A new methodology developed by a team of researchers aims to standardise the assessment of economic risks posed by cyber incidents, highlighting the need for effective cyber risk evaluation in contemporary business.
Digital technology has permeated almost every aspect of contemporary life, offering remarkable benefits but also exposing businesses and individuals to various risks, particularly in the realm of cybersecurity. As software failures, cyberattacks, and data breaches become more commonplace, the demand for effective methodologies to assess and compare these risks has intensified. According to a survey conducted by the Society of Actuaries (SOA) Research Institute in May 2024, cyber and network incidents were identified as the second most significant emerging risk by risk managers.
Acknowledging this urgent need, the North American Actuarial Journal (NAAJ) recently awarded its annual prize for the best paper to “The Economic Impact of Extreme Cyber Risk Scenarios.” This work was authored by Martin Eling, Mauro Elvedi, and Greg Falco, and published in Volume 27, Issue 3 of the NAAJ. The paper presents a framework aiming to standardize how businesses assess the economic impacts of various cyber risk scenarios.
In an interview with The Actuary Magazine, Eling, a professor of Insurance Economics and chair for Insurance Management at the University of St. Gallen, Switzerland, explained, “Existing studies often lacked a standardized methodology, making it difficult to compare results or apply findings across different contexts.” This shortfall in methodological consistency has been highlighted as a significant obstacle in accurately assessing the risks posed by cyber incidents, compounded by the limited availability of historical data due to the underreporting of such events.
The authors’ comparative analysis stems from the growing interdependence of critical infrastructures across different sectors. Eling, alongside his co-authors Falco, an assistant professor at the Sibley School of Mechanical and Aerospace Engineering at Cornell University, and Elvedi, a former Ph.D. student at the Institute of Insurance Economics, aimed to systematically analyse cyber incidents, an effort further complicated by the geographical separation induced by the COVID-19 pandemic. The team collaborated through video conferencing technology, allowing them to merge their diverse areas of expertise.
Falco remarked, “I’m a cyber technical expert, so I brought the technological depth,” noting that their methodology included evaluating potential system disruptions. This comprehensive approach allowed the integration of qualitative risk descriptions with quantitative economic impact assessments. Eling added, “Our approach allows for the comparison of diverse scenarios within a standardized model.” This not only enhances the accuracy of economic impact estimates but also promotes replicability across various contexts.
Findings from their research indicate that the economic impacts of cyber incidents can significantly differ even within their newly established framework. In certain instances, the most severe economic outcomes suggested a potential for these cyber risks to be insurable, as some were found to be less severe than the impacts of natural disasters.
The findings presented in the paper have implications for a wide range of stakeholders, including actuaries, insurance professionals, risk managers, and policymakers. The methodology enables an understanding of the broader ripple effects of cyber incidents and includes a sensitivity analysis that can inform future research as well as practical applications in risk management.
Eling, Falco, and Elvedi envision that their work could guide the development of innovative cyber insurance products and adaptable strategies that address the nuances of cyber risks on a global scale. Falco pointed out the prospects for future research, stating, “We see AI risk and insurability as the next opportunity in this sector.” While they acknowledge that they currently lack enough case studies specifically regarding AI, they suggest that forthcoming analysis will likely yield valuable insights in this area.
Overall, the authors of the recognised paper hope to create a framework that encourages sectors to quantify the scale of cyber risks, enhancing preparedness and response strategies in a digital age chock-full of technological challenges.
Source: Noah Wire Services












