SlideShare une entreprise Scribd logo

Cyber Risk Wednesday: October 23, 2013

atlanticcouncil
atlanticcouncil

Join us every third Wednesday of the month for interactive discussions on the hottest topic in cyber.

TechnologieÉconomie & financeBusiness
1  sur  21
Télécharger pour lire hors ligne
Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime” Cyber Risk Wednesdays 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Global Aggregation of Cyber Risks • Push by Martin Senn to be thought leader in cyber risk management, – Understand, not protect, from cyber risks – Not necessarily tied to immediate insurance products • Funded by Zurich Insurance for ~1-year effort – Under think tank, not commercial, agreement • Result in report on global pools of cyber risk, understandable to boards, other executives • Major launch event in 2Q2014 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 2 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Traditional Cyber Threats “Cyber” just means interconnected IT, but that increasingly means everything Common Terms: • Intrusion, hack • Cybercrime • Carders • Russia, East Europe • Stolen identity, credit cards, records • Extortion Internet Criminals Steal individual records with personal info to sell Corporation X 23 October 2013 Hactivists Spies Militaries Global Aggregation of Cyber Risk Zurich and Atlantic Council 3 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Traditional Cyber Threats Common Terms: • Intrusion, hack • DDoS (distributed denial of service) • Anonymous • Patriotic hackers Internet Criminals Hactivists Disrupt network or steal sensitive or embarrassing info Corporation X 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Spies Militaries 4 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Traditional Cyber Threats Common Terms: • Intrusion, hack • IP Theft • China • Advanced Persistent Threat Internet Criminals Steal R&D, business plans or negotiating strategies Corporation X 23 October 2013 Hactivists Spies Militaries Global Aggregation of Cyber Risk Zurich and Atlantic Council 5 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Traditional Cyber Threats Common Terms: • Stuxnet • Shamoon • Iran, US, China • Cyber war, cyber conflict Internet X Criminals Disrupt network or systems or even upstream Internet – very rare Corporation X 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Hactivists Spies Militaries 6 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Non-Traditional Cyber Threats The Cloud 23 October 2013 7 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
But This is All At the Level of Individual Organization What About the Systemic Risks? Mainstream cyber risk management is markedly similar to that for financial prior to 2008! 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 8 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Cyber Sub-Prime • Cyber is in the same place finance was prior to 2008 • Examination of cyber risk pools • Analysis of key factors • Recommendations 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 9 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Cyber Sub-Prime Cyber is in the same place finance was prior to 2008 • Risk only examined one organization at a time • Risks passed outside organization into unknown pools • Little if any governance of the system as a whole and complex interdependencies ignored • Led to catastrophic global failure, even for those organization which handled internal risks correctly! • We are heading for similar fate with global aggregation of cyber risk 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 10 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Overlapping Pools of Systemic Cyber Risk 1 A 0 1 1C 0 T 1 0 0 Y 0 0 0 0 1 L 1 1 1B 0A 0 0 0E 1N 1 1 1 R 0 0 0 0 • Electrical, finance • Conflicts, malware pandemics1 1 T 0 1 • Bandwidth and Internet infrastructure • States: China, Russia,0US 1 0 0 S I like IXPs, submarine cables, security • Non-states: Activists, 0 C 0 0 0 T 1 1 1 tokens Anonymous, organized crime 1 A 0 0 0 • Embedded devices: ICS, SCADA • Intrusion, disruption, theft of 0 1 C 0 1 1T • Some key companies: MSFT IP, espionage 0O 1 0 0E • Networking standards like BGP and DNS 1 0 1 1 • Internet governance C 0U 0 0 0 1 N 1 1 1R 0 C 0 0 0A 1 1 1 1 F 0 I 0 0 0 1 L 0 1 1T 0 1 1 0 01 1 0 0 1 10 0 1 1 0 01 China • Desktop, server, data 1 0 0 0 0 1 Counterfeit centers, networks, 1 0 1 1 1 0 security components, • Software: in-house, legacy, 0 1 0 0 1 0 software custom, commercial,1open 1 1 1 0 1 0 1 1 0 00 Global logistics chain source, 1 0 0 1 11 • Internet of everything and digital economy 0 1 1 0 00 largely w/o human intervention 1 1 0 1 11 • Embedded medical, human enhancement, 0 1 1 0 00 11 driverless cars, etc 0 1 0 0 01 Upstream Infrastructure Outsourced and Contract • China, India • Manufacturing • Professional: HR, legal, accounting, consultancy • Defense industrial base Supply Chain Counterparties and Partner • • • • Trusted interconnections • Dependence External Shocks Internal Enterprise Disruptive Tech
Highest Hazard Notional Quad Chart Disruptive Tech Every year, technology and business processes push us further up and to the right! Lowest Hazard Supply Chain External Shocks Upstream Infrastructure Mitigated government action, resilience, standards, regulations Outsourced and Contract Counterparties and Partner Internal Enterprise Mitigated by risk management, resilience contracts, SLAs, MOUs Most Control 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Least Control 12 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Analysis: The Upside • Few if any single shocks could affect cyberspace in any way that could transfer into a strategic shock to the global economy • Defenders are excellent at responding • System has been extremely resilient day-to-day and year-to-year 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 13 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Analysis: The Downside • Three separate vulnerabilities: interconnectedness and complexity, lack of transparency, and lack of either local control or system-wide governance – Everything increasingly interdependent in unknowable ways – Tech and business models continue to push major risks away from management understanding and control – No system-wide governance – In the face of catastrophic failures, not clear who would be in charge or what levers they could use – Few backup paths for crisis communication or manual workarounds 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 14 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Therefore • Main concern is a failure of key multiple key elements could lead to cascading failures – Where is the next Lehman? The next subprime? Expected future: Organizations will suffer ever more frequent shocks like natural disasters … too severe to ever be able to sufficiently protect 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 15 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
How? • Either one shock that cascades completely out of control or multiple shocks which cascade and reinforce one another • Examples: California earthquake, large cloud provider goes bust (Enron-style fraud, Lehman-style misunderstanding of risk, etc), major routing protocol failure or attack, slow deterioration of resilience and defenses over time, major GPS outage takes out global precision navigation and time signals 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 16 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Three Recommendations for Companies 1. Organizations can take basic and advanced mitigations, depending on their maturity and resources 2. However, since so much risk is external, complex, and interdependent then resilience is the main hope for companies 3. Board-level risk management including insurance and other risk transfer options 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 17 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Two Recommendations for Governments and System-Wide Organizations 1. Far more focus on systemic rather than organizational risk 2. Eventual goal for defense to be better than offense 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 18 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Notional Chart of Upstream Risks Mitigated by • SLAs • Contracts • MOAs/MOUs • Resilience 23 October 2013 Upstream Infrastructure Disruptive Tech Tight linkages More so over time Least Control Causal Upstream of all else Telco/Internet Energy Finance Supply Chain Outsourced and Contract Counterparties and Partner Info only Internal Enterprise Cascades farther downstream C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 19 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01 Over time, more business critical functions move upstream…. Mitigated by • Standards • Regulations • Governance • Resilience External Shocks A T L A N T I C Limited Control Mitigated by • Government actions • Resilience 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 Most Control Near Everywhere Distant Three Zones of Risk (?)
Cyber Risk Wednesdays Events and social receptions are scheduled every THIRD Wednesday of every month. • • • • • November 20 December 18 January 15 February 19 March 19 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 20 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime” Cyber Risk Wednesdays 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01

Recommandé

The Great Disruption No One Planned For: COVID-19
The Great Disruption No One Planned For: COVID-19The Great Disruption No One Planned For: COVID-19
The Great Disruption No One Planned For: COVID-19Emile Sayegh
 
Achieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessAchieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessHappiest Minds Technologies
 
Corporate Cyber Attacks: Managing Risk to Avoid Reputation Harm
Corporate Cyber Attacks: Managing Risk to Avoid Reputation HarmCorporate Cyber Attacks: Managing Risk to Avoid Reputation Harm
Corporate Cyber Attacks: Managing Risk to Avoid Reputation HarmEthisphere
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
CRI Cyber Board Briefing
CRI Cyber Board Briefing CRI Cyber Board Briefing
CRI Cyber Board Briefing OCTF Industry Engagement
 
APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?Thomas Malmberg
 

Recommandé

The Great Disruption No One Planned For: COVID-19
The Great Disruption No One Planned For: COVID-19The Great Disruption No One Planned For: COVID-19
The Great Disruption No One Planned For: COVID-19Emile Sayegh
 
Achieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessAchieving 360° view of security for complete situational awareness
Achieving 360° view of security for complete situational awarenessHappiest Minds Technologies
 
Corporate Cyber Attacks: Managing Risk to Avoid Reputation Harm
Corporate Cyber Attacks: Managing Risk to Avoid Reputation HarmCorporate Cyber Attacks: Managing Risk to Avoid Reputation Harm
Corporate Cyber Attacks: Managing Risk to Avoid Reputation HarmEthisphere
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
CRI Cyber Board Briefing
CRI Cyber Board Briefing CRI Cyber Board Briefing
CRI Cyber Board Briefing OCTF Industry Engagement
 
APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?Thomas Malmberg
 
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]APNIC
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon BradyStarttech Ventures
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin OCTF Industry Engagement
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...Cyber Security Alliance
 
Judgement Day - Slovakia
Judgement Day - SlovakiaJudgement Day - Slovakia
Judgement Day - SlovakiaOCTF Industry Engagement
 
BIFM Risk Management Event 8th September 2016
BIFM Risk Management Event 8th September 2016BIFM Risk Management Event 8th September 2016
BIFM Risk Management Event 8th September 2016Whitbags
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimesChinatu Uzuegbu
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Will the next systemic crisis be cyber?
Will the next systemic crisis be cyber?Will the next systemic crisis be cyber?
Will the next systemic crisis be cyber?Arrow Institute
 
Does IT Security Matter?
Does IT Security Matter?Does IT Security Matter?
Does IT Security Matter?Luke O'Connor
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Cyril Soeri
 
SMi Group's 5th annual Oil & Gas Cyber Security 2015
SMi Group's 5th annual Oil & Gas Cyber Security 2015SMi Group's 5th annual Oil & Gas Cyber Security 2015
SMi Group's 5th annual Oil & Gas Cyber Security 2015Dale Butler
 
State of Compliance 2013
State of Compliance 2013State of Compliance 2013
State of Compliance 2013Stephen Selby
 
Torbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security ClusterTorbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security ClusterPeter Jones
 
2015 whats old is new again
2015 whats old is new again2015 whats old is new again
2015 whats old is new againDaren Dunkel
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Digicomp Academy AG
 
Aon Cyber Risk Solutions
Aon Cyber Risk SolutionsAon Cyber Risk Solutions
Aon Cyber Risk SolutionsGraeme Cross
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementBeyondTrust
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24
 
Securing Ukraine's Energy Sector
Securing Ukraine's Energy SectorSecuring Ukraine's Energy Sector
Securing Ukraine's Energy Sectoratlanticcouncil
 
Cyber912 student challenge_two_pager_general
Cyber912 student challenge_two_pager_generalCyber912 student challenge_two_pager_general
Cyber912 student challenge_two_pager_generalatlanticcouncil
 

Contenu connexe

Similaire à Cyber Risk Wednesday: October 23, 2013

CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]APNIC
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon BradyStarttech Ventures
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin OCTF Industry Engagement
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...Cyber Security Alliance
 
BIFM Risk Management Event 8th September 2016
BIFM Risk Management Event 8th September 2016BIFM Risk Management Event 8th September 2016
BIFM Risk Management Event 8th September 2016Whitbags
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimesChinatu Uzuegbu
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Will the next systemic crisis be cyber?
Will the next systemic crisis be cyber?Will the next systemic crisis be cyber?
Will the next systemic crisis be cyber?Arrow Institute
 
Does IT Security Matter?
Does IT Security Matter?Does IT Security Matter?
Does IT Security Matter?Luke O'Connor
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Cyril Soeri
 
SMi Group's 5th annual Oil & Gas Cyber Security 2015
SMi Group's 5th annual Oil & Gas Cyber Security 2015SMi Group's 5th annual Oil & Gas Cyber Security 2015
SMi Group's 5th annual Oil & Gas Cyber Security 2015Dale Butler
 
State of Compliance 2013
State of Compliance 2013State of Compliance 2013
State of Compliance 2013Stephen Selby
 
Torbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security ClusterTorbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security ClusterPeter Jones
 
2015 whats old is new again
2015 whats old is new again2015 whats old is new again
2015 whats old is new againDaren Dunkel
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Digicomp Academy AG
 
Aon Cyber Risk Solutions
Aon Cyber Risk SolutionsAon Cyber Risk Solutions
Aon Cyber Risk SolutionsGraeme Cross
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementBeyondTrust
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24
 

Similaire à Cyber Risk Wednesday: October 23, 2013 (20)

CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin
 
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...
 
Judgement Day - Slovakia
Judgement Day - SlovakiaJudgement Day - Slovakia
Judgement Day - Slovakia
 
BIFM Risk Management Event 8th September 2016
BIFM Risk Management Event 8th September 2016BIFM Risk Management Event 8th September 2016
BIFM Risk Management Event 8th September 2016
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Will the next systemic crisis be cyber?
Will the next systemic crisis be cyber?Will the next systemic crisis be cyber?
Will the next systemic crisis be cyber?
 
Does IT Security Matter?
Does IT Security Matter?Does IT Security Matter?
Does IT Security Matter?
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.
 
SMi Group's 5th annual Oil & Gas Cyber Security 2015
SMi Group's 5th annual Oil & Gas Cyber Security 2015SMi Group's 5th annual Oil & Gas Cyber Security 2015
SMi Group's 5th annual Oil & Gas Cyber Security 2015
 
State of Compliance 2013
State of Compliance 2013State of Compliance 2013
State of Compliance 2013
 
Torbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security ClusterTorbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security Cluster
 
2015 whats old is new again
2015 whats old is new again2015 whats old is new again
2015 whats old is new again
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)
 
Aon Cyber Risk Solutions
Aon Cyber Risk SolutionsAon Cyber Risk Solutions
Aon Cyber Risk Solutions
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access Management
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
 

Plus de atlanticcouncil

Securing Ukraine's Energy Sector
Securing Ukraine's Energy SectorSecuring Ukraine's Energy Sector
Securing Ukraine's Energy Sectoratlanticcouncil
 
Cyber912 student challenge_two_pager_general
Cyber912 student challenge_two_pager_generalCyber912 student challenge_two_pager_general
Cyber912 student challenge_two_pager_generalatlanticcouncil
 
Cyber912 student challenge_two_pager_sponsors
Cyber912 student challenge_two_pager_sponsorsCyber912 student challenge_two_pager_sponsors
Cyber912 student challenge_two_pager_sponsorsatlanticcouncil
 
Afghanistan and US Security
Afghanistan and US SecurityAfghanistan and US Security
Afghanistan and US Securityatlanticcouncil
 
Crude Oil for Natural Gas: Prospects for Iran-Saudi Reconciliation
Crude Oil for Natural Gas: Prospects for Iran-Saudi ReconciliationCrude Oil for Natural Gas: Prospects for Iran-Saudi Reconciliation
Crude Oil for Natural Gas: Prospects for Iran-Saudi Reconciliationatlanticcouncil
 
Tunisia: The Last Arab Spring Country
Tunisia: The Last Arab Spring CountryTunisia: The Last Arab Spring Country
Tunisia: The Last Arab Spring Countryatlanticcouncil
 
Foreign Policy for an Urban World: Global Governance and the Rise of Cities
Foreign Policy for an Urban World: Global Governance and the Rise of CitiesForeign Policy for an Urban World: Global Governance and the Rise of Cities
Foreign Policy for an Urban World: Global Governance and the Rise of Citiesatlanticcouncil
 
Cyber 9/12 Student Challenge General Information
Cyber 9/12 Student Challenge General InformationCyber 9/12 Student Challenge General Information
Cyber 9/12 Student Challenge General Informationatlanticcouncil
 
Toward a Sustainable Peace in the South China Sea
Toward a Sustainable Peace in the South China SeaToward a Sustainable Peace in the South China Sea
Toward a Sustainable Peace in the South China Seaatlanticcouncil
 
Relaunching the eastern_partnership_web
Relaunching the eastern_partnership_webRelaunching the eastern_partnership_web
Relaunching the eastern_partnership_webatlanticcouncil
 
2015 Distinguished Leadership Awards
2015 Distinguished Leadership Awards2015 Distinguished Leadership Awards
2015 Distinguished Leadership Awardsatlanticcouncil
 
Harnessing social impact
Harnessing social impactHarnessing social impact
Harnessing social impactatlanticcouncil
 
Reimagining pakistan s_militia_policy
Reimagining pakistan s_militia_policyReimagining pakistan s_militia_policy
Reimagining pakistan s_militia_policyatlanticcouncil
 
Yp day-2015-report-webversion
Yp day-2015-report-webversionYp day-2015-report-webversion
Yp day-2015-report-webversionatlanticcouncil
 
Defeating the Jihadists in Syria: Competition before Confrontation
Defeating the Jihadists in Syria: Competition before ConfrontationDefeating the Jihadists in Syria: Competition before Confrontation
Defeating the Jihadists in Syria: Competition before Confrontationatlanticcouncil
 
Dynamic Stability: US Strategy for a World in Transition
Dynamic Stability: US Strategy for a World in TransitionDynamic Stability: US Strategy for a World in Transition
Dynamic Stability: US Strategy for a World in Transitionatlanticcouncil
 
Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...
Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...
Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...atlanticcouncil
 

Plus de atlanticcouncil (20)

Securing Ukraine's Energy Sector
Securing Ukraine's Energy SectorSecuring Ukraine's Energy Sector
Securing Ukraine's Energy Sector
 
Cyber912 student challenge_two_pager_general
Cyber912 student challenge_two_pager_generalCyber912 student challenge_two_pager_general
Cyber912 student challenge_two_pager_general
 
Cyber912 student challenge_two_pager_sponsors
Cyber912 student challenge_two_pager_sponsorsCyber912 student challenge_two_pager_sponsors
Cyber912 student challenge_two_pager_sponsors
 
Afghanistan and US Security
Afghanistan and US SecurityAfghanistan and US Security
Afghanistan and US Security
 
Crude Oil for Natural Gas: Prospects for Iran-Saudi Reconciliation
Crude Oil for Natural Gas: Prospects for Iran-Saudi ReconciliationCrude Oil for Natural Gas: Prospects for Iran-Saudi Reconciliation
Crude Oil for Natural Gas: Prospects for Iran-Saudi Reconciliation
 
Tunisia: The Last Arab Spring Country
Tunisia: The Last Arab Spring CountryTunisia: The Last Arab Spring Country
Tunisia: The Last Arab Spring Country
 
Foreign Policy for an Urban World: Global Governance and the Rise of Cities
Foreign Policy for an Urban World: Global Governance and the Rise of CitiesForeign Policy for an Urban World: Global Governance and the Rise of Cities
Foreign Policy for an Urban World: Global Governance and the Rise of Cities
 
Cyber 9/12 Student Challenge General Information
Cyber 9/12 Student Challenge General InformationCyber 9/12 Student Challenge General Information
Cyber 9/12 Student Challenge General Information
 
Toward a Sustainable Peace in the South China Sea
Toward a Sustainable Peace in the South China SeaToward a Sustainable Peace in the South China Sea
Toward a Sustainable Peace in the South China Sea
 
Relaunching the eastern_partnership_web
Relaunching the eastern_partnership_webRelaunching the eastern_partnership_web
Relaunching the eastern_partnership_web
 
2015 Distinguished Leadership Awards
2015 Distinguished Leadership Awards2015 Distinguished Leadership Awards
2015 Distinguished Leadership Awards
 
Camp david 0508
Camp david 0508Camp david 0508
Camp david 0508
 
Harnessing social impact
Harnessing social impactHarnessing social impact
Harnessing social impact
 
Reimagining pakistan s_militia_policy
Reimagining pakistan s_militia_policyReimagining pakistan s_militia_policy
Reimagining pakistan s_militia_policy
 
Yp day-2015-report-webversion
Yp day-2015-report-webversionYp day-2015-report-webversion
Yp day-2015-report-webversion
 
Defeating the Jihadists in Syria: Competition before Confrontation
Defeating the Jihadists in Syria: Competition before ConfrontationDefeating the Jihadists in Syria: Competition before Confrontation
Defeating the Jihadists in Syria: Competition before Confrontation
 
Dynamic Stability: US Strategy for a World in Transition
Dynamic Stability: US Strategy for a World in TransitionDynamic Stability: US Strategy for a World in Transition
Dynamic Stability: US Strategy for a World in Transition
 
Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...
Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...
Setting the Stage for Peace in Syria: The Case for a Syrian National Stabiliz...
 
Mexicos energy reform
Mexicos energy reformMexicos energy reform
Mexicos energy reform
 
Gulf innovation web
Gulf innovation webGulf innovation web
Gulf innovation web
 

Dernier

Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 

Dernier (20)

Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 

Cyber Risk Wednesday: October 23, 2013

  • 1. Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime” Cyber Risk Wednesdays 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 2. Global Aggregation of Cyber Risks • Push by Martin Senn to be thought leader in cyber risk management, – Understand, not protect, from cyber risks – Not necessarily tied to immediate insurance products • Funded by Zurich Insurance for ~1-year effort – Under think tank, not commercial, agreement • Result in report on global pools of cyber risk, understandable to boards, other executives • Major launch event in 2Q2014 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 2 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 3. Traditional Cyber Threats “Cyber” just means interconnected IT, but that increasingly means everything Common Terms: • Intrusion, hack • Cybercrime • Carders • Russia, East Europe • Stolen identity, credit cards, records • Extortion Internet Criminals Steal individual records with personal info to sell Corporation X 23 October 2013 Hactivists Spies Militaries Global Aggregation of Cyber Risk Zurich and Atlantic Council 3 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 4. Traditional Cyber Threats Common Terms: • Intrusion, hack • DDoS (distributed denial of service) • Anonymous • Patriotic hackers Internet Criminals Hactivists Disrupt network or steal sensitive or embarrassing info Corporation X 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Spies Militaries 4 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 5. Traditional Cyber Threats Common Terms: • Intrusion, hack • IP Theft • China • Advanced Persistent Threat Internet Criminals Steal R&D, business plans or negotiating strategies Corporation X 23 October 2013 Hactivists Spies Militaries Global Aggregation of Cyber Risk Zurich and Atlantic Council 5 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 6. Traditional Cyber Threats Common Terms: • Stuxnet • Shamoon • Iran, US, China • Cyber war, cyber conflict Internet X Criminals Disrupt network or systems or even upstream Internet – very rare Corporation X 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Hactivists Spies Militaries 6 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 7. Non-Traditional Cyber Threats The Cloud 23 October 2013 7 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 8. But This is All At the Level of Individual Organization What About the Systemic Risks? Mainstream cyber risk management is markedly similar to that for financial prior to 2008! 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 8 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 9. Cyber Sub-Prime • Cyber is in the same place finance was prior to 2008 • Examination of cyber risk pools • Analysis of key factors • Recommendations 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 9 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 10. Cyber Sub-Prime Cyber is in the same place finance was prior to 2008 • Risk only examined one organization at a time • Risks passed outside organization into unknown pools • Little if any governance of the system as a whole and complex interdependencies ignored • Led to catastrophic global failure, even for those organization which handled internal risks correctly! • We are heading for similar fate with global aggregation of cyber risk 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 10 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 11. Overlapping Pools of Systemic Cyber Risk 1 A 0 1 1C 0 T 1 0 0 Y 0 0 0 0 1 L 1 1 1B 0A 0 0 0E 1N 1 1 1 R 0 0 0 0 • Electrical, finance • Conflicts, malware pandemics1 1 T 0 1 • Bandwidth and Internet infrastructure • States: China, Russia,0US 1 0 0 S I like IXPs, submarine cables, security • Non-states: Activists, 0 C 0 0 0 T 1 1 1 tokens Anonymous, organized crime 1 A 0 0 0 • Embedded devices: ICS, SCADA • Intrusion, disruption, theft of 0 1 C 0 1 1T • Some key companies: MSFT IP, espionage 0O 1 0 0E • Networking standards like BGP and DNS 1 0 1 1 • Internet governance C 0U 0 0 0 1 N 1 1 1R 0 C 0 0 0A 1 1 1 1 F 0 I 0 0 0 1 L 0 1 1T 0 1 1 0 01 1 0 0 1 10 0 1 1 0 01 China • Desktop, server, data 1 0 0 0 0 1 Counterfeit centers, networks, 1 0 1 1 1 0 security components, • Software: in-house, legacy, 0 1 0 0 1 0 software custom, commercial,1open 1 1 1 0 1 0 1 1 0 00 Global logistics chain source, 1 0 0 1 11 • Internet of everything and digital economy 0 1 1 0 00 largely w/o human intervention 1 1 0 1 11 • Embedded medical, human enhancement, 0 1 1 0 00 11 driverless cars, etc 0 1 0 0 01 Upstream Infrastructure Outsourced and Contract • China, India • Manufacturing • Professional: HR, legal, accounting, consultancy • Defense industrial base Supply Chain Counterparties and Partner • • • • Trusted interconnections • Dependence External Shocks Internal Enterprise Disruptive Tech
  • 12. Highest Hazard Notional Quad Chart Disruptive Tech Every year, technology and business processes push us further up and to the right! Lowest Hazard Supply Chain External Shocks Upstream Infrastructure Mitigated government action, resilience, standards, regulations Outsourced and Contract Counterparties and Partner Internal Enterprise Mitigated by risk management, resilience contracts, SLAs, MOUs Most Control 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council Least Control 12 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 13. Analysis: The Upside • Few if any single shocks could affect cyberspace in any way that could transfer into a strategic shock to the global economy • Defenders are excellent at responding • System has been extremely resilient day-to-day and year-to-year 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 13 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 14. Analysis: The Downside • Three separate vulnerabilities: interconnectedness and complexity, lack of transparency, and lack of either local control or system-wide governance – Everything increasingly interdependent in unknowable ways – Tech and business models continue to push major risks away from management understanding and control – No system-wide governance – In the face of catastrophic failures, not clear who would be in charge or what levers they could use – Few backup paths for crisis communication or manual workarounds 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 14 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 15. Therefore • Main concern is a failure of key multiple key elements could lead to cascading failures – Where is the next Lehman? The next subprime? Expected future: Organizations will suffer ever more frequent shocks like natural disasters … too severe to ever be able to sufficiently protect 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 15 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 16. How? • Either one shock that cascades completely out of control or multiple shocks which cascade and reinforce one another • Examples: California earthquake, large cloud provider goes bust (Enron-style fraud, Lehman-style misunderstanding of risk, etc), major routing protocol failure or attack, slow deterioration of resilience and defenses over time, major GPS outage takes out global precision navigation and time signals 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 16 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 17. Three Recommendations for Companies 1. Organizations can take basic and advanced mitigations, depending on their maturity and resources 2. However, since so much risk is external, complex, and interdependent then resilience is the main hope for companies 3. Board-level risk management including insurance and other risk transfer options 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 17 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 18. Two Recommendations for Governments and System-Wide Organizations 1. Far more focus on systemic rather than organizational risk 2. Eventual goal for defense to be better than offense 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 18 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 19. Notional Chart of Upstream Risks Mitigated by • SLAs • Contracts • MOAs/MOUs • Resilience 23 October 2013 Upstream Infrastructure Disruptive Tech Tight linkages More so over time Least Control Causal Upstream of all else Telco/Internet Energy Finance Supply Chain Outsourced and Contract Counterparties and Partner Info only Internal Enterprise Cascades farther downstream C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 19 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01 Over time, more business critical functions move upstream…. Mitigated by • Standards • Regulations • Governance • Resilience External Shocks A T L A N T I C Limited Control Mitigated by • Government actions • Resilience 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 Most Control Near Everywhere Distant Three Zones of Risk (?)
  • 20. Cyber Risk Wednesdays Events and social receptions are scheduled every THIRD Wednesday of every month. • • • • • November 20 December 18 January 15 February 19 March 19 23 October 2013 Global Aggregation of Cyber Risk Zurich and Atlantic Council 20 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01
  • 21. Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime” Cyber Risk Wednesdays 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 A T L A N T I C C O U N C I L 1 0 1 1 0 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 0 1 1 1 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0 0 1C 0 Y 0 1B 0E 1 R 0 1 0S 0 T 1 A 0 1T 0E 1 C 0 1R 0A 1 F 0 1T 01 10 01 00 10 01 11 00 11 00 11 00 01