Risk Insider: Jack Hampton

Cyber Risk: It’s Like Living on Mount Etna

By: Jack Hampton | May 3, 2016

John (Jack) Hampton was a Professor of Business at St. Peter’s University, a core faculty member at the International School of Management (Paris), and a Risk Insider at Risk and Insurance magazine where he was named a 2018 All Star. He was Executive Director of the Risk and Insurance Management Society (RIMS), dean of the schools of business at Seton Hall and Connecticut State universities, and provost of the College of Insurance and SUNY Maritime College in New York City.

Everybody should have a favorite volcano and mine is Mount Etna in Sicily. A long time ago I became intrigued with the risk it poses for its neighbors.

Five distinct, active craters. A major eruption every two years throughout recorded history. Occasional destruction of entire villages.

A Risk & Insurance® webinar on April 27, “Maximizing ROI in Mitigating Cyber Risk,” conjured up a question. Is modern cyber risk the electronic equivalent of an active volcano? If yes, what do we do about living on it?

The webinar examined how organizations can maximize the return on investment from cyber risk mitigation. That is, how can we invest capital to achieve a specific financial goal?

The situation is straightforward. If we operate on Mount Etna, we will never control the volcano. We either get off or prepare for the year 1669 when an eruption wiped out parts of Catania and lava streams reached the Mediterranean Sea.

The sponsor was the Society of Actuaries. Thus, we could expect quantitative solutions to cyber problems. That was not what happened.

For starters, the speakers separated the information technology viewpoint from enterprise risk management. Organizations invest in computers and networks to earn a return on capital.

Time-value-of-money analysis shows whether such an investment is wise. This does not happen with cyber security decisions. The takeaway from the webinar was that quantitative tools are not at the level we need in an ERM context. In my view, they never will be.


With cyber risk we are stuck about halfway up the mountain. We will be ducking lava flows for many years.

Where can we take refuge?

Business analytics can help us understand the costs and opportunities of cyber risk mitigation. The webinar recommended the National Institute of Standards and Technology (NIST) Cybersecurity Framework to help with cyber security decisions:

Identify. What are the things that are at risk? Include assets, data, computer systems and capabilities.

Protect. How do we safeguard those things? Include “hard” techniques like firewalls, encryption, and segregation. Do not forget “soft” approaches to reduce intentional or careless behaviors of employees, customers, vendors and authorized users.

Detect and Respond. Spend big money to hire people who could otherwise be wealthy beyond their wildest dreams if they took up hacking and avoided jail. Turn them loose to spot system weaknesses and block cyber security losses.

Recover. This may be the most important item on the NIST list. Assume the unexpected. Develop a contingency plan. Create a crisis team. Simulate an event. Assess your ability to restore assets, data, and capabilities. Spend the money to fix that which needs to be fixed.

Now we go back to the return on investment. Measure it partly in financial terms with discounted cash flow techniques. Extend the analysis to incorporate the negative consequences of loss of markets, damage to reputation, and downgrading of stock value.
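To make the discounted cash flow idea concrete, here is an added worked example (not from the article or the webinar) that scores two hypothetical controls against a constructed loss scenario. It treats annual loss expectancy as probability times per-event loss, folds the indirect consequences named above (lost markets, reputation, share price) into the per-event loss, and lets one control cut the probability of an event (a Protect investment) while the other cuts the damage once an event happens (a Recover investment). All figures, control names and reduction percentages are invented for illustration.

```python
"""Discounted cash flow comparison of cyber risk controls (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LossScenario:
    """Expected cost of a material cyber event before any new control.

    Every figure below is constructed for illustration, not taken from the article.
    """
    annual_probability: float   # chance of at least one material event per year
    direct_loss: float          # per-event response, restoration, legal, notification
    indirect_loss: float        # per-event lost markets, reputation, share price drop

    def annual_loss_expectancy(self) -> float:
        return self.annual_probability * (self.direct_loss + self.indirect_loss)


@dataclass(frozen=True)
class Control:
    """A mitigation investment described by what it costs and what it removes."""
    name: str
    upfront_cost: float           # year-0 spend
    annual_cost: float            # licences, staff, exercises in years 1..N
    probability_reduction: float  # share of event probability removed (Protect)
    impact_reduction: float       # share of per-event loss removed (Recover)

    def apply(self, scenario: LossScenario) -> LossScenario:
        """Scenario that remains once this control is in place."""
        return LossScenario(
            scenario.annual_probability * (1 - self.probability_reduction),
            scenario.direct_loss * (1 - self.impact_reduction),
            scenario.indirect_loss * (1 - self.impact_reduction),
        )


def present_value(cash_flows: List[float], rate: float) -> float:
    """Sum of cash flows discounted at `rate`; index 0 is today and undiscounted."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def avoided_annual_loss(scenario: LossScenario, control: Control) -> float:
    """Annual loss expectancy removed by the control."""
    return scenario.annual_loss_expectancy() - control.apply(scenario).annual_loss_expectancy()


def control_cash_flows(scenario: LossScenario, control: Control, years: int) -> List[float]:
    """Year-0 outlay, then `years` of (loss avoided minus running cost)."""
    net_benefit = avoided_annual_loss(scenario, control) - control.annual_cost
    return [-control.upfront_cost] + [net_benefit] * years


def npv_of_control(scenario: LossScenario, control: Control, rate: float, years: int) -> float:
    """Net present value of buying the control and holding it for `years`."""
    return present_value(control_cash_flows(scenario, control, years), rate)


def discounted_rosi(scenario: LossScenario, control: Control, rate: float, years: int) -> float:
    """Return on security investment: discounted net benefit per discounted dollar spent."""
    avoided = avoided_annual_loss(scenario, control)
    pv_savings = present_value([0.0] + [avoided] * years, rate)
    pv_costs = present_value([control.upfront_cost] + [control.annual_cost] * years, rate)
    return (pv_savings - pv_costs) / pv_costs


def rank_controls(scenario: LossScenario, controls: List[Control], rate: float, years: int) -> List[str]:
    """Control names ordered from highest to lowest NPV."""
    ranked = sorted(controls, key=lambda c: npv_of_control(scenario, c, rate, years), reverse=True)
    return [c.name for c in ranked]


# Constructed sample inputs: a 1-in-4 chance per year of an event costing
# $2M directly and $3M in lost business and reputation.
SCENARIO = LossScenario(annual_probability=0.25, direct_loss=2_000_000, indirect_loss=3_000_000)
CONTROLS = [
    Control("perimeter hardening (Protect)", 400_000, 100_000, probability_reduction=0.40, impact_reduction=0.0),
    Control("recovery programme (Recover)", 300_000, 50_000, probability_reduction=0.0, impact_reduction=0.50),
]

if __name__ == "__main__":
    rate, years = 0.08, 5
    print(f"Baseline annual loss expectancy: {SCENARIO.annual_loss_expectancy():,.0f}")
    for control in CONTROLS:
        npv = npv_of_control(SCENARIO, control, rate, years)
        rosi = discounted_rosi(SCENARIO, control, rate, years)
        print(f"{control.name:32s} NPV {npv:>12,.0f}  ROSI {rosi:5.2f}")
    print("Best by NPV:", rank_controls(SCENARIO, CONTROLS, rate, years)[0])
```

With the constructed numbers the recovery programme has the higher NPV even though it never stops an event, because halving the damage of a $5M event is worth more than shaving 40 percent off its probability. The point of the model is not the particular result but that the indirect losses and the recovery capability must sit inside the same cash flow as the firewalls, or the comparison is meaningless.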

The common lesson of Mount Etna and cyber risk is that we cannot control the “mountain.” We should focus on our ability to survive an “eruption.”

This means we do not pursue the maximum return on investment. Instead, we should seek the maximum return on creating resilience after a cyber event.
