Cyber Risk: Assets, Access and Attackers

PN

Patrick Naim, risk modelling expert.
Published Feb, 15, 2019



Introduction

This article is a proposal for the structured identification and assessment of cyber risks. It is one of the proposals submitted the Federal Reserve of Richmond in March and November 2019, in preparation of the Cyber Risk Definition and Classification for Financial Risk Management.

A common standard for reporting cyber events is missing, and as a consequence data on cyber incidents is scarce and there have been very few quantitative analyses of cyber risk, as reported for instance in the International Monetary Fund Working Paper (Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment). According to this paper, when they exist « available public and commercial datasets [...] are incomplete, have different coverage and use different definitions of cyber-attacks, which makes the analysis of cyber losses difficult. »

The SEC Commission Statement (2018) just mentioned, refers to the « Willis Fortune 1000 disclosure report » issued in 2013 as an example of a survey of cyber-attack disclosure, as described in the 10K forms or annual reports. The Willis report lists the following « exposures » disclosed by the Fortune 1000 firms:


Privacy/loss of confidential data
Reputation risk
Malicious acts
Liability
Business Interruption
Errors and malfunction
Cyber terrorism
Cyber regulatory risk
Outsourced vendor risk
Loss of intellectual property
Product or service failure
Social media risk
Actual cyber events


This Prévert-list inventory is a mix of events, causes, consequences attackers, resources at risk, etc. Although informative, this illustrates the difficulty of proposing a common taxonomy for cyber-risks.
Indeed, more than a taxonomy, what is lacking is a rationale behind the taxonomy, i.e. a way to represent the loss generation mechanism of cyber-risks and derive a taxonomy from this approach. Building the taxonomy in this manner would insure both possible evolutions and consistency.
This is the first aspect of our proposal we will review now.

The Cyber risk wheel

The cyber risk wheel is a representation of the mechanism representing both the risk generation and the loss generation. This means that this representation can be used both as a support for the identification of risks and the reporting of losses, and for the structured analysis of these risks.
This representation is based on 3 dimensions of a particular cyber risk:


Cyber Wheel

This representation highlights the conditions for a cyber risk to exist: it is necessary that an information or set of information represents a certain value for an attacker, and that this attacker can find a way to access this resource to steal or destroy it, in the event of sabotage.
The first dimension, which is at the centre of the wheel, is the asset, i.e. the value that an attacker can covet. With regard to banks and financial institutions, we can propose the following list:


Banking services
Card data
Customer data
Confidential business data
Trade secrets
Monetary assets


The second dimension defines the resource that need to be compromised to access the asset. We propose the following list :

Employees
Networks
Third parties


The third dimensions defines the attacker, i.e. the entity that will organise and perpetrate the attack.
We can use for instance:

Criminal networks
Hacktivists
Competitors
Foreign governments


Of course, these lists can be completed and are subject to change.
For instance, « Reputation » could be an asset added to the list. Technological developments, particularly in payment methods and data analysis, may lead to the emergence of new assets that have not yet been identified. For example, in a recent 2019 article, the MIT technology review mentions new trends in cyber attacks. Including some of them in the cyber risk wheel, such as « hacking smart contracts » or  « attacking from the computing cloud » would require to add new items to the previous lists. « Smart contracts » may well be coveted by criminals, and hence could be an additional asset in the wheel. « The computing cloud providers » could be another access point to assets.

Application to Risk Identification

According to the rationale we just proposed, the various cyber scenarios can be defined by combining three criteria: the attackers, the access and the assets. Who is attacking what and how will define the storyline of the cyber-risk scenario.
Below are the main scenarios that can be identified using the proposed decomposition.


Asset    Access    Attacker    Scenario
Card Data
Third Party Criminals Merchant or Processor Card Compromise
Card Data Employee
Criminals Internal Card Compromise
Card Data Networks Criminals External Card Compromise
Customer Data Employee Activists Internal Customer Data Compromise
Customer Data Networks
Activists Cyber Attack – Customer Data Compromise
Application Networks Criminal, Activists Cyber Attack – Critical Application Disruption
Application Networks Criminal, Activists
Cyber attack – Data alteration
Funds Networks Criminals Cyber Attack – Fund misappropriation


This list of scenarios is not necessarily comprehensive, but it works well when tested against some recent events, and in particular the list of recent attacks against Central Banks documented in the IMF working paper already mentioned.

Application to Risk Measurement

One of the main interests of the proposed approach is that the scenarios identified can directly be structured using the Exposure, Occurrence and Impact method.
In theory, the decomposition of a cyber risk scenario into Asset, Access and Attacker, would directly result in an Exposure, Occurrence, Impact decomposition:

However, in practice, it is sometimes easier to consider that the Assets are directly exposed to the risk, and that the Access points are used only to defined the probability of Occurrence.

Let us consider the Internal Card Compromise as a first example.

Asset Card Data
Access Employee
Attacker Criminals


In that case, the Access points are the Employees having access to large volume of unencrypted card data. These people can be listed and identified, therefore resulting in a proper assessment of the Exposure.
For this scenario, we can use the following XOI decomposition

Exposure
(Access)
Number of Employees
Occurrence
(Attacker)
Threat Level of Criminals
Impact
(Asset)
Card Data volume


    On the other hand, let us consider now the Cyber Attack – Critical Application Disruption scenario
  
   

Asset Bank Service
Access Network
Attacker Criminals, Activists


In that case, evaluating all the possible ways to implement for instance a Denial of Service is not really possible. Therefore, it is preferred in that case to consider that:


Exposure
(Access)
Bank Service
Occurrence
(Attacker)
Threat Level of Criminals
Vulnerability of Access
Impact
(Asset)
Business dependent
of the Service.


Example - Cyber-attack on Critical Application

This scenario occurs in case of an external attack that makes a critical application or a group of those unavailable and limits or stops operations. This scenario focuses on significant attacks, either in duration or magnitude.

Then, this story can be translated in the following graph as shown below:


CYA Graph

Once this qualitative work is performed, drivers are assessed individually, through various data sources.
Subject matter experts, external research, internal and external loss data are useful inputs that allow scaling and assessing of drivers.
The table below presents some hypothetical value ranges for each driver.


DRIVER    TYPE    ASSESSMENT    SOURCE
Number of Critical Applications Objective 5 applications: Cards, transfers, trade, loans, internet banking Business Data, Resiliency Team
Type of Attack Subjective Duration: 80%
Magnitude: 20% 
SMEs, External Research
Internal Loss Data, External Loss Data
Probability of Cyber Attack Subjective [5–20%] per application and per year SMEs, External Research
Internal Loss Data, External Loss Data
Dependent Revenue (per day)
Objective Internet Banking: $5–10m
Cards, Loans: $10–20m
Business Data, Annual Reports
Dependent Transactions
(per day)
Objective Transfers: $70–80bn
Trades: $4–6bn
Business Data
Compensation Rate
Subjective Transfers: 0–10$ per $1mm trans.
Trades: 0–300$ per $1mm trans. for a duration attack, 0–600$ per $1mm trans. for a magnitude attack
Local model used based on Daily Penalty, Slowdown, Average TTR
Loss of Revenue Rate Subjective Duration Attack: 20%
Magnitude Attack: 100%
SMEs
Time To Recovery Subjective Duration Attack: 2–12 days
Magnitude Attack:  0–2 days
Resiliency Team, Business Impact Analysis, External Research

Once every driver is assessed, distributions are compiled into a Bayesian network that is sampled through Monte Carlo simulation as described in the simple algorithm below.



REPEAT 1,000,000 times:

•  SET the cumulated loss to 0
•  SAMPLE the Exposure from its conditional distribution
•  FOR each exposed unit
•  SAMPLE the Occurrence f the event from its conditional distribution
•  IF the occurrence is TRUE:
•  SAMPLE the Impact of the event from its conditional distribution

ADD the impact to the cumulated loss


The cumulated impact resulting from the simulation is used to estimate the distribution of potential losses over the next year. The graph below presents a possible representation of the results, showing in particular the different percentiles of the cumulated potential losses (for instance, the 99.9% percentile is around $60m).


CYA Results