Week 1:
Market perspective
- Recommendations (of Larcker, Reiss & Tayan – 2017)
1. Integrate cybersecurity in the company’s risk framework (customer AND corporate
data)
2. Monitor if management and employees take cybersecurity seriously
3. Develop a data breach action plan (incl. board responsibilities)
i. GDPR gives rules to have this
4. Monitor data classification and security policies (incl. director communications,
documents, and conversations).
i. Classification: good way to secure
5. Terminate or reduce/restructure reward of board members and management in case
of cyber impact
i. Focuses only on the negative & you are not in control; you can always be a victim
6. Increase board cyber savviness (educate & recruit)
Cybersecurity
- Cybersecurity = the protection of cyber systems against cyber threats.
- Cyber threat = a threat that exploits cyberspace.
- Cost benefit analysis
- Framework
- Should do: look at several aspects
- All four need to be balanced
- Spooks: governments using tools to protect national interest – including the risk of those tools ending up
in the hands of crooks
- Crooks: botnet herders, malware writers, spam senders, bulk account compromise, targeted
attackers and cash out operators.
- Geeks: experts and researchers that report vulnerabilities – in order to enable fixing the
vulnerability.
- The swamp: focus on person rather than on property, e.g., hacktivism and hate campaigns
- Risk Management – ISO/IEC 27000:2018 – is a standard for cyber protection. It was updated in
2022 to adapt to new risks. Some new controls were added, and the controls are grouped under four theme clauses:
o Organizational
o People
o Physical
o Technology
Cyber Insurance
- Yes/No
o Allows organizations to transfer some of the financial risks associated with cyber
incidents to an insurer
o The financial losses covered might include costs associated with remediation, investigators and crisis
communication
o Most cyber insurers are general insurance companies offering a
broader range of insurance services.
- Trends
o Currently insurers reduce coverage in combination with increasing premiums
o Stop covering the costs of ransom payments
o Increasing minimum cyber security maturity levels (beyond having in place
reasonable security measures?)
o Educate insured organisations
- Going forward cyber-insurance providers will thrive by succeeding in:
o rewarding security,
o generating knowledge,
o punishing insecurity, and
o partnering with technology providers who have deep access to policyholders’ IT
architecture.
Willingness to pay ransom
▪ It is not always legal to pay…
- Not surprisingly: “strong relationship between WTP and concern for data breach, with those
who were concerned about data breach being more willing to pay the ransom”
- 3 basic categories of attitude to paying the ransom:
o Those who would object on principle to giving money to a criminal (28% of
respondents) and those who did not value their files (25%) showed lowest WTP
o Those who would not trust the criminal (20%) or hope to recover their files through
an expert (18%) showed significantly higher WTP
o Those who would pay if the price were right (1%) had highest WTP
- Ransomware – six dilemmas
1. Are you technically prepared (e.g., back-ups and zero trust approach)?
2. Do you have access to threat intelligence (e.g., open source decryption keys –
researchers and culprit intelligence – researchers & law enforcement authorities)?
3. Do you have cyber insurance, and what does it really cover?