Beyond Security to Risk Management

Insurance companies are moving to a holistic model to measure risk, not just security. Businesses should, too.

Reinsurance giant Swiss Re, together with British reinsurer Capsicum Re, launched a reinsurance product Sept. 8. Ho hum. Insurance is MEGO—that is, My Eyes Glaze Over. And reinsurance is MEGO-squared. But for those in the data privacy and security business, this new product, called Decrypt (not really a “product,” but what insurers call a “product”), reflects what we have been saying for decades. Forget privacy. Forget security. Look at risk. Or, in words that Mark Felt (Watergate’s “Deep Throat”) would understand: “Follow the money.”

The new insurance product (again, not a product) is, according to the Swiss Re press release, a “modular approach … comprised of risk identification, quantification and transfer.” MEGO. Allow me to translate.

All too often within a company, infosec personnel report to the CISO, who in turn reports to the CIO, who is responsible for “managing IT.” Privacy people (if they exist at all) may report to a CPO or to Legal. Or sometimes to Compliance. So privacy and security are seen respectively as compliance or IT issues. Which, of course, they are. But that means that they will never be seen as an integral part of the business; they are simply something you have to do, like complying with the fire code. They are a cost of doing business.

But insurance is also about risk. And security and privacy are, among other things, about managing risk. Risk and security are related but different things. The goal of the insurance product is to help INSURANCE COMPANIES evaluate their risk associated with covering YOUR risk. That way they know whether they are underinsuring you or overinsuring you—and, more importantly, whether they are getting enough premiums from you. It also allows them to tailor their policies to minimize their risk. Which is good for them, but maybe not so much for you.

Risk vs. Security

As a security professional, you are all about searching for and mitigating vulnerabilities. Vulnerabilities are things that, if exploited, would allow someone to get unauthorized access to networks or data, disrupt communications or services or otherwise cause “bad things” to happen. We are all used to scoring such vulnerabilities, sometimes on a scale of 1-10, sometimes simple “crimson, amber, emerald” (red, yellow, green) scores. Or just “high, medium or low.” And that’s the problem: These scorings are simply not accurate enough to permit effective risk management. It’s like saying someone is a “good” or “bad” driver. How good is good and how bad is bad? And you may have a good driver who is bad in the snow. And vice versa. That’s why insurance companies have launched products to track precisely the driving behavior of their customers (and potential customers) to collect data they can use to match the risk of the actual driver to the insurance they provide (oh, and to deny claims as well.)

Risk takes vulnerability data and maps it across the enterprise in terms of how that vulnerability will impact the enterprise. So if a vulnerability in, say SQL, is identified, you ask a series of questions. First, is my network vulnerable to this SQL attack? Sounds easy, but it’s not. Because other entities connected to my network or collecting, storing or processing my data, or upon whom I am dependent, may be vulnerable. And my supply chain for products or services may be vulnerable. Or my cloud provider. Or my ISP. Or my telecom. Or my “work at home” employees.

Having identified the vulnerability and my “exposure” to it, the next question is the potential impact. “What if” someone exploited the vulnerability? This is both a “meta” question and a personal one. On the meta-level, is this vulnerability the type that would allow someone to obtain root or superuser access to the network? Would it permit them to escape or avoid detection? Would it permit deep access or only superficial access? On the personal (specific) level, what specific networks or services would be impacted? What data is on those devices? What are those devices connected to? To answer the enterprise’s “exposure” to an exploit is to know what your network and users look like, and to know what data you have and where. And to map connectivity, dependencies, criticality and impact. You do that, right? Right?

Next, you need to look at the likelihood of exploit. Say I have a balky lock on a second-floor window to my house (I don’t actually, but follow with me). It’s a “major” vulnerability in that an attacker could get full access to my house for all purposes. But it may or may not be a significant risk. So to determine the likelihood of exploit, you need to look at the skill level of potential attackers (script kiddies to nation-states) necessary to exploit, the frequency of attacks to others, the motivation of attacks and whether exploits are available in the wild, and gather “threat intelligence.”

Then you look at impact. If there was an exploit, what are the potential business impacts? This is where many companies simply fail. They examine impact in terms of networks and services—IT impact. But that’s a minuscule part of business risk. Some impacts may be less than we think. Some greater. This is where you say, “What would happen to my company if …?” What happens if the production line is shut down for five minutes? Five hours? Five days? What if e-mail is disrupted? Delayed? Destroyed? Read by someone? Read by everyone? Published to the internet? Available to competitors? Regulators? Foreign adversaries? The risks are different in each scenario. In the Podesta e-mail and Sony email hacks, the damage done was not a massive exposure of personal data or even sensitive business strategy, but in the former case, recipes for polenta and references to a local pizzeria, and in the latter, disparaging remarks about Adam Sandler movies—not the kind of stuff you would think to protect in advance. It’s about business impact.

Next comes cost. What is the financial impact of all of this?

When it comes to insurance, and reinsurance, the goal is to (1) identify risk; (2) mitigate risks that are cost-effective to mitigate; (3) assign or offload risks. To decide what to do about identified risks, you have to ask the costs of a potential exploit and the costs to prevent/mitigate/minimize that risk. Some vulnerabilities are fixed because they are easy and cheap to do irrespective of impact. Some are fixed at all [reasonable] costs because of the potential for catastrophic impact. Most fall somewhere in the middle. One of the goals of the Swiss Re “product” (again, not a product) is to help insurance companies decide whether their customers have made the right decisions, and help them mitigate risk.
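The steps above (exposure through dependencies, likelihood, impact, cost, then mitigate/transfer/accept) can be run as a small model. The following is an added example, not code from the article or from Swiss Re; the assets, the dependency graph, the per-hour loss figures, the likelihood table and the decision thresholds are all constructed for illustration, and the SQL component vulnerability is the article's own hypothetical.

```python
"""Toy enterprise risk model: maps one vulnerability to exposed assets,
then scores likelihood, impact and cost to pick mitigate / transfer / accept.
Added illustration; every number below is constructed, not from any real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    components: frozenset   # software the asset runs (constructed labels)
    depends_on: tuple       # names of assets this one cannot operate without
    hourly_loss: float      # business loss per hour unavailable, USD (constructed)


@dataclass(frozen=True)
class Vulnerability:
    component: str          # which software component is affected
    exploit_in_wild: bool   # threat intelligence: is a working exploit public?
    skill_required: str     # "low", "medium" or "high" attacker skill


# Constructed annual likelihood table: (exploit public, skill needed) -> P(exploit/year).
# A real program would derive this from threat intelligence and incident frequency.
LIKELIHOOD = {
    (True, "low"): 0.8, (True, "medium"): 0.5, (True, "high"): 0.2,
    (False, "low"): 0.3, (False, "medium"): 0.1, (False, "high"): 0.02,
}


def exposed_assets(assets, vuln):
    """Exposure step: assets running the component, plus everything that
    transitively depends on them (the 'what are those devices connected to' question)."""
    direct = {a.name for a in assets.values() if vuln.component in a.components}
    exposed = set(direct)
    frontier = list(direct)
    while frontier:
        hit = frontier.pop()
        for a in assets.values():
            if a.name not in exposed and hit in a.depends_on:
                exposed.add(a.name)
                frontier.append(a.name)
    return exposed


def single_loss(assets, vuln, outage_hours):
    """Impact step: loss from one successful exploit causing the given outage."""
    return sum(assets[n].hourly_loss * outage_hours for n in exposed_assets(assets, vuln))


def annual_loss_expectancy(assets, vuln, outage_hours):
    """Cost step: likelihood per year times loss per event."""
    likelihood = LIKELIHOOD[(vuln.exploit_in_wild, vuln.skill_required)]
    return likelihood * single_loss(assets, vuln, outage_hours)


def decide(ale, sle, mitigation_cost, insurance_premium, catastrophic=1_000_000.0):
    """Decision step: fix catastrophic exposures regardless of cost, fix anything
    cheaper to fix than it is expected to cost, otherwise transfer if the premium
    beats the expected loss, else accept. Thresholds are constructed."""
    if sle >= catastrophic:
        return "mitigate"          # fix at all reasonable cost
    if mitigation_cost <= ale:
        return "mitigate"          # cost-effective to fix
    if insurance_premium <= ale:
        return "transfer"          # cheaper to offload to an insurer
    return "accept"


# Constructed enterprise: a database, an ERP that needs it, a web shop that
# needs the ERP, and a mail server with no dependency on any of them.
ASSETS = {a.name: a for a in [
    Asset("db", frozenset({"sql-server"}), (), 2_000.0),
    Asset("erp", frozenset({"erp-app"}), ("db",), 5_000.0),
    Asset("web-shop", frozenset({"web-app"}), ("erp",), 8_000.0),
    Asset("mail", frozenset({"mail-server"}), (), 500.0),
]}
SQL_VULN = Vulnerability("sql-server", exploit_in_wild=True, skill_required="low")


def assess(assets, vuln, outage_hours, mitigation_cost, insurance_premium):
    """Run the whole procedure and return the numbers behind the decision."""
    sle = single_loss(assets, vuln, outage_hours)
    ale = annual_loss_expectancy(assets, vuln, outage_hours)
    return {
        "exposed": sorted(exposed_assets(assets, vuln)),
        "single_loss": sle,
        "annual_loss_expectancy": ale,
        "decision": decide(ale, sle, mitigation_cost, insurance_premium),
    }


if __name__ == "__main__":
    for mitigation, premium in ((40_000.0, 100_000.0), (300_000.0, 100_000.0), (300_000.0, 400_000.0)):
        print(assess(ASSETS, SQL_VULN, outage_hours=24, mitigation_cost=mitigation, insurance_premium=premium))
```

The point of the dependency walk is the one the article makes about exposure: the only host running the vulnerable SQL component is `db`, yet the loss figure includes the ERP and the web shop because they cannot run without it, while the mail server stays out of the calculation. Changing only the patch price or the premium in `assess` flips the decision between mitigate, transfer and accept without changing anything about the vulnerability itself.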

Costs are really difficult to determine. For example, a federal appeals court recently reversed a perfectly cromulent settlement with Google about its use of tracking cookies because the settlement required Google to fund privacy research by entities including the Berkeley Center for Law & Technology, the Berkman Center for Internet & Society at Harvard University, the Center for Internet & Society at Stanford University and the Center for Democracy & Technology (some of which have ties to Google) rather than compensate the individual “victims” whose activity was tracked by the cookies. Assessing the “cost” of a breach of privacy-related information is notoriously difficult because courts are all over the map as to whether mere privacy breaches cause any compensable “harm” to the victim. In other words, if my credit card number is exposed, do I suffer harm (other than the inconvenience of having to change my stored numbers, get a new card and monitor my credit for potential future unauthorized use?) What if it’s my spending patterns? Personal email? Medical records? Costs and damages are difficult to calculate. What insurance companies can use as a proxy are things such as damage recoveries and court damage awards, but they are an imperfect measure of cost. Cost also includes things such as data forensics, recovery, ransomware, legal bills, reputational costs, regulatory costs, etc.

Words Matter

With respect to insurance, it’s important to read your policy carefully. And then read it again. Many companies offer “cyber” insurance, but this may only be “data breach” insurance. What is covered by the policy? If the policy covers data “destruction,” does this also cover data unavailability? Does it cover ransomware? Does it cover the costs of paying ransom? Costs of investigation? Remember, as an insured you are trying to offload some costs to the insurer—and are paying them for the privilege. Getting the balance right is important to both you and the insurer.

And with respect to reinsurance—that is, the insurance policies insurers take to offload their risk to other insurers—it’s doubly important. That’s why companies such as Swiss Re and Capsicum Re are moving to a holistic model to measure “risk,” not just security. Or, at least they are claiming to. You should be, too.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.