The non-technical handbook for cyber security risk management
Solving Cyber Risk distills a decade of research into a practical framework for cyber security. Blending statistical data and cost information with research into the culture, psychology, and business models of the hacker community, this book provides business executives, policy-makers, and individuals with a deeper understanding of existing future threats, and an action plan for safeguarding their organizations. Key Risk Indicators reveal vulnerabilities based on organization type, IT infrastructure and existing security measures, while expert discussion from leading cyber risk specialists details practical, real-world methods of risk reduction and mitigation.
By the nature of the business, your organization’s customer database is packed with highly sensitive information that is essentially hacker-bait, and even a minor flaw in security protocol could spell disaster. This book takes you deep into the cyber threat landscape to show you how to keep your data secure.
- Understand who is carrying out cyber-attacks, and why
- Identify your organization’s risk of attack and vulnerability to damage
- Learn the most cost-effective risk reduction measures
- Adopt a new cyber risk assessment and quantification framework based on techniques used by the insurance industry
By applying risk management principles to cyber security, non-technical leadership gains a greater understanding of the types of threat, level of threat, and level of investment needed to fortify the organization against attack. Just because you have not been hit does not mean your data is safe, and hackers rely on their targets’ complacence to help maximize their haul. Solving Cyber Risk gives you a concrete action plan for implementing top-notch preventative measures before you’re forced to implement damage control.
About the Authors ix
Acknowledgments xi
CHAPTER 1 Counting the Costs of Cyber Attacks 1
1.1 Anatomy of a Data Exfiltration Attack 1
1.2 A Modern Scourge 7
1.3 Cyber Catastrophes 12
1.4 Societal Cyber Threats 19
1.5 Cyber Risk 21
1.6 How Much Does Cyber Risk Cost Our Society? 24
Endnotes 30
CHAPTER 2 Preparing for Cyber Attacks 33
2.1 Cyber Loss Processes 33
2.2 Data Exfiltration 34
2.3 Contagious Malware Infection 41
2.4 Denial of Service Attacks 56
2.5 Financial Theft 63
2.6 Failures of Counterparties or Suppliers 68
Endnotes 78
CHAPTER 3 Cyber Enters the Physical World 81
3.1 A Brief History of Cyber-physical Interactions 81
3.2 Hacking Attacks on Cyber-physical Systems 83
3.3 Components of Cyber-physical Systems 86
3.4 How to Subvert Cyber-physical Systems 88
3.5 How to Cause Damage Remotely 91
3.6 Using Compromises to Take Control 92
3.7 Operating Compromised Systems 93
3.8 Expect the Unexpected 95
3.9 Smart Devices and the Internet of Things 99
Endnotes 101
CHAPTER 4 Ghosts in the Code 103
4.1 All Software Has Errors 103
4.2 Vulnerabilities, Exploits, and Zero Days 104
4.3 Counting Vulnerabilities 108
4.4 Vulnerability Management 113
4.5 International Cyber Response and Defense 118
Endnotes 122
CHAPTER 5 Know Your Enemy 125
5.1 Hackers 125
5.2 Taxonomy of Threat Actors 127
5.3 The Insider Threat 143
5.4 Threat Actors and Cyber Risk 145
5.5 Hackonomics 147
Endnotes 151
CHAPTER 6 Measuring the Cyber Threat 153
6.1 Measurement and Management 153
6.2 Cyber Threat Metrics 158
6.3 Measuring the Threat for an Organization 162
6.4 The Likelihood of Major Cyber Attacks 170
Endnotes 182
CHAPTER 7 Rules, Regulations, and Law Enforcement 183
7.1 Cyber Laws 183
7.2 US Cyber Laws 186
7.3 EU General Data Protection Regulation (GDPR) 190
7.4 Regulation of Cyber Insurance 192
7.5 A Changing Legal Landscape 194
7.6 Compliance and Law Enforcement 196
7.7 Law Enforcement and Cyber Crime 199
Endnotes 205
CHAPTER 8 The Cyber-Resilient Organization 207
8.1 Changing Approaches to Risk Management 207
8.2 Incident Response and Crisis Management 208
8.3 Resilience Engineering 212
8.4 Attributes of a Cyber-resilient Organization 214
8.5 Incident Response Planning 218
8.6 Resilient Security Solutions 219
8.7 Financial Resilience 225
Endnotes 234
CHAPTER 9 Cyber Insurance 235
9.1 Buying Cyber Insurance 235
9.2 The Cyber Insurance Market 244
9.3 Cyber Catastrophe Risk 248
9.4 Managing Portfolios of Cyber Insurance 251
9.5 Cyber Insurance Underwriting 258
9.6 Cyber Insurance and Risk Management 263
Endnotes 264
CHAPTER 10 Security Economics and Strategies 267
10.1 Cost-Effectiveness of Security Enhancements 267
10.2 Cyber Security Budgets 271
10.3 Security Strategies for Society 276
10.4 Strategies of Cyber Attack 283
10.5 Strategies of National Cyber Defense 289
Endnotes 294
CHAPTER 11 Ten Cyber Problems 295
11.1 Setting Problems 295
1 The Canal Safety Decision Problem 298
2 The Software Dependency Problem 300
3 The Vulnerability Inheritance Problem 301
4 The Vulnerability Count Problem 302
5 The Malware Overlap Problem 303
6 The Vulnerability Lifespan Problem 304
7 The Binary Similarity Problem 304
8 The Virus Modification Problem 306
9 The Cyber Criminal’s Dilemma Problem 306
10 The Security Verification Problem 307
Endnotes 308
CHAPTER 12 Cyber Future 309
12.1 Cybergeddon 309
12.2 Cybertopia 315
12.3 Future Technology Trends 321
12.4 Getting the Cyber Risk Future We Want 328
Endnotes 331
References 333
Index 355
THE ONE BOOK HACKERS DON'T WANT YOU TO READ
Solving Cyber Risk enables you to accurately assess cyber risk at your organization and develop a cost-appropriate plan for top- tier cybersecurity. From the leading-edge minds behind the most popular cyber risk model in the insurance industry, this authoritative work shares the wisdom mined from a decade's worth of research into the culture, psychology, and profit models of hackers.
Through a powerful, scalable framework, any size organization can effectively manage the likelihood and consequences of cyber attacks within any size budget. Step-by-step guidance to data-backed approaches and techniques empower you to:
- Measure and assess the five most expensive and damaging causes of cyber loss
- Understand the motivations, capabilities, and techniques behind the seven most common types of hackers
- Apply the same due diligence and expertise to defending against cyber attacks as the best in the business
Whether you need to update your cyber risk protocols or create a cutting-edge security plan from scratch, Solving Cyber Risk is your complete blueprint to protecting your digital assets from criminals.
-Domenico del Re, Director, PricewaterhouseCoopers
“Before we can begin to address the serious risks that accompany the modern world's increasing dependence on networked computer systems we have to understand them, and this is the key achievement of Solving Cyber Risk. Anyone reading the book will come away better able to assess, quantify, and reduce the risks faced by their business.”
-Bill Thompson, Technology writer and BBC presenter
“Is your organisation cyber-resilient? Are your services? Are you? Starting from practical assessments of how a security breach could damage the organisation, this comprehensive review of the current risk landscape will tell you why it matters, how to assess your own performance, and how to improve it.”
-Andrew Cormack, Former Computer Security Incident Response Team (CSIRT) manager
"The essential handbook for anyone that wants to understand the cyber risks facing their business. The authors draw on decades of experience in cyber, insurance and modelling to provide the essential context for the range of potential threats and losses, today and in the future, providing real life case studies and practical advice for assessing and managing the risks.”
-Matthew Grant, Founder and Executive Director, Abernite Ltd.
"Whoever feels overwhelmed by the sheer amount of unsorted information - around cyber risk, the uncertainties of managing this risk and its questioned insurability (which I do not share) - should read this book. It helps to ringfence the key issues by classifying, weighting and prioritizing cyber related decisions. It is good for IT security professionals to get familiar with risk management framework and it is equally helpful for risk management professionals to break down the complexity of 'cyber' and focus on the essentials."
-Simon Dejung, Senior Underwriter, SCOR
Cyber risk is a top priority if you're in business today. The digital economy requires companies to safeguard a wealth of sensitive information that can make hackers a fortune and ruin both a business and victims' lives. Solving Cyber Risk demystifies the threat of cyber attacks and guides you in implementing the most cost- effective methods of reducing risk.
In this practical, non-technical guidebook, three global thought leaders on cyber risk show you how to use risk management principles to lock down your cyber security. Written specifically for business professionals and policy-makers, this single resource covers everything from the fundamentals of cyber crime to the roles of information security officers and risk managers. Improve your cyber resilience by using this powerful guide to:
- Assess the latest vulnerabilities in software, industrial control systems and devices
- Gain an understanding of the regulatory and legal landscape and law-enforcement processes
- Make informed decisions about the costs and benefits of cyber resilient strategies, including key trends in cyber insurance
Avoiding cyber attacks isn't an option prepare to protect yourself and your clients with Solving Cyber Risk.
Produktdetaljer
Biographical note
ANDREW COBURN is senior vice president at Risk Management Solutions (RMS) and a director of the Cambridge Centre for Risk Studies, University of Cambridge. The architect of the leading cyber risk model in the insurance industry, he is coauthor of Earthquake Protection, Second Edition.
ÉIREANN LEVERETT is the founder of Concinnity Risks and a senior researcher on cyber risk at Cambridge Centre for Risk Studies. An ethical hacker, he was on the multidisciplinary team that built the first cyber risk models for insurance.
GORDON WOO is a catastrophist with RMS who helped create the conceptual framework for the RMS Cyber Accumulation Management System. An authority on cyber and insurance risk, he is the author of The Mathematics of Natural Catastrophes and Calculating Catastrophe.