World Economic Forum Proposes New Cyber Risk Framework

With the annual World Economic Forum meeting in Switzerland just days away, the organization and its partners have released a new framework designed to help businesses calculate the impact of cyber-threats.

The framework, called "cyber value-at-risk", was proposed in a new report entitled 'Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats' and was created in collaboration with Deloitte. The idea behind the framework is to help organizations answer questions about their susceptibility to cyber attacks, how valuable their key assets are and who might be after them.

Aerial photo from the futuristic and stylish Intercontinental Hotel in Davos, Switzerland. The Annual Meeting of the World Economic Forum will take place in Davos from January 21 to 24, 2015. (Image Credit: World Economic Forum)

"The goal of cyber value-at-risk is to standardize and unify different factors into a single normal distribution that can quantify the value at risk in case of a cyberattack," according to the report. "The effort should both be specific to the organization and reflect industry-wide trends. Once there is a statistical model to measure cyber risks, it can be incorporated into a broader risk strategy of a company."

The framework includes three principal components: the assets under threat; a profile of the attacker, based on who the attacker is and their motivation; and information about vulnerabilities and defenses in the enterprise.

"The components, some of which can be represented by both random variables (a variable subject to change due to chance, such as frequency of attacks, general security trends, maturity of security systems in the organization, etc.) are put into a stochastic model (a statistical tool to estimate probability distribution, which has one or more random variables over a period of time)," the report continues. "The statistical process will yield a probability distribution."

"Continuous cyberattacks on global organizations are showing that we are at a crossroads," said Alan Marcus, senior director of the information and communication technology industries for the World Economic Forum, in a statement. "The same technologies many organizations have become so dependent on can also threaten their very core. This is why we are launching a Future of the Internet initiative in Davos, including this critical cyber value-at-risk framework."

World Economic Forum on Cybersecurity

The challenge cybersecurity poses is also mentioned in the World Economic Forum's 10th annual Global Risks report, which notes that the Internet of Things will bring not only its share of innovations to the business world, but new risks as well.

"Analytics on large and disparate data sources can drive breakthrough insights but also raise questions about expectations of privacy and the fair and appropriate use of data about individuals," the Risks report notes. "Security risks are also intensified. There are more devices to secure against hackers, and bigger downsides from failure: hacking the location data on a car is merely an invasion of privacy, whereas hacking the control system of a car would be a threat to life. The current Internet infrastructure was not developed with such security concerns in mind."

"The IoT is likely to disrupt business models and ecosystems across a range of industries," the report continues. "While this will deliver innovation, the prospect of many large players across multiple industries being forced to change so radically at the same time raises potential systemic risks such as large scale disruption in labour markets and volatility in financial markets. A major public security failure could also prevent the IoT from becoming truly widespread."

The report also notes that the distributed nature of the Internet requires global cooperation when it comes to Internet governance. Two kinds of issues exist: technical matters related to the Internet's infrastructure, and overarching matters such as cybercrime, privacy and Net neutrality.

"Responsibility for the technical infrastructure of the Internet is dispersed among several organizations, including the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), the Regional Internet Registries (RIRs), the root servers’ operators, and the Internet Corporation for Assigned Names and Numbers (ICANN)," according to the report. "The solutions they propose – policy models, standards, specifications or best practices – spread through voluntary adoption or ad hoc conventions, regulations, directives, contracts or other agreements. No such systems exist for developing and implementing solutions to the overarching issues. Consequently, governments are feeling pressure to enact national measures to deal with their citizens’ data and privacy concerns."

To improve the situation, the World Economic Forum is starting a multi-year initiative to bring leaders in the public and private sector together with the technical community and others to address these issues, according to the report.

"Twenty-five years after the fall of the Berlin Wall, the world again faces the risk of major conflict between states," said Margareta Drzeniek-Hanouz, lead economist for the World Economic Forum, in a statement. "However, today the means to wage such conflict, whether through cyberattack, competition for resources or sanctions and other economic tools, is broader than ever. Addressing all these possible triggers and seeking to return the world to a path of partnership, rather than competition, should be a priority for leaders as we enter 2015."
