Better Security Through Risk Pricing
A Critical Challenge
The inability to accurately quantify cyber risk hinders a company’s and a market’s willingness to invest in security. For many companies, security is often viewed as a cost that may be warranted, but is difficult to justify as it offers little discernible benefit in terms of competitive advantage or the bottom line. The I3P’s Better Security through Risk Pricing project tackles this critical issue by exploring the potential for a multiple factor scoring-system to drive better decision making and fuel market-driven solutions to information security problems. Such a system characterizes cyber security risk in a manner analogous to risk scoring, say, in the insurance sector, thus enabling organizations to quantitatively assess their cyber defenses, reduce exposure to unexpected losses, price risk more effectively, and communicate their cyber-readiness to potential partners in a marketplace.
The project builds on existing scoring methods used in risk-based markets, including credit scoring, bond rating, cyber vulnerability scoring, cyber insurance questionnaires, the Capability Maturity Model Integration (CMMI), and ISO cyber security standards and benchmarks. Working closely with industry to ensure the solutions are both realistic and cost sensitive, I3P researchers are developing risk scoring metrics and effective scoring systems. Overall, the work takes into account the two key determinants of cyber risk: technologies that reduce the likelihood of attack and internal capabilities to respond to successful or potential attacks.
Working With Industry
The creation of consistent, accurate and transparent methods for incorporating cyber risk into general risk calculations has practical implications, especially for companies such as credit rating agencies, insurance companies, lending banks that already specialize in risk pricing, and supply chain partners with growing concern for risk transfer. Because cyber security risks are potentially high impact, assessing these risks accurately and including the data in larger risk portfolios should ultimately lead to more realistic risk pricing and improved market forces for information security incentives. In this regard, the Risk Pricing team’s multi-factor scoring system represents an important quantitative step toward more comprehensive risk pricing and improved market-driven cyber security.
Team Leader: Yacov Haimes firstname.lastname@example.org
Funded by the National Institute of Standards and Technology (NIST)