The Why and Wherefore of Cybersecurity Risk
There is a song in Gilbert and Sullivan’s “HMS Pinafore” light opera that begins “Never mind the why or wherefore.” Perhaps that has been a problem all along with cybersecurity risk management. We discuss ad nauseam the how, what, when and where of cyberattacks, but seldom do we really understand why they are happening. Yes, we give standard reasons, such as financial gain, revenge, and the like. But do they really represent the true underlying motives? Perhaps we are getting it all wrong, which would explain our failure to identify and curb so many of these attacks that are only getting bigger, broader and more frequent and effective. Now we hear that our drones may be spying on us! See David Shortell’s article “DHS warns of ‘strong concerns’ that Chinese-made drones are stealing data,” which is available at https://www.cnn.com/2019/05/20/politics/dhs-chinese-drone-warning/index.html. If it’s true, it shouldn’t be a surprise. But there are greater concerns, such as so much military software and equipment being sourced from other countries, which may or may not be our friends at some future date.
We need to be aware that the apparent motive behind a cyberattack may not be the real reason. For example, in the financial services sector, where I have spent most of my career, the greatest concern is loss of confidence in the financial system rather than the stealing of funds, although large potential money losses are always a worry. Whereas many attackers are in it for the money, hostile nation states and terrorists may well be more interested in creating chaos and loss of trust, which can be much more devastating than money losses.
Similarly, it was interesting to read Samuel Greengard’s article, “Deep Insecurities: The Internet of Things Shifts Risk,” in the May 2019 issue of the Communications of the ACM journal, which is available at https://cacm.acm.org/magazines/2019/5/236417-deep-insecurities/fulltext. Greengard quotes consultant Benson Chan as saying: “In the end, the biggest danger isn’t a device failing or a grid shutting down; it’s a loss of trust in technology.”
In my experience, working on a consulting project for a major payment card company, we were attempting to anticipate which accounts would default. We were able to analyze large amounts of payments data to try to identify which accounts might default. But the results were not conclusive. I suggested that we look at why the accounts defaulted. Was it due to contested charges? Or the incapacitation or death of a card holder? Or sudden financial difficulties? It would have made a big difference to our model if we knew why accounts failed.
I feel the same way about cyberattacks. Do we know the real motives of attackers? Were the employees really disgruntled? Or had they experienced a sudden change in their financial obligations due to, say, a high, unexpected medical bill? Or did they by chance come across an opportunity to steal some money or data that could be sold … and take it?
I contend that, unless we have a full understanding of why outside attackers or insiders embark on their nefarious activities, it is well-nigh impossible to apply appropriate deterrence, avoidance or protective measures. There’s a big difference between trying to steal money and attempting to disrupt the system so that customers will lose confidence in it. Money losses by big corporations can usually be absorbed, so that the incentive to protect against them is likely to be much less than the desire to avoid loss of confidence. The measures may be similar, but the scale will likely be much greater when reputation and future business are at risk.
Knowing why specific kinds of attack are launched makes all the difference in what measures to take to mitigate cybersecurity risk. It’s well worth making the extra effort to find out the true motives behind attacks.
*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2019/05/28/the-why-and-wherefore-of-cybersecurity-risk/