In October 2015, IRGC, together with main partner Marsh & McLennan Companies and with support from Swiss Re, AXA Technology Services and Ecole Polytechnique Fédérale de Lausanne (EPFL), organised a workshop on cyber security risk governance.
Organizations are increasingly concerned about threats to data confidentiality, integrity and availability. When data are compromised and critical infrastructure and services are impacted, the cost to organizations and damage to trust and reputation can be very large. Most organizations use pragmatic solutions to address cyber-attacks, but much uncertainty remains about whether such solutions are able to address threats before they cause too much damage, whether the quantitative estimate of the potential impact (i.e. the risk) is accurate, whether investments for the protection of important assets are appropriate, and whether overall governance of the decision about cyber risk management is optimal.
Key points presented and discussed included:
- Cyber security is a rapidly evolving field that impacts governments, organizations, and individuals. More work is needed in this area, but collaboration between government, academia, and industry (notably insurers) stands to deliver large benefits to the cyber security community
- Uncertainty permeates cyber systems, and scientific evidence is hard to obtain
- Collecting data and sharing information about breaches and incidents is a critical step towards progress. However, how this can be done is subject to some controversy
- Organizations need to quantify cyber risk to enable better decisions about security investments and business management. Quantitative risk assessments are still rare, at least according to publicly available information, but major progress is currently being made in adopting new probabilistic approaches
- Insurance companies can improve cyber security risk management by collecting data and driving incentives for effective security controls through policy pricing
- Research into new security controls should broadly cover both short-term and long-term initiatives that either disseminate best practices or work on novel technologies to shrink the attacker-defender gap. Research should be interdisciplinary and adaptive to address new issues that are not yet evident, given the rapidly evolving nature of cyber security.
Using the current best practices and on-going research initiatives, organizations can address the security gap by:
- Implementing the best controls
- Systematically using the most advanced security tools and implementing new systems designs, which exist today and are being developed by academia and security firms, and give defenders an edge in cyber security
- Implementing risk-based approaches to minimize cyber risk impact on business.
Cyber Risk Security Governance (Workshop Report, 2016)