Monday, November 25, 2019

Talk Like a Cyber Insurance Risk Analyst

In a recent class on catastrophe risk modeling, I learned the definition of terms that are common in insurance but not so well understood elsewhere:
  • Peril
  • Exposure
  • Hazard
  • Ground-up Loss
  • Risk
Read on for definitions, ending with an analogy that, hopefully, ties them all together.



Peril

A 'peril' is a class of process in Nature or Society that causes damage and losses.  It's not just the proximate mechanism (wind, water, fire, cyber breach), but instead the entire causal process.  Thus, a hurricane is a different peril from tornado, and both are different from wide-spread "wind events".

In cyber risk, we might label every loss process as a sub-class of a generic "cyber" peril.  You'll see that frequently in insurance industry publications, presentations, and legal documents.   Things get trickier to label sub-types, because it is generally necessary to include threat actors, attack method, loss processes, etc. in the label.

At RMS, the way we handle this is to define "loss processes" that also include some reference to the other elements.  Our loss processes include "Data Exfiltration", "Distributed Denial of Service", "Contagious Malware/Extortion", "Cloud Outage", and "Financial Transaction Theft".  This allows us take a divide-and-conquer to the task of risk modeling.

Exposure

'Exposure' is the set of the factors that determine whether a particular "insured entity" (person, building, or organization) will suffer losses in any particular instance of a peril event.  For physical perils, 'exposure' also includes most of the factors that determine the magnitude of 'ground-up loss', given a loss event.  For physical perils, exposure is mostly determined by geographic location and other physical characteristics (building type, construction, elevation above ground floor in multi-story buildings, etc.)

In cyber risk, exposure is more complicated.  At a base level, geography and demographic factors (sector, industry, size) do have some influence over whether a given organization will be attacked in a given type of cyber attack, and what magnitude of losses they might experience.  But do to both the connectivity cyber space and the relative homogeneity, it's not impossible for determined threat actors to get from any "Point A" to any other "Point B".

Furthermore, many factors beyond geography, industry, and size determine the magnitude of losses for a given firm to a given cyber attack, including internal network topology, security and operational practices, and even business architecture.

At RMS we handle this complexity of exposure inside of our risk models for each loss process in what we call 'high resolution models'.  For example, in the Financial Transaction Theft model for banks (e.g. SWIFT attacks, ATM jackpotting), we developed a high resolution model that includes attack campaign lifecycle, targeting strategy, among many other factors.  We then ran used Monte Carlo simulation on high resolution model to generate estimates for exposure at aggregate levels --  geography, industry, and size.

In cyber risk, the concept of 'exposure' would encompass the security concept of 'vulnerability', but not exactly as information security (InfoSec) specialists use the term.  In InfoSec, a 'vulnerability' is a specific flaw, weakness, or opportunity for malfunction in some specific software or hardware that can, conceivably, be harnessed by a threat actor to do bad things, directly or indirectly.  In other words, InfoSec definition of 'vulnerability' focuses on the technical aspects and functions, and not so much on the operational or business aspects, which is what matters for cyber risk modeling.  The InfoSec community has attempted to incorporate the operational and business aspects through scoring systems such as CVSS (Common Vulnerability Scoring System), but experience and research have show it to be not well suited for risk modeling.

Hazard

'Hazard' is is the probability that a given insured entity will suffer any loss due to a defined set of perils, in a defined time period.  Most often, hazard is estimated for a broad set -- e.g. probability of  loss in Florida for residential housing due to hurricane (wind + storm surge + local flooding) in a specified year's hurricane season. If "Hazard > 0.0" for a given residence, then there is some chance of loss because the given residence is exposed to at least some degree.

'Hazard' functions also contain information about the severity of the peril at each point (wind speed, flood level) but says nothing about the probability that losses will be greater than $0, or even relative loss magnitude.  That's where 'exposure' comes in.

'Hazard' can also be estimated for a single event.  This is what is being conveyed in the maps of particular hurricanes that show the "cone of uncertainty".

Ground-up Loss

'Ground-up loss' is the total dollar amount of losses for a given insurable entity or set of entities, before all insurance payments.  It is usually calculated based on legal accounting rules, which may be different from financial reporting rules and tax accounting rules (and, of course, might be different from common sense accounting rules).

In cyber risk, 'ground-up loss' is generally any cost directly due to a breach event or campaign that someone has to pay out of pocket or might be recoverable in a lawsuit.  This would include costs of PR, forensics, extra legal costs, and loss of intellectual property (usually valued at recovery cost, not market value). But it almost always excludes cost of "technical debt" -- IT and security spending that a firm should have been paying but didn't, but then had to spend post-breach to bring IT and security up to standard.

Of course, in 'ground-up loss' there is the distinction between 'first party' (the firm that got attacked) and 'third party' (people or firms who experienced losses, but were not directly attacked or responsible for security).  For systemically important firms, there may even be losses attributed to 'public harm' in the context of class action lawsuits or regulatory action, as a catchall for all externalized costs.

Reputation harm, including brand damage, is tricky territory.  While many experts assert that this is the largest category of cost in data exfiltration attacks, I personally would be surprised to see 'reputation harm' included in insurance contracts for cyber risk, except maybe if it narrowly defined.

The insurance industry uses 'ground-up loss' as a basis their calculations of insurance coverage, deductibles, limits, attachment points, and all the rest.

Risk

When used as a noun in the insurance industry, the term 'risk' combines all of the above elements: 
Risk (noun)  -- an insurable entity (property, person, organization, etc) with associated exposure(s) and hazard(s), for a given a set of perils (usually one, but could be more).
In contrast, in InfoSec the term 'risk' as a noun rarely includes all of these factors and instead can be interpreted as "something bad that might happen, associated with some IT assets, vulnerabilities, threats, etc."  In a blog post, I call these "little 'r' risks', and I propose an alternative "Big 'R' risk" which is more compatible with the insurance industry definition.

An Analogy -- Gambling Casino

To help understand this view of risks, think of special kind of gambling casino.

Think of each insurance company as the "House" in a gambling game (e.g. Black Jack).  "Nature" is the deck of cards.  "Players" are insured entities -- e.g. firms. Every "bet" by Players is a premium payment (lets assume that players can only bet in fixed amounts).

Every time a Player losses a bet, the House pockets the money (premium).  Every time the  Player wins, the House (insurance company) pays the Player (the insured).

The House aims to make money in the long run by taking in more money than they pay out and -- very important -- not run out of money in the case of large "winning streaks" by Players.

The key to this analogy is that the House gets to pick and choose what types of bets (a.k.a. "risks") it will payoff for any given Player or set of Players.  This is how our "Insurance Casino" is different from regular casinos, where every player is offered the same choice of bets and rules (roughly speaking;  high rollers get more favorable rules and bets!).

To an insurance company, a 'risk' (noun) is a bet they are either willing to cover or not, depending on the needs and priorities of the insurance company itself, as a profit seeking, survival-oriented agent.



3 comments:

  1. I disagree that 'vulnerability' refers to technical vulnerabilities in the field of information security, although it usually does in cybersecurity. I define and interpret vulnerability as an inherent weakness in something (normally an IT system, process or activity) that, if exploited by a threat, is likely to lead to impacts. It's not a lack of control, which is another common misconception: controls are conceptually distinct from risks.

    ReplyDelete
    Replies
    1. Thanks Gary. I share your view, but in InfoSec, 'vulnerability' nearly always refers to a technical vulnerability in software or hardware.

      Delete