Insurer IAG has put a financial figure on the loss that a breach or ransomware attack would cause its business. It models this amount to understand how far planned InfoSec investments might offset those losses.
Ian Cameron, head of cyber security and governance, told IBM Think 2018 in Sydney that the “value-at-risk modeling” project uses the company’s actuarial expertise to put a number on different levels and types of security threats.
Cameron said, “Because we’re an insurance company, we can use actuarial methods to price or model what the costs of a loss event would be.”
He added, “If we have a major data breach or a major ransomware attack, we’ve done some really great work in the past 12 months to model the net cost of losses to our organization in terms of the loss of productivity, the cost of advertising to address the concerns of our customers, the legal costs, and the costs of regulatory oversight.
We’ve been able to work out the distribution of loss from a small event to a very big event.”
Last year, organizations hit by the Petya malware reported losses of hundreds of millions of dollars, as well as lost sales.
Cameron believes that IAG has to take its modeling “one step further” and use “what if” as the basis, planning scenarios around the impact that different security investments might have in reducing the loss caused by a cyber-breach.
Cameron further asked, “What if we had all this extra security in place?”
He added, “We’ve been able to calculate what security controls are really going to be most effective in bringing that cost of impact [of an incident] down.
“This is fairly novel and it does take some investment to achieve.”
He concluded, “So I think the key message is really to start with an honest discussion with the business around what the threats are, and have a really good educative discussion around what the likelihoods and the impacts will be, and that will then better arm you to understanding the solution and level of security that needs to be applied.”