the policy implications of faulty cyber risk models and how to fix them using data-driven analysis. The focus is on the economic costs of historical cyber incidents and their impact on multiple organizations. The talk explores questions related to breach likelihood, risk management, third-party risk, inter-organizational approach to security policies, risk appetite, cyber insurance needs, and regulatory compliance. The talk emphasizes the need for better risk models based on better data science, collecting better data, building better models, and conducting better research.

• Bad security data leads to bad security policies; better data enables better policies
• The talk shares a FUD-free and data-driven analysis of the frequency and economic costs of tens of thousands of historical cyber incidents
• The dataset used spans 56,000 cyber events experienced by 35,000 organizations over the last decade
• The talk explores questions related to breach likelihood, risk management, third-party risk, inter-organizational approach to security policies, risk appetite, cyber insurance needs, and regulatory compliance
• The talk emphasizes the need for better risk models based on better data science, collecting better data, building better models, and conducting better research

The talk mentions a headline that states that 60% of small companies that suffer a cyber attack are out of business within six months. This illustrates the impact of faulty risk models on policy decisions.

Bad security data leads to bad security policies; better data enables better policies. That, in a nutshell, is the thesis of this talk. To back that up, we'll share a FUD-free and data-driven analysis of the frequency and economic costs of tens of thousands of historical cyber incidents, with a special focus on events that impact multiple organizations.Are we under or overestimating the economic risk of cyber events? How might errant estimates of breach likelihood or probable losses affect organizational governance and risk management? Could misunderstandings about the true extent of incident propagation across supply chains hamper the development of effective policies to manage third-party risk? What would an inter-organizational approach to security policies and practices look like? Can the study of past events aid future-looking decisions such as establishing risk appetite and evaluating cyber insurance needs? Could poor risk data lead to regulatory and/or compliance requirements that fail to meet their objectives? These are just some of the policy-oriented questions we'll explore in the talk.The dataset we'll use to explore those questions spans 56,000 cyber events experienced by 35,000 organizations over the last decade. More than 800 of those incidents generated nearly 5,500 downstream loss events impacting firms beyond the primary victim. We'll examine these inter-organizational events in detail and discuss the implications these have for future policy decisions.Attendees will gain an understanding how readily available data can be used to first orient to this problem space. From there, the audience will get a picture of ground truth to make better policy decisions on issues ranging from cyber insurance, supply chain management, and the near-mythical risk management ROI.