Cover
About the Authors
1. ANDREW COBURN
2. ÉIREANN LEVERETT
3. GORDON WOO
Acknowledgments
CHAPTER 1: Counting the Costs of Cyber Attacks
1. 1.1 ANATOMY OF A DATA EXFILTRATION ATTACK
2. 1.2 A MODERN SCOURGE
3. 1.3 CYBER CATASTROPHES
4. 1.4 SOCIETAL CYBER THREATS
5. 1.5 CYBER RISK
6. 1.6 HOW MUCH DOES CYBER RISK COST OUR SOCIETY?
7. ENDNOTES
CHAPTER 2: Preparing for Cyber Attacks
1. 2.1 CYBER LOSS PROCESSES
2. 2.2 DATA EXFILTRATION
3. 2.3 CONTAGIOUS MALWARE INFECTION
4. 2.4 DENIAL OF SERVICE ATTACKS
5. 2.5 FINANCIAL THEFT
6. 2.6 FAILURES OF COUNTERPARTIES OR SUPPLIERS
7. ENDNOTES
CHAPTER 3: Cyber Enters the Physical World
1. 3.1 A BRIEF HISTORY OF CYBER-PHYSICAL INTERACTIONS
2. 3.2 HACKING ATTACKS ON CYBER-PHYSICAL SYSTEMS
3. 3.3 COMPONENTS OF CYBER-PHYSICAL SYSTEMS
4. 3.4 HOW TO SUBVERT CYBER-PHYSICAL SYSTEMS
5. 3.5 HOW TO CAUSE DAMAGE REMOTELY
6. 3.6 USING COMPROMISES TO TAKE CONTROL
7. 3.7 OPERATING COMPROMISED SYSTEMS
8. 3.8 EXPECT THE UNEXPECTED
9. 3.9 SMART DEVICES AND THE INTERNET OF THINGS
10. ENDNOTES
CHAPTER 4: Ghosts in the Code
1. 4.1 ALL SOFTWARE HAS ERRORS
2. 4.2 VULNERABILITIES, EXPLOITS, AND ZERO DAYS
3. 4.3 COUNTING VULNERABILITIES
4. 4.4 VULNERABILITY MANAGEMENT
5. 4.5 INTERNATIONAL CYBER RESPONSE AND DEFENSE
6. ENDNOTES
CHAPTER 5: Know Your Enemy
1. 5.1 HACKERS
2. 5.2 TAXONOMY OF THREAT ACTORS
3. 5.3 THE INSIDER THREAT
4. 5.4 THREAT ACTORS AND CYBER RISK
5. 5.5 HACKONOMICS
6. ENDNOTES
CHAPTER 6: Measuring the Cyber Threat
1. 6.1 MEASUREMENT AND MANAGEMENT
2. 6.2 CYBER THREAT METRICS
3. 6.3 MEASURING THE THREAT FOR AN ORGANIZATION
4. 6.4 THE LIKELIHOOD OF MAJOR CYBER ATTACKS
5. ENDNOTES
CHAPTER 7: Rules, Regulations, and Law Enforcement
1. 7.1 CYBER LAWS
2. 7.2 US CYBER LAWS
3. 7.3 EU GENERAL DATA PROTECTION REGULATION (GDPR)
4. 7.4 REGULATION OF CYBER INSURANCE
5. 7.5 A CHANGING LEGAL LANDSCAPE
6. 7.6 COMPLIANCE AND LAW ENFORCEMENT
7. 7.7 LAW ENFORCEMENT AND CYBER CRIME
8. ENDNOTES
CHAPTER 8: The Cyber-Resilient Organization
1. 8.1 CHANGING APPROACHES TO RISK MANAGEMENT
2. 8.2 INCIDENT RESPONSE AND CRISIS MANAGEMENT
3. 8.3 RESILIENCE ENGINEERING
4. 8.4 ATTRIBUTES OF A CYBER-RESILIENT ORGANIZATION
5. 8.5 INCIDENT RESPONSE PLANNING
6. 8.6 RESILIENT SECURITY SOLUTIONS
7. 8.7 FINANCIAL RESILIENCE
8. ENDNOTES
CHAPTER 9: Cyber Insurance
1. 9.1 BUYING CYBER INSURANCE
2. 9.2 THE CYBER INSURANCE MARKET
3. 9.3 CYBER CATASTROPHE RISK
4. 9.4 MANAGING PORTFOLIOS OF CYBER INSURANCE
5. 9.5 CYBER INSURANCE UNDERWRITING
6. 9.6 CYBER INSURANCE AND RISK MANAGEMENT
7. ENDNOTES
CHAPTER 10: Security Economics and Strategies
1. 10.1 COST-EFFECTIVENESS OF SECURITY ENHANCEMENTS
2. 10.2 CYBER SECURITY BUDGETS
3. 10.3 SECURITY STRATEGIES FOR SOCIETY
4. 10.4 STRATEGIES OF CYBER ATTACK
5. 10.5 STRATEGIES OF NATIONAL CYBER DEFENSE
6. ENDNOTES
CHAPTER 11: Ten Cyber Problems
1. 11.1 SETTING PROBLEMS
2. ENDNOTES
CHAPTER 12: Cyber Future
1. 12.1 CYBERGEDDON
2. 12.2 CYBERTOPIA
3. 12.3 FUTURE TECHNOLOGY TRENDS
4. 12.4 GETTING THE CYBER RISK FUTURE WE WANT
5. ENDNOTES
References
Index
End User License Agreement

List of Tables

Chapter 2
1. TABLE 2.1 Data potentially at risk of exfiltration, with suggested data classification policy.
2. TABLE 2.2 Data breach loss severity scale for number of personal records (PII, PCI, PHI) in data exfiltration, with statistics for United States, 2012 to mid-2018.
3. TABLE 2.3 Examples of contagious malware outbreaks ranked by global impact, past 30 years.
4. TABLE 2.4 Examples of different types of payloads of contagious malware, ranked by the severity of the consequences it can potentially inflict on the host system.
5. TABLE 2.5 Examples of ransom payments reported to have been paid by large organizations hit by cyber extortion attacks.
6. TABLE 2.6 Intensity of distributed denial of service attacks that will disable servers of given volumes, if unprotected.
7. TABLE 2.7 Increasing magnitude of DDoS activity year on year.
Chapter 5
1. TABLE 5.1 Prices of commodities available on dark web black market sites.
2. TABLE 5.2 Skill level gradings for cyber hackers.
Chapter 6
1. TABLE 6.1 Selected examples of scenarios that would cause MediaMark to have a loss of more than $50 million, with the odds of that scenario occurring in a given year.
Chapter 9
1. TABLE 9.1 Coverages available in cyber insurance products, and how common they are in products being offered across the market.
2. TABLE 9.2 Examples of published scenarios of probable maximum loss: hypothetical stress test scenarios used by insurance companies to assess potential cyber catastrophes that would cause large numbers of their policy holders to make insurance claims.
3. TABLE 9.3 Company-specific cyber risk rating variables collected on cyber insurance underwriting questionnaires. Compilation from 32 questionnaires collected 2017.
Chapter 10
1. TABLE 10.1 Bug vulnerability classification.

List of Illustrations

Chapter 1
1. FIGURE 1.1 Trading interconnectivity of major companies in the global economy. Cyber losses can cascade through the economy to create a multiplier effect for economic costs. Oracle, a market-leading provider of databases, is highlighted to illustrate an example of the key role played by providers of information technology in the global economy.
2. FIGURE 1.2 Global cyber risk: likelihood of loss occurring from cyber attacks.
3. FIGURE 1.3 Cyber catastrophes, their potential impacts, and their estimated likelihoods.
Chapter 2
1. FIGURE 2.1 Costs of US data breaches by size of breach (2012–2017).
2. FIGURE 2.2 WannaCry infections across the world and business impacts, May 2017.
3. FIGURE 2.3 Examples of losses caused to businesses by NotPetya malware, June 2017.
4. FIGURE 2.4 Classes of cloud services – equivalent or similar services being provided by the Big Four cloud service providers.
5. FIGURE 2.5 Geographical architecture of the Big Four cloud service providers, with major regional centers identified, serving local markets.
6. FIGURE 2.6 Regions and services provided by each of the Big Four cloud service providers, identifying the potential for cascading outages across both dimensions. The AWS S3 outage of February 28, 2017 is plotted for reference.
7. FIGURE 2.7 Duration of cloud service outages reported in a single year (2017 statistics for 100,000 events) extrapolated for likelihood of longer outage events per year.
Chapter 5
1. FIGURE 5.1 State-sponsored cyber teams: a selection.
Chapter 7
1. FIGURE 7.1 World map of data privacy regulation.
Chapter 9
1. FIGURE 9.1 Leading cyber insurance companies by market share (admitted market US 2017).

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Names: Coburn, Andrew (Andrew W.), author. | Leverett, Eireann, author. | Woo, G., author.

Title: Solving cyber risk: protecting your company and society / Andrew Coburn, Eireann Leverett, Gordon Woo.

Subjects: LCSH: Computer security. | Data protection.

Classification: LCC QA76.9.A25 (ebook) | LCC QA76.9.A25 C577 2019 (print) | DDC 005.8—dc23

LC record available at https://lccn.loc.gov/2018035611

Cover Design: Wiley
Cover Image: © iStock.com/scyther5

About the Authors

The three authors worked together on the development of the leading cyber risk analysis model being used by the insurance industry today, and in the development of scenarios for regulating cyber risk. They are each specialists in different fields of risk and cyber technology.

ANDREW COBURN

Andrew is a specialist in risk, and is the architect of the Cyber Solutions risk model marketed by Risk Management Solutions, Inc. (RMS), the leading cyber risk model being used in the insurance industry today. He is a senior vice president of RMS and one of the main contributors to the creation of commercial catastrophe risk models over the past 25 years. His previous books include Earthquake Protection (John Wiley & Sons). He is also a Director of the Cambridge Centre for Risk Studies (CCRS), based in the business school of the University of Cambridge, where he has coordinated the cyber risk research program and been the lead author on a number of CCRS cyber risk publications, which have been highly cited. Cyber risk scenarios developed at the CCRS have been adopted as stress tests by industry regulators. He is a frequent speaker at conferences on risk and financial services.

ÉIREANN LEVERETT

Éireann is an ethical hacker with many years of experience in cyber security and the impacts of computer security failures and accidents. He is the founder of Concinnity Risks Ltd and a Senior Researcher on Cyber Risk at the Cambridge Centre for Risk Studies (CCRS) at the University of Cambridge. He has experience of compromising the security of organizations, and assisting them to improve their security postures through a variety of short- and long-term methods. While his background is in artificial intelligence (AI) and computer security, he has increasingly taken an interest in a risk-centric view of computer security, and how markets can help or hinder progress in defending the internet. He is a member of the Forum of Incident Response and Security Teams (FIRST; https://www.first.org), and regularly speaks at incident response and hacker conferences.

GORDON WOO

Gordon is a catastrophist with Risk Management Solutions, Inc. (RMS), focusing mainly on complex man-made insurance risks such as terrorism and cyber risk. Profiled in Newsweek magazine, he was described as one of the world's leading catastrophists. He has 30 years of experience in catastrophe risk consultancy, advising financial institutions, governments, and major corporations. He was educated at Cambridge University, with degrees in mathematics, theoretical physics, and computer science. He is a visiting professor at University College London, and an adjunct professor at Nanyang Technological University, Singapore. He is the author of the books The Mathematics of Natural Catastrophes and Calculating Catastrophe, published by Imperial College Press.

Acknowledgments

The authors are fortunate to be supported by some great teams who have helped them carry out much of the work presented in this book. We have tried to acknowledge individual contributions wherever possible, but we would like to acknowledge specifically the inputs of:

Cambridge Centre for Risk Studies

We have had the support of some of the best and brightest at the Cambridge Centre for Risk Studies, a world-leading research center at Judge Business School, University of Cambridge. We are particularly grateful to the Executive Directors: Simon Ruffle, Professor Danny Ralph, and Dr Michelle Tuveson, and to the cyber risk research team: Dr Jennifer Daffron at stroke, Jennifer Copic, Tamara Evan, Kayla Strong, Andrew Smith (Drew to his risk colleagues), Kelly Quantrill, James Bourdeau, Tim Douglas, and Dr Andy Skelton. We are particularly indebted to Olivia Majumdar for her help in getting this book under way.

We are also indebted to the companies that have sponsored the research into cyber risk at the Cambridge Centre for Risk Studies, including Lockheed Martin, Lloyd's of London (with particular thanks to Trevor Maynard for his support and encouragement), AXA XL, Pool Re, Citigroup, American International Group (AIG), Risk Management Solutions, Inc. (RMS), and all the other supporters that have included cyber risk within the range of multi-threat risk research.

Risk Management Solutions, Inc.

We very much appreciate the support of our colleagues at RMS in the cyber model development team, particularly the business leadership of Dr Mohsen Rahnama, Peter Ulrich, Adam Sandler, Tom Harvey, and Kathleen Maloney, and the model development team, ably led by Dr Christos Mitas, Dr Hichem Boudali, Chris Vos, John Agorgianitis, Dr Malik Awan, and Simon Arnold. We appreciate the RMS team allowing us to use data from the RMS Cyber Loss Experience Database in various chapters of the book. We are of course particularly grateful to Dr Robert Muir Wood, who has created a culture of curiosity and innovation at the company, from which we all benefit. We are grateful to Hemant Shah, founder of RMS, for his support of research, tolerance of enquiry, and vision for new risk management frameworks, and to Karen White, CEO, for her emphasis on cyber risk analytics in the future of the organization.

We are also grateful to all the RMS clients who have worked with us over the past few years, helping us understand the nature of cyber risk from their experience, perspectives, and claims data.

Cambridge Computer Laboratory, University of Cambridge

We also gratefully acknowledge the inputs and assistance of our colleagues at the Cambridge Computer Laboratory and Cambridge Cybercrime Centre, including Director Dr Richard Clayton, Graham Rymer, Professor Frank Stajano, Professor Ross Anderson, Rob Watson, Dr Alice Hutchings, Professor Jon Crowcroft, and Professor Ian Leslie.

There are a number of hackers and members of the incident response community who contributed to these ideas either directly or indirectly, and either as individuals or as companies doing good work. In no particular order, we thank Sid Rao, Reid Wightman, Matt Erasmus, Erin Burns, Louise Stanhope, Baiba Kaskina, Silje Endsjo, Thomas Dullien, Marion Marschalek, Marie Moe, Alexandre Dulaunoy, Raphael Vinot, Thais Moreira Hamasaki, Aristotle Tzafalias, Arrigo Triulzi, Bruce Stenning, Aaron Kaplan, Thomas Schreck, and Jens Wiesner, with special thanks to Colin Cassidy for going on the full journey.

Finally, but by no means least, we would like to acknowledge the support (and tolerance) of our partners and families in the writing and production of the book. Many thanks, Helen (enjoyed the drinks on the riverbank boring you about hackonomics); Fatma and Mehmet (penguins); and Victoria.

Solving Cyber Risk

Protecting your company and society

About the Authors

ANDREW COBURN

ÉIREANN LEVERETT

GORDON WOO

Acknowledgments