Cyber-Risks: Trends and Consequences

Swiss Re Broker Event, October 4th, London

Myriam Dunn Cavelty

on 8 November 2018

Transcript of Cyber-Risks: Trends and Consequences

Cyber-Crime
Cyber-War
Cyber-Terror
Cyber-Sabotage
Cyber-Espionage
Hacktivism
Economic and political
all the time, $
all the time, $$
all the time, $$ - $$$
rare (Stuxnet!)
Thank you for your attention
Trends and Implications
Underlying insecurity of information infrastructure
Opportunities and risks asymmetric
Low barriers to entry
Innovation on the side of the attacker
cyber attacks are hugely unpredictable
can come from virtually everywhere
change shape constantly
Yes: Terrorist Use of Internet (Support, Mobilization, Fundraising)
No: Large-Scale Terrorist Attack through Cyber-means
Yes: modest CNO, auxiliary, supporting (EW)
No: Stand-alone strategic cyber-attack
Critical Infrastructures
Knowledge / Data
Cascading Effects
Fraud
Identity Theft
Blackmail
Economic Damage
Reputational Damage
Political Damage
Property Damage
Malware
Life & Death Situations
Double Risk in Cyberspace
Technical level: Dependence, (unpatchable) vulnerabilities, danger of system failure and cascading effects
Attacks and Targets: What and How?
The Threat Spectrum: Who and Why?
PCCIP Report (1997): S. 20
Nature / Type of Threat
Hacker Tools / Malware
Infectious malware: viruses and worms
Concealment: Trojan horses, rootkits, and backdoors
Profit: Spyware, Botnets, Keystroke loggers, and "Ransom" Malware
Espionage: Data Stealing Malware
Attribution Problem
the difficulty to clearly determine those initially responsible for a cyber-attack plus identifying their motivating factors
Critical Infrastructures
Knowledge / Data
Fraud
Identity Theft
Blackmail
Economic Damage
Reputational Damage
Political Damage
Property Damage
Data Theft
(Life & Death Situations)
Disruptions
Ridiculing
How Big are the Losses?
probability and consequence of something that has never happened?
Surveys
Statistics
Unreported Incidents
Undiscovered Incidents
+ rapid changes in technology complexity
never being, but always becoming
biased information?
"Guesstimates"
Enabling for serious and organized crime, ideological and political extremism, and state-sponsored aggression
Actor level: Various types of (potentially) malicious actors
= malicious software
Summary
Attention
Money Laundering
Current Risk Types
Concrete intelligence data (which non-state actor is likely to employ cyber-tools as an offensive weapon at what point in time and for what reasons?) unavailable
Data on vulnerabilities is patchy
New ones created all the time
No consolidated / global statistics for computer-based threats or incident rates
Intrusion detection technology limited
There is a lot we do not know about the risk today and the risk tomorrow
There is a lot of confusion and incomplete and/or inaccurate information regarding cyber-risk
cyber-defense spending is increasing heavily
there is profit in cyber-hype! (economic and political)
in numeric surveys, errors are almost always upward
samples...
The (Undesirable?) Economics of Cyber Security
Externalities
Information asymmetry
Unclear value of cyber-security
the use of cyber-risk insurance to limit liability and encourage risk reduction
Market Forces are not adequately responding!
Solutions
reinforcement of incentives
the creation of increased accountability
the strengthening of the impact of liability (at least for some) for more cyber-security
Size (2012): approximately US $ 800 million in premiums, increasing in volume by roughly 30% in each of the past two years
adverse selection: Early adopters of cyber-insurance are typically from high-risk industries
emerging market: insurance providers enter and exit as the market evolves
Only government actions related to accountability have the ability to significantly impact the risk landscape going forward.
Interaction between the levels:
Security challenge posed by potential systemic failure is inherent to the nature of the technological development in ICT
Dangers caused by and through malicious agents are conditioned by the nature of ICT
"Groups" of Damage
How Big is the Risk?
Certainties: The Cyber-world is not getting more secure if left to market forces
value = decrease of potential loss if cyber-risk occurs
no immediate upside to investment
benefit for many secure technology only when critical mass, limited first mover advantage
free riding
tragedy of the commons
information about relative security of potential business partners is not available
buyers cannot tell if products are secure, refuse to pay premium for high quality
voluntary standards and norms
security as competitive advantage
cyber-aware culture
government interventions (harmonization of laws, cyber regulations)
penalties or disclosure rules
clarify "duty of care"
duty to safeguard data / duty to notify data subjects
No agreement on pricing
Myriam Dunn Cavelty