Incentivizing Better Risk Decisions - Lessons from Rogue Actuaries - SIRAcon 2019

Slides from Tony Martin-Vegue's presentation at SIRAcon (Cincinnati, OH) on May 1, 2019

What do Tom Jones’ chest hair, alien abductions, and Tylenol’s brand recognition have in common? An actuary, somewhere in the world, determined the probability and impact of a loss event and reduced enough uncertainty to issue an insurance policy. Yet in the field of risk management we hear that this is impossible: we can’t measure intangibles; we can’t determine the probability of an event that’s never happened; and often, measuring probability itself is said to be impossible. The insurance industry shows us that this just isn’t true, and it has the money to prove it. Insurance is a thriving business with excellent margins, built on uncertainty reduction.

Why? The answer lies in incentives. Insurance is based on making uncertainty reduction profitable. With very few exceptions, cyber risk is set up to disincentivize good decisions. Using superstition and gut checks as a cheap replacement for data, and relying on debunked risk models, are deemed “good enough” at best and “really good!” at worst. Attendees will learn how actuaries have historically tackled these challenges and receive practical tips on how companies and risk managers alike can be incentivized toward better risk decisions.

  1. Incentivizing Better Risk Decisions: Lessons from Rogue Actuaries #SIRAcon
  2. Forget cyber risk…
  3. “It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Risk management is impossible.” - Richard Stiennon, Cyber Security leader, author
  4. Is cyber risk unique?
  5. Medicine: The Constantly Mutating Influenza Virus
  6. Oil and Gas Exploration: A Business Based on Betting with Incomplete Information
  7. NASA’s Space Shuttle: 2.5 million moving parts
  8. Seismic Hazard Assessments: 1,000 Year Earthquake
  9. First SpaceX Falcon 1 Flight, July 14, 2009
  10. The 4 Horsemen of Risk
  11. War Quants
  12. Economists. Adam Smith: First Modern Economist
  13. Management consultants (Likelihood × Impact heat map: Low / Medium / High)
  14. Actuaries
  15. Bottomry – 1700s BCE
  16. How Bottomry Works. Ship owner: borrows money; the ship is collateral. Voyage: the ship goes off and makes money. Repayment: if the ship returns, pay back the loan with interest; if it doesn’t return, the loan is forgiven.
  17. Hammurabi (Likelihood × Impact heat map: Low / Medium / High)
  18. What starts out as an outlandish idea often turns into a thriving business later.
  19. Quant risk is too hard.
  20. The Current State of Cyber Risk Management
  21. The Current State of Cyber Risk Management: Standards, Consulting & Auditors, Management, Cyber Risk Managers
  22. Think Like a Rogue Actuary
  23. 1: Skin in the Game
  24. “Risk to say we did it” (a qualitative risk register):
      Risk Description | Likelihood | Impact | Risk
      Weak admin password on SQL server | High | High | High
      30 Windows servers out of patch compliance | Medium | High | High
      Data breach | Very High | Very High | Very High
      Server room lock is broken | Low | High | Medium
  25. Bad bookies, bad actuaries
  26. Fantasy Football Prediction Market
  27. Internal Prediction Market. Risk: Will there be a reportable data breach originating from public facing web servers by December 31, 2019?
      SME | Probability | Why are you making this prediction?
      Pradeep | 10%-20% | No data to support increased threat level
      Alice | 5%-15% | About the same as other companies in our sector
      Bobby | 10%-20% | Company has written patching policy; no past breaches
      Susan | 50%-60% | Apache Struts patches are 6 months out of date
  28. Find superforecasters through leaderboards; feed KRIs and KPIs; incentivizes good decisions
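As an added example (not from the deck), here is how the internal prediction market on slides 27 and 28 can be turned into a scoring pipeline: SME interval forecasts are pooled into one probability for the open question, and once earlier questions resolve, each forecaster gets a Brier score, which produces the leaderboard that surfaces superforecasters and lets you weight future pools by track record. The four forecasts on the breach question are the slide's; the two already-resolved questions, their outcomes, and all function and field names are constructed for illustration.

```python
"""Internal prediction market: pool SME interval forecasts and score
forecasters with the Brier score. Added example; not from the talk."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Forecast:
    forecaster: str
    question: str
    low: float        # lower bound of the SME's probability interval, 0..1
    high: float       # upper bound of the interval, 0..1
    rationale: str = ""

    def __post_init__(self) -> None:
        if not 0.0 <= self.low <= self.high <= 1.0:
            raise ValueError(f"bad interval for {self.forecaster}: {self.low}-{self.high}")

    @property
    def point(self) -> float:
        """Interval midpoint, used as the forecaster's point estimate."""
        return (self.low + self.high) / 2.0


def brier_score(p: float, outcome: int) -> float:
    """Squared error of a probability against a 0/1 outcome.
    0.0 is perfect, 0.25 is what always saying 50% earns, 1.0 is confidently wrong."""
    return (p - outcome) ** 2


def leaderboard(forecasts, outcomes):
    """Mean Brier score per forecaster over resolved questions, best (lowest) first.
    Forecasts on questions that have not resolved are ignored."""
    per_forecaster = {}
    for f in forecasts:
        if f.question in outcomes:
            per_forecaster.setdefault(f.forecaster, []).append(
                brier_score(f.point, outcomes[f.question]))
    return sorted(((name, mean(s)) for name, s in per_forecaster.items()),
                  key=lambda kv: kv[1])


def linear_pool(forecasts, question):
    """Equal-weight pool: mean of the interval midpoints for one question."""
    points = [f.point for f in forecasts if f.question == question]
    if not points:
        raise ValueError(f"no forecasts for {question}")
    return mean(points)


def skill_weighted_pool(forecasts, question, outcomes):
    """Pool weighted by track record: weight = 1 - mean Brier score.
    Forecasters with no resolved questions get the coin-flip weight 0.75 (= 1 - 0.25)."""
    skill = {name: 1.0 - b for name, b in leaderboard(forecasts, outcomes)}
    num = den = 0.0
    for f in forecasts:
        if f.question == question:
            w = skill.get(f.forecaster, 0.75)
            num += w * f.point
            den += w
    if den == 0.0:
        raise ValueError(f"no forecasts for {question}")
    return num / den


# The open question from slide 27 (intervals as written on the slide).
BREACH = "BREACH_2019"
FORECASTS = [
    Forecast("Pradeep", BREACH, 0.10, 0.20, "No data to support increased threat level"),
    Forecast("Alice",   BREACH, 0.05, 0.15, "About the same as other companies in our sector"),
    Forecast("Bobby",   BREACH, 0.10, 0.20, "Company has written patching policy; no past breaches"),
    Forecast("Susan",   BREACH, 0.50, 0.60, "Apache Struts patches are 6 months out of date"),
    # Constructed history: two earlier questions the same SMEs forecast.
    Forecast("Pradeep", "Q1", 0.60, 0.70), Forecast("Pradeep", "Q2", 0.30, 0.40),
    Forecast("Alice",   "Q1", 0.20, 0.30), Forecast("Alice",   "Q2", 0.10, 0.20),
    Forecast("Bobby",   "Q1", 0.40, 0.50), Forecast("Bobby",   "Q2", 0.50, 0.60),
    Forecast("Susan",   "Q1", 0.80, 0.90), Forecast("Susan",   "Q2", 0.20, 0.30),
]
# Constructed resolutions: Q1 happened (1), Q2 did not (0); BREACH_2019 is still open.
RESOLVED = {"Q1": 1, "Q2": 0}

if __name__ == "__main__":
    for name, score in leaderboard(FORECASTS, RESOLVED):
        print(f"{name:8s} mean Brier {score:.4f}")
    print(f"equal-weight pool : {linear_pool(FORECASTS, BREACH):.4f}")
    print(f"skill-weighted pool: {skill_weighted_pool(FORECASTS, BREACH, RESOLVED):.4f}")
```

The leaderboard is what makes "skin in the game" concrete: the Brier score punishes confident misses more than hedged ones, so the SMEs who were calibrated on resolved questions earn more weight on the open one. In this constructed history Susan scores best, and the skill-weighted pool on the breach question moves from about 0.24 toward her evidence-backed 55%; feeding a KRI such as patch age into the question text is how the market gets better information rather than more opinions.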
  29. 2: WWFD? (What would Fermi do?)
  30. Classic Fermi Problem: What is the circumference of the Earth?
  31. What is the circumference of the Earth? 3,000 mi across 3 time zones gives 3,000 / 3 = 1,000 mi per time zone; 24 time zones × 1,000 mi = 24,000 mi.
  33. Hold my beer. “It is impossible to identify all critical assets.” WWFD?
  34. 3: Be the Business
  35. Is this your vuln scan report?
  36. Engaging the Risk Team: the decision maker is trying to solve a problem → makes up their mind (use a hammer) → justifies use of the hammer to the boss → “Oh, risk analysis”
  37. Risk analysis: uncertainty reduction when making a decision.
  38. Decision Science the…
  39. Decision Essentials (Ronald A. Howard): Choice, Information, Logic, Preference
  40. Decision Maker: Fork in the Road. A risk-based decision: risk assessment request → identify choice → identify preferences → identify information → form decision statement → start scoping the risk assessment
  41. Risk analysts behave differently when they have something on the line. Be unafraid of measurement challenges. Risk analysis is uncertainty reduction when making a decision. You are not alone.
  42. Tony Martin-Vegue @tdmv www.tonym-v.com