Lero researchers create tool to assess cyber risk
A new cyber risk tool was created by researchers at Lero, the Science Foundation Ireland (SFI) Research Centre for Software, to help large organisations identify, assess, and mitigate cyber risks, and enable insurance companies to design appropriate insurance products.
The new method of assessment has been developed by Lero researchers working in the emerging risk group at University of Limerick’s Kemmy Business School. It combines risk matrix and bow-tie models to produce a rating based on the likelihood of a cyber-threat occurring and the potential severity of the resulting consequence.
Tested on a city hospital in mainland Europe, the framework can not only offer a risk score (threat and consequence), but it can pinpoint steps that can be taken to improve the security measures. Likewise, it affords an insurance company a robust quantitative and qualitative assessment approach.
Team leader Dr Barry Sheehan points out cybercrime is estimated to have cost the global economy just under €1 trillion in 2020, and losses continue to grow. “Cyber-attacks pose a growing threat to global commerce that is increasingly reliant on digital technology to conduct business,” said Sheehan. “Traditional risk assessment and underwriting practices face serious shortcomings when encountered with cyber threats.”
“Our cyber-risk classification and assessment framework, QBowtie, is designed to demonstrate the significance of proactive and reactive barriers in reducing companies’ exposure to cyber risk and quantify the risk”, Dr Sheehan explained in a paper titled ‘A quantitative bow-tie cyber risk classification and assessment framework’, recently published in the Journal of Risk Research.
“The QBowtie model can accommodate both historical data and expert opinion and previously known frameworks to score the threats, barriers and escalators for the framework,” said Sheehan. “It also provides a practical framework that allows insurers to assess risks, visualise areas of concern and record the effectiveness of implementing control barriers.”
According to Dr Sheehan, the purpose of the tool is to accurately evaluate an organisation’s exposure to cyber risks. “While we studied the exposure of a hospital, healthcare settings would be infrequent targets for cyber-attacks although, as we have seen in Ireland, there are exceptions. This tool would not have prevented such an attack. Instead, it would provide a more robust methodology for cyber risk assessment, which will allow insurance companies, for example, to more accurately assess risk, supporting more granular pricing. This means that the premiums of companies purchasing cyber insurance products will more accurately reflect their cyber risk.”
Lero’s Prof Finbarr Murphy, a co-author of the study and Dean of UL’s Kemmy Business School, said cyber risk requires innovative assessment methods to provide more accurate management tools and risk transfer pricing. This will enable insurance companies to classify and quantify companies’ cyber risk, helping guide the creation of insurance products and support underwriting decisions.
“Currently, many companies are significantly exposed and vulnerable to losses and costs associated with cyber threats and crime,” added Sheehan. “It is projected that the cyber insurance market will grow significantly due to growing cyber awareness and the introduction of new regulations. Today, total global premiums are around $2 billion and are predicted to reach $20 billion by 2025.”
Dr Sheehan believes the QBowtie framework can be developed into a fully quantitative cyber-risk classification method as more data becomes available through regulatory disclosure requirements, insurers claims’ experience and data sharing.