This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.
Author: Sander Zeijlemaker, Cybersecurity Research Affiliate, MIT Sloan (CAMS), Managing Director, Disem Institute, Michael Siegel, Senior Researcher and Director, MIT CAMS, Daniel Goldsmith, Managing Director, Julius Education, Shaharyar Khan, Research Affiliate , MIT CAMS , System Engineer, Shell
- Living in an advanced digital society means that organizations must have a thorough understanding of cybersecurity in order to take effective action.
- The dynamic nature of cyber risk means boards need to take a multi-faceted approach to mitigating any potential impact.
- Leaders can develop better foresight to manage cyber risk through exploratory and interactive technology solutions, such as MIT CAMS.
We live in an advanced digital society, in which technological developments are rapidly changing – with powerful networks, increasing interconnectedness and highly automated concepts such as e-health, smart cities and the fourth industrial revolution playing an increasingly important role. most important.
This rise of these technologies means that cybersecurity is an extremely important and growing prerequisite for a successful functioning society.
Our new digital reality demands that business leaders adequately assess and govern cyber risk and executive decision makers are required to have a solid understanding of cyber risk concepts and issues in order to take effective action.
However, both the dynamic nature of cyber risk and exponential growth in cyberattacks can introduce challenges in decision-making.
To this end, the World Economic Forum and its partners, together with the National Association of Corporate Directors (NACD), Internet Security Alliance (ISA) and PwC, have published six Board Governance Principles for Cyber Risk to enable organizations to better manage and understand how to navigate strategic and operational choices related to cyber risks.
A key principle of this guide is that boards should “align cyber risk management with business needs” in all aspects of decision-making, including innovation, mergers and acquisitions, product development, etc
Exposure to cyber risk threatens customer reputation and trust
Executives routinely face tough decisions in managing cyber risk, as exposure to cyber risk can threaten reputation, customer trust, and competitive positioning, potentially leading to fines and lawsuits.
In this context, leaders must simultaneously deal with changing organizational priorities, changing budgets, technologies and workforces, as well as changing adversary tactics and emerging security events, among others. .
This complexity as a whole is called the dynamic nature of cyber risk.
However, executive decision makers are often overwhelmed with complexity and pressure to act when dealing with cyber risk issues and in such situations the risk of security blind spots exist.
Scientific research indicates that 56% of experienced security specialists and managers make suboptimal decisions and that these suboptimal decisions can lead to up to 200% higher cost base.
Many approaches are available to support business leaders and executives in their role of defining and implementing a sustainable cybersecurity and cyber resilience strategy.
Examples include periodic risk assessments using industry-recognized frameworks – such as the NIST, C2M2 and ISO 27001 cybersecurity framework – or running cyber event simulations and exercises.
Risk assessment is the process of identifying cyber risks and evaluating the consequences of those risks when they occur.
Cyber event simulations and drills are techniques that mimic cyber attacks in a controlled manner. Often, they appear as tabletop drills or approved preset attacks against the defender’s infrastructure.
While these activities are helpful in establishing a baseline for cyber risk management, the dynamic nature of cyber risk is not taken into account. They can best be described as a one-dimensional approach, which results in decision makers frequently underestimating risk.
In their most advanced form, these activities can capture the situation in near real time, while business leaders and executives also need to see what the future outcome of their planned decisions will be.
Therefore, decision support systems for cyber risk management are needed. These systems require dealing with multi-dimensional dynamic issues, such as the dynamic nature of cyber risk, and non-linear variables, such as the exponential increase in cyber attacks, so that they can represent the organizations that are being managed.
Forward-looking decision support system for cyber risk management
MIT CAMS developed a cyber risk dashboard that provides the means to make forward-looking projections on several critical performance indicators relevant to an organization’s cybersecurity strategy, as there was a lack of solutions that capture the dynamic nature cyber risk.
The MIT CAMS dashboard takes into account the dynamic nature of cyber risk, as it is supported by scientifically based computer modeling. Simulation is based on control theory and uses stocks and flows determined by differential equations to represent the actions of people, processes, and technology in an organization.
It takes into account the dynamic effects as well as the interdependence of different security efforts, enabling strategic and effective decision-making in cyber risk management.
The dashboard focuses on a highly innovative approach that allows leaders to simulate the impact of their decisions before making big moves. investments. This exists to determine the areas that organizations want to optimize for prioritization.
An anonymized exploratory case study leveraging the CAMS dashboard was conducted at a Fortune-500 company called Smart Wealth Management Inc.
As part of the case study, common managerial challenges such as resource allocation and budget prioritization were selected as levers to analyze their impact on cyber risk management decisions and cybersecurity more broadly. strategy.
This was done because the CAMS dashboard mimics a real-life decision-making environment in a safe and isolated test environment, or sandbox. This empowers leaders to explore and experiment with a wide range of strategic decisions without any real cyber impact on the organization.
Poor cyber risk management can negatively impact an organization
An important lesson from the case study is that poor cyber risk management decisions can impact and cripple the entire organization. To be effective, interventions must take into account the interdependence of decisions and the interactions between the different mechanisms and departments that prevail in the organization.
Another important lesson from the case study is that traditional approaches can be complemented by the CAMS dashboard.
In our case study, we used Smart Wealth Management’s existing cyber risk reports and assessments to populate the model parameters for simulation and analysis.
This approach has lasting benefits for leaders because they can:
- Visualize how their strategic choices will evolve in real life through organization-specific simulations.
- Observe how strategic choices can help maintain the organization’s risk appetite.
- Prioritize cyber budgets and resource allocation to ensure rapid risk response.
- Identify counterintuitive strategies that maximize the benefits of cyber risk management decisions.
Leaders must do more to manage and mitigate cyber risks
The continued exponential growth of cyberattacks further pushes executive decision-makers to stay one step ahead.
Reacting after the fact can be very costly and increase the need for ex post regulatory assessment and sanctions. We see and understand that cyber risk is dynamic in nature, and now we must act accordingly this.
What is the World Economic Forum doing on cybersecurity?
The World Economic Forum’s Center for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The center is an independent and impartial platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.
Since its launch, the center has had an impact on the entire cybersecurity ecosystem:
- Train a new generation of cybersecurity experts
Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, offer free training that is accessible worldwide through the Cybersecurity Learning Center.
- Building a global response to cybersecurity risks
The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, the European Network and Information Security Agency and the National Institute for Standards and US technology, identifies future global risks coming generation technology.
- Improving cybersecurity in the aviation industry
Through the Cyber resilience in the aviation industry initiative, the center has improved cyber resilience in aviation in collaboration with Deloitte and more than 50 other companies and international organizations.
- Making the global electricity ecosystem more cyber-resilient
The center and platform for shaping the future of energy, materials and infrastructure has brought together leaders from over 50 companies, governments, civil society and academia to develop a clear and cohesive cybersecurity vision for the industry electricity.
- The Advice on the connected world agreed on IoT security requirements for consumer devices to protect them from cyber threats, calling on the world’s largest manufacturers and suppliers to take action for better IoT security.
- The Forum is also a signatory to the Paris Call for Trust and Security in Cyberspacewhich aims to ensure worldwide digital peace and security.
contact us for more information on how to get involved.
Through exploratory and interactive technology solutions, leaders can develop better foresight to manage the economics of cyber risk and alignment with business needs.
The CAMS dashboard is a leading example of this direction.