Patrick Naim, risk modelling expert.
Published Feb 15, 2019
This article is a proposal for the structured identification and assessment of cyber risks. It is one of the proposals submitted to the Federal Reserve of Richmond in March and November 2019, in preparation for the Cyber Risk Definition and Classification for Financial Risk Management.
A common standard for reporting cyber events is missing; as a consequence, data on cyber incidents are scarce and there have been very few quantitative analyses of cyber risk, as reported for instance in the International Monetary Fund Working Paper "Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment". According to this paper, where they exist, « available public and commercial datasets [...] are incomplete, have different coverage and use different definitions of cyber-attacks, which makes the analysis of cyber losses difficult. »
The SEC Commission Statement (2018) just mentioned refers to the « Willis Fortune 1000 disclosure report » issued in 2013 as an example of a survey of cyber-attack disclosures, as described in 10-K forms or annual reports. The Willis report lists the following « exposures » disclosed by the Fortune 1000 firms:
- Privacy/loss of confidential data
- Reputation risk
- Malicious acts
- Liability
- Business interruption
- Errors and malfunction
- Cyber terrorism
- Cyber regulatory risk
- Outsourced vendor risk
- Loss of intellectual property
- Product or service failure
- Social media risk
- Actual cyber events
This Prévert-style inventory (a heterogeneous catalogue) is a mix of events, causes, consequences, attackers, resources at risk, etc. Although informative, it illustrates the difficulty of proposing a common taxonomy for cyber-risks. Indeed, more than a taxonomy, what is lacking is a rationale behind the taxonomy, i.e. a way to represent the loss generation mechanism of cyber-risks and to derive a taxonomy from it. Building the taxonomy in this manner would ensure both consistency and the possibility of future evolutions.
This is the first aspect of our proposal, which we review now.
The cyber risk wheel is a representation of the mechanism behind both risk generation and loss generation. This means that the same representation can be used as a support for the identification of risks and the reporting of losses, and for the structured analysis of these risks.
This representation is based on three dimensions of a particular cyber risk: the asset, the access and the attacker.
It highlights the conditions for a cyber risk to exist: a piece of information, or a set of information, must represent a certain value for an attacker, and that attacker must be able to find a way to access this resource in order to steal it, or to destroy it in the case of sabotage.
The first dimension, which is at the centre of the wheel, is the asset,
i.e. the value that an attacker can covet. With regard to banks and
financial institutions, we can propose the following list:
- Banking services
- Card data
- Customer data
- Confidential business data
- Trade secrets
- Monetary assets
The second dimension defines the resource that needs to be compromised to access the asset. We propose the following list:
- Employees
- Networks
- Third parties
The third dimension defines the attacker, i.e. the entity that will organise and perpetrate the attack. We can use, for instance:
- Criminal networks
- Hacktivists
- Competitors
- Foreign governments
Of course, these lists can be extended and are subject to change. For instance, « Reputation » could be added to the list of assets. Technological developments, particularly in payment methods and data analysis, may lead to the emergence of new assets that have not yet been identified. For example, a 2019 article in the MIT Technology Review mentions new trends in cyber attacks. Including some of them in the cyber risk wheel, such as « hacking smart contracts » or « attacking from the computing cloud », would require adding new items to the previous lists: « smart contracts » may well be coveted by criminals, and hence could be an additional asset in the wheel, and « computing cloud providers » could be another access point to assets.
According to the rationale just proposed, the various cyber scenarios can be defined by combining three criteria: the attacker, the access and the asset. Who is attacking what, and how, defines the storyline of the cyber-risk scenario.
Below are the main scenarios that can be identified using the proposed decomposition.
| Asset | Access | Attacker | Scenario |
|---|---|---|---|
| Card Data | Third Party | Criminals | Merchant or Processor Card Compromise |
| Card Data | Employee | Criminals | Internal Card Compromise |
| Card Data | Networks | Criminals | External Card Compromise |
| Customer Data | Employee | Activists | Internal Customer Data Compromise |
| Customer Data | Networks | Activists | Cyber Attack – Customer Data Compromise |
| Application | Networks | Criminal, Activists | Cyber Attack – Critical Application Disruption |
| Application | Networks | Criminal, Activists | Cyber Attack – Data Alteration |
| Funds | Networks | Criminals | Cyber Attack – Fund Misappropriation |
This list of scenarios is not necessarily comprehensive, but it works well when tested against some recent events, and in particular the list of recent attacks against Central Banks documented in the IMF working paper already mentioned.
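As an added illustration (this is not the article's own code), the following Python model encodes the three dimensions of the wheel and the scenario table above. It normalises the slightly different labels used in the wheel lists and in the table (reading "Application" as "Banking services" and "Funds" as "Monetary assets" is my assumption, not something the article states), tags incident records with the scenario(s) whose storyline they match, and lists the Asset/Access/Attacker combinations for which the catalogue has no scenario yet, which is what testing the list against recent events amounts to in practice. The incident records are constructed, not real events.

```python
from itertools import product

# The three dimensions of the cyber risk wheel, as listed in the article.
ASSETS = ("Banking services", "Card data", "Customer data",
          "Confidential business data", "Trade secrets", "Monetary assets")
ACCESSES = ("Employees", "Networks", "Third parties")
ATTACKERS = ("Criminal networks", "Hacktivists", "Competitors", "Foreign governments")

# Canonical spelling for every wheel term, plus the variants used in the article's
# scenario table. Mapping "Application" to "Banking services" and "Funds" to
# "Monetary assets" is my reading of the article, not something it states.
CANONICAL = {term.lower(): term for term in ASSETS + ACCESSES + ATTACKERS}
CANONICAL.update({
    "application": "Banking services", "bank service": "Banking services",
    "funds": "Monetary assets",
    "employee": "Employees", "network": "Networks", "third party": "Third parties",
    "criminal": "Criminal networks", "criminals": "Criminal networks",
    "activists": "Hacktivists",
})


def canonical(term):
    """Normalise a free-text label to its wheel term; unknown labels are an error."""
    key = " ".join(term.split()).lower()
    if key not in CANONICAL:
        raise ValueError(f"unknown cyber risk wheel term: {term!r}")
    return CANONICAL[key]


# (asset, access, attackers, scenario) rows as they appear in the article's table.
SCENARIO_TABLE = [
    ("Card Data", "Third Party", "Criminals", "Merchant or Processor Card Compromise"),
    ("Card Data", "Employee", "Criminals", "Internal Card Compromise"),
    ("Card Data", "Networks", "Criminals", "External Card Compromise"),
    ("Customer Data", "Employee", "Activists", "Internal Customer Data Compromise"),
    ("Customer Data", "Networks", "Activists", "Cyber Attack – Customer Data Compromise"),
    ("Application", "Networks", "Criminal, Activists", "Cyber Attack – Critical Application Disruption"),
    ("Application", "Networks", "Criminal, Activists", "Cyber Attack – Data Alteration"),
    ("Funds", "Networks", "Criminals", "Cyber Attack – Fund Misappropriation"),
]

# scenario name -> set of canonical (asset, access, attacker) triples it covers
SCENARIOS = {}
for asset, access, attackers, name in SCENARIO_TABLE:
    for attacker in attackers.split(","):
        SCENARIOS.setdefault(name, set()).add(
            (canonical(asset), canonical(access), canonical(attacker)))


def classify(asset, access, attacker):
    """Return the scenario names whose storyline matches this (asset, access, attacker)."""
    triple = (canonical(asset), canonical(access), canonical(attacker))
    return [name for name, triples in SCENARIOS.items() if triple in triples]


def uncovered_combinations():
    """Wheel combinations with no scenario in the catalogue: candidates for new storylines."""
    covered = set().union(*SCENARIOS.values())
    return [t for t in product(ASSETS, ACCESSES, ATTACKERS) if t not in covered]


# Constructed incident records (not real events), in the form a reporting
# standard built on the wheel would capture them.
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "asset": "Card Data", "access": "Third Party", "attacker": "Criminals"},
    {"id": "INC-002", "asset": "Application", "access": "Networks", "attacker": "Activists"},
    {"id": "INC-003", "asset": "Trade secrets", "access": "Networks", "attacker": "Competitors"},
]


def tag_incidents(records):
    """Map each incident to its scenario(s); combinations outside the catalogue are flagged."""
    return {r["id"]: classify(r["asset"], r["access"], r["attacker"]) or ["Unclassified"]
            for r in records}


if __name__ == "__main__":
    for inc_id, names in tag_incidents(SAMPLE_INCIDENTS).items():
        print(inc_id, "->", "; ".join(names))
    print(len(uncovered_combinations()), "wheel combinations have no scenario yet")
```

Two details matter for a reporting standard: a single combination may map to several storylines (Application/Networks/Activists matches both the disruption and the data alteration scenarios, so the reporter must still choose), and the uncovered list is long (64 of the 72 combinations), which is the concrete form of the article's remark that the scenario list is not comprehensive.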
One of the main advantages of the proposed approach is that the scenarios identified can be structured directly using the Exposure, Occurrence and Impact (XOI) method.
In theory, decomposing a cyber risk scenario into Asset, Access and Attacker maps directly onto an Exposure, Occurrence, Impact decomposition: the Access defines the Exposure, the Attacker the Occurrence and the Asset the Impact.
However, in practice, it is sometimes easier to consider that the Assets are directly exposed to the risk, and that the Access points are used only to define the probability of Occurrence.
Let us consider the Internal Card Compromise as a first example:
Asset: Card Data
Access: Employee
Attacker: Criminals
In that case, the Access points are the employees having access to large volumes of unencrypted card data. These people can be listed and identified, which results in a proper assessment of the Exposure.
For this scenario, we can use the following XOI decomposition:
Exposure (Access): Number of Employees
Occurrence (Attacker): Threat Level of Criminals
Impact (Asset): Card Data volume
On the other hand, let us now consider the Cyber Attack – Critical Application Disruption scenario:
Asset: Bank Service
Access: Network
Attacker: Criminals, Activists
In that case, evaluating all the possible ways of carrying out, for instance, a Denial of Service is not really feasible. Therefore, it is preferable in that case to consider that:
Exposure (Access): Bank Service
Occurrence (Attacker): Threat Level of Criminals, Vulnerability of Access
Impact (Asset): Business dependent on the Service
This scenario occurs in the case of an external attack that makes a critical application, or a group of them, unavailable and limits or stops operations. This scenario focuses on significant attacks, either in duration or in magnitude.
This story can then be translated into the following graph:
Once this qualitative work is performed, drivers are assessed individually, through various data sources. Subject matter experts, external research, and internal and external loss data are useful inputs that allow the drivers to be scaled and assessed.
The table below presents some hypothetical value ranges for each driver.
| DRIVER | TYPE | ASSESSMENT | SOURCE |
|---|---|---|---|
| Number of Critical Applications | Objective | 5 applications: Cards, Transfers, Trade, Loans, Internet Banking | Business Data, Resiliency Team |
| Type of Attack | Subjective | Duration: 80%; Magnitude: 20% | SMEs, External Research, Internal Loss Data, External Loss Data |
| Probability of Cyber Attack | Subjective | [5–20%] per application and per year | SMEs, External Research, Internal Loss Data, External Loss Data |
| Dependent Revenue (per day) | Objective | Internet Banking: $5–10m; Cards, Loans: $10–20m | Business Data, Annual Reports |
| Dependent Transactions (per day) | Objective | Transfers: $70–80bn; Trades: $4–6bn | Business Data |
| Compensation Rate | Subjective | Transfers: $0–10 per $1mm trans.; Trades: $0–300 per $1mm trans. for a duration attack, $0–600 per $1mm trans. for a magnitude attack | Local model based on Daily Penalty, Slowdown, Average TTR |
| Loss of Revenue Rate | Subjective | Duration Attack: 20%; Magnitude Attack: 100% | SMEs |
| Time To Recovery | Subjective | Duration Attack: 2–12 days; Magnitude Attack: 0–2 days | Resiliency Team, Business Impact Analysis, External Research |
Once every driver is assessed, distributions are compiled into a Bayesian network that is sampled through Monte Carlo simulation as described in the simple algorithm below.
REPEAT 1,000,000 times:
    • SET the cumulated loss to 0
    • SAMPLE the Exposure from its conditional distribution
    • FOR each exposed unit:
        • SAMPLE the Occurrence of the event from its conditional distribution
        • IF the occurrence is TRUE:
            • SAMPLE the Impact of the event from its conditional distribution
            • ADD the impact to the cumulated loss
The cumulated loss resulting from the simulation is used to estimate the distribution of potential losses over the next year. The graph below presents a possible representation of the results, showing in particular the different percentiles of the cumulated potential losses (for instance, the 99.9th percentile is around $60m).
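The XOI loop above, carried through for the Critical Application Disruption scenario with the driver values of the table, as an added example in Python (it is not the article's model or code). Where the table gives a range, the example samples uniformly within it; that distributional choice, the loss formulae (lost revenue for Cards, Loans and Internet Banking, compensation per $1mm of affected volume for Transfers and Trades), the use of the single Transfers compensation range for both attack types, and the fixed exposure of 5 applications are my assumptions. It is therefore not calibrated to reproduce the article's $60m figure; it shows how the drivers become a sampled annual loss distribution and its percentiles.

```python
import random

# Driver assessments copied from the article's table for the "Cyber Attack -
# Critical Application Disruption" scenario. Ranges are sampled uniformly
# (assumption); which driver applies to which application is also my mapping.
APPLICATIONS = {
    # Exposure: the 5 critical applications (objective driver, fixed here)
    "Cards":            {"revenue_per_day": (10e6, 20e6)},
    "Loans":            {"revenue_per_day": (10e6, 20e6)},
    "Internet Banking": {"revenue_per_day": (5e6, 10e6)},
    "Transfers":        {"transactions_per_day": (70e9, 80e9),
                         # $ per $1mm of transactions; the table gives one range
                         # for transfers, assumed to apply to both attack types
                         "compensation": {"duration": (0, 10), "magnitude": (0, 10)}},
    "Trades":           {"transactions_per_day": (4e9, 6e9),
                         "compensation": {"duration": (0, 300), "magnitude": (0, 600)}},
}
P_ATTACK_RANGE = (0.05, 0.20)                    # per application and per year
P_DURATION_ATTACK = 0.80                         # remaining 20%: magnitude attack
TIME_TO_RECOVERY_DAYS = {"duration": (2, 12), "magnitude": (0, 2)}
LOSS_OF_REVENUE_RATE = {"duration": 0.20, "magnitude": 1.00}


def sample_impact(app, rng):
    """Impact driver: loss in $ for one successful attack on `app`."""
    kind = "duration" if rng.random() < P_DURATION_ATTACK else "magnitude"
    ttr = rng.uniform(*TIME_TO_RECOVERY_DAYS[kind])
    drivers = APPLICATIONS[app]
    loss = 0.0
    if "revenue_per_day" in drivers:
        # revenue-bearing application: revenue lost while the service is degraded
        loss += rng.uniform(*drivers["revenue_per_day"]) * LOSS_OF_REVENUE_RATE[kind] * ttr
    if "transactions_per_day" in drivers:
        # transaction application: compensation paid per $1mm of affected volume
        volume_mm = rng.uniform(*drivers["transactions_per_day"]) / 1e6
        loss += volume_mm * rng.uniform(*drivers["compensation"][kind]) * ttr
    return loss


def simulate_year(rng):
    """One Monte Carlo trial of the XOI loop: cumulated loss over one year."""
    cumulated = 0.0                                        # SET the cumulated loss to 0
    for app in APPLICATIONS:                               # FOR each exposed unit
        if rng.random() < rng.uniform(*P_ATTACK_RANGE):    # SAMPLE the Occurrence
            cumulated += sample_impact(app, rng)           # SAMPLE the Impact, ADD it
    return cumulated


def simulate(n_trials=200_000, seed=2019):
    """REPEAT n_trials times; returns the list of simulated annual losses."""
    rng = random.Random(seed)
    return [simulate_year(rng) for _ in range(n_trials)]


def percentiles(losses, levels=(0.50, 0.90, 0.99, 0.999)):
    """Empirical percentiles of the annual loss distribution (nearest-rank method)."""
    ordered = sorted(losses)
    n = len(ordered)
    return {q: ordered[min(n - 1, int(q * n))] for q in levels}


def max_possible_loss():
    """Analytic upper bound on one year's loss: every application hit at its worst."""
    total = 0.0
    for drivers in APPLICATIONS.values():
        worst = 0.0
        for kind, (_, ttr_max) in TIME_TO_RECOVERY_DAYS.items():
            loss = 0.0
            if "revenue_per_day" in drivers:
                loss += drivers["revenue_per_day"][1] * LOSS_OF_REVENUE_RATE[kind] * ttr_max
            if "transactions_per_day" in drivers:
                loss += (drivers["transactions_per_day"][1] / 1e6
                         * drivers["compensation"][kind][1] * ttr_max)
            worst = max(worst, loss)
        total += worst
    return total


if __name__ == "__main__":
    losses = simulate()
    for q, value in percentiles(losses).items():
        print(f"{q:.1%} percentile of annual loss: ${value / 1e6:,.1f}m")
    print(f"worst case bound: ${max_possible_loss() / 1e6:,.1f}m")
```

The analytic bound is the check a reviewer of such a model wants first: if the sampled 99.9th percentile ever exceeds it, a driver or unit conversion is wrong. With these ranges roughly half the simulated years see no attack at all, so the median is near zero while the tail is driven by long duration attacks on the revenue-bearing applications.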