Risk Transference

by Declan O'Riordan, 28 August 2017

Transcript of Risk Transference

Will Risk Transference outgrow Risk Mitigation?
The Royal Navy used to be the pride of the nation.
By 1695 it was larger than every other navy combined.

HMS Bellerophon epitomised the spirit of the time. It was a 74-gun third-rate ship of the line in the "Senior Service". It was the opposite of weak.
Aboukir Bay, 1–2 August 1798
40 admirals. 260 captains. 19 warships
The boy stood on the burning deck,
Whence all but he had fled;
The flame that lit the battle’s wreck,
Shone round him o’er the dead.

Yet beautiful and bright he stood,
As born to rule the storm;
A creature of heroic blood,
A proud, though childlike form.

The flames rolled on – he would not go,
Without his father’s word;
That father, faint in death below,
His voice no longer heard.
Lloyd's Coffee House was a coffee shop in London opened by Edward Lloyd, originally on Tower Street in 1688.
Partnerships at Lloyd's started insuring ships carrying cargo.
Between 1530 and 1780, 1–1.25 million Europeans were captured and taken as slaves to North Africa, principally Algiers, Tunis, and Tripoli.
During the reign of Charles II (1660-85) a series of English expeditions won victories over raiding Barbary squadrons and mounted attacks on their home ports; these actions permanently ended the Barbary threat to English shipping.
The Royal Navy was the largest and most powerful fleet in the world, but it couldn't provide 100% protection against all possible losses to commercial shipping.
Data is scarce because there is a reluctance to report occurrences unless forced to by law.

Most empirical research is based upon U.S.A. data breach information, not loss value.

The U.S. market is ahead of Europe because it has more breach data.
Transporting cargoes and communications over water required an appetite for risk.
£6.2 billion building aircraft carriers, in case WW2 isn't really over
Since the mid-1800s, the world’s population has grown roughly six-fold, world output has grown 60-fold, and world trade has grown over 140-fold.
It took around 30 years after the invention of cars and motorcycles for motor insurance policies to become commonplace.

Pioneering insurers had difficulty pricing the risks until a historical claims model was established.
1997: First 'Internet Liability' policy written.
1999: Y2K catalyst to focus on technology risk.
1999-2002: Dot-Com bubble, first phase of growth.
2003: CA1386, first U.S. breach notification law.
2005: Increasing regulation prompted by increasing data breaches.
2016: EU General Data Protection Regulation (comes into effect in 2018).
Cyber-risk is continuously evolving and characterised by inter-dependencies, accumulation risk, potential extreme events, moral hazard, risk of change, and high uncertainty with respect to data and modelling approaches.
The past is not a good predictor of future cyber-breach events.
Scenarios for hurricanes and earthquakes are too vague to be adopted for cyber-insurance.
Pent-up demand for cyber-insurance products increases with every bad news story.
But mega-breaches are reducing underwriters' appetite for large risks.
Without being able to measure risk on the books, policies cannot offer what customers want. Many policies have specific exclusions and caps where risk cannot be quantified.
Only 25% cover loss of money. Some cover business interruption but not intellectual property or reputation harm. Cloud hosting contracts are crafted to avoid liability.
What were heroic naval teams fighting for?
The mortal combat was driven by these goals:
Basic State security
Command of the sea
Secure trade routes
Prosperity through trade
Stable Government by means of the goals above
Insurance provides financial coverage for unforeseen circumstances surrounding an event, such as sinking, fire, theft, or flooding.

Assurance provides coverage for events that will occur, such as death.
Testing is the identification, monitoring, and control part of risk management.
Risk Treatments:
Avoidance (eliminate, withdraw from or not become involved)
Reduction (optimize – mitigate)
Sharing (transfer – outsource or insure)
Retention (accept and budget)

111 billion new lines of code will be delivered in 2017. They cannot all be manually inspected.
Data is the new cargo
w.w.w. is the new trade route
Organizations are the ships
We are the crews
Cyber-security spending continues to grow at over 5% p.a. BUT the breaches keep getting worse.
Business Leaders are being advised to divert spending from cyber-breach defences to cyber-breach insurance.

If security risks can be transferred to insurers, perhaps all IT risks could be insured instead of mitigated through testing?

The UK had the most powerful navy in the world for three hundred years, but it couldn't stop every British ship from being lost to piracy, hostile nations, storms, rocks, or negligence.

Insurance was established in London to cover ships and cargo. It has grown enormously to cover many risks. The fastest growth is now cyber-breach insurance.

Data is the new cargo. The Internet is the new high seas.

Insuring systems against data breaches by pirates, hostile nations, or negligence faces many challenges....
The Royal Navy now is weak.
The Royal Navy now is very top-heavy.
Bellerophon confronted the much larger French flagship at the Battle of the Nile, and despite losing all their leaders in the first five minutes, the self-managing crew of lower ranks won.
When L'Orient detonated it split the seams of nearby ships and sent debris flying hundreds of feet into the air.
Crews on every ship in the battle thought they had just received a huge direct hit.
In a state of shock, everyone stopped fighting and the Battle of the Nile ended.
Nelson said afterwards "Victory is not a name strong enough for such a scene".
Insurance provided a means of transferring the risk.
Meanwhile....
Do we really believe self-managing teams of 3 to 9 members can be self-contained for security expertise?
Or are we still using sporadic waterfall visits from security silos?
The facts don't care about your feelings.
We are losing the cyber-security war.
Our approach is clearly weak.
We are barely in the fight at all.
We are not of the Bellerophon.
Verizon Data Breach Investigation Report
Our DevOps delivery pipelines are dominated by almost useless SAST and DAST tools created in a bygone era.

That technology has been proven weak many times before.

The mismatch between expectations and reality is huge.
But new IAST and RASP tools instrument the byte-code and source-code interpreters.

They see everything.
They know (almost) everything!
They use real-time analysis of behaviours and attributes.
Super-fast and super-accurate IAST and RASP are filling the gap left by slow manual testing and inaccurate old tools.
Insurers already monitor customer cars with black boxes.
Instrumenting customer applications to detect vulnerabilities would allow accurate cyber-breach insurance pricing, and improve security.
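As an added illustration of the instrumentation idea (not code from the presentation or from any IAST/RASP product), the following hooks a database driver call from inside the running application and records, or blocks, statements into which untrusted request text has been spliced. The request context, the `lookup_user` handler and the `sqli-untrusted-in-query` rule name are all constructed for the example.

```python
import sqlite3
import contextvars

# Constructed request context: the untrusted values the application received
# (a real agent would capture these from the web framework's request object).
_untrusted = contextvars.ContextVar("untrusted", default=())

class InstrumentedConnection:
    """Hooks sqlite3 execute() the way a RASP/IAST agent hooks the DB driver."""

    def __init__(self, conn, block=False):
        self._conn = conn
        self.block = block       # RASP mode blocks the call; IAST mode only records
        self.findings = []       # (rule, sql, evidence) tuples

    def execute(self, sql, params=()):
        # Behavioural check: untrusted request text appearing verbatim inside the
        # statement (rather than bound as a parameter) means it was spliced in.
        # Heuristic only; a production agent tokenises the SQL to avoid false hits.
        for value in _untrusted.get():
            if len(value) >= 4 and value in sql:
                self.findings.append(("sqli-untrusted-in-query", sql, value))
                if self.block:
                    raise PermissionError("untrusted input spliced into SQL")
        return self._conn.execute(sql, params)

def lookup_user(db, username, safe):
    """Hypothetical request handler: 'safe' binds the value, otherwise it concatenates."""
    token = _untrusted.set((username,))
    try:
        if safe:
            rows = db.execute("SELECT name FROM users WHERE name = ?", (username,))
        else:
            rows = db.execute("SELECT name FROM users WHERE name = '" + username + "'")
        return [row[0] for row in rows]
    finally:
        _untrusted.reset(token)

def demo(block=False):
    """Runs both handler variants against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    db = InstrumentedConnection(conn, block=block)
    safe = lookup_user(db, "alice", safe=True)      # no finding
    unsafe = lookup_user(db, "alice", safe=False)   # recorded, or blocked in RASP mode
    return safe, unsafe, [f[0] for f in db.findings]
```

Note that the unsafe handler is flagged with an ordinary username, not an attack string: the agent reports the vulnerable behaviour itself, which is the kind of evidence an underwriter could price against.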
At some point, spending more money on defences becomes inefficient.

The first few £s could improve security a lot.
The last few £ billion might leave you with an ineffective aircraft carrier.

That point is where to buy insurance, if the premium and cover are priced fairly using accurate risk data.
The means to add ten years to your life are known, but doing it is difficult.

The means to add security to your systems are known, but doing it is difficult.

If we don't improve the cost-benefit of our security testing, then instrumentation and insurance may replace us.
HUGE scope for improvement here. Either by us or by new tools.