Lloyd's Risk Index 2013 is getting a fair bit of coverage in the information/IT security press since it ranks cyber risk the third most significant business risk this year, up from twelfth and nineteenth places in 2011. It is lower than the risks of high taxation (which I guess refers to the political risk of higher tax rates being introduced, since current tax rates are known and have a probability of close to 1) and loss of customers (which is of course bad news for any business in terms of the impact, and is more likely when times are hard).
The following chunk caught my eye within page 11 on cyber risks:
"According to a report published in April 2013 by the Insurance Information Institute, employee negligence is responsible for 39% of data breaches, system glitches for 24% and malicious or criminal attacks for only 37%. That leaves nearly two-thirds of incidents caused by issues which should reasonably be within a business’ control."
It's not entirely clear what they mean. The first and third proportions stated are both close to one third. Possibly they consider 'malicious and criminal attacks' to be not within the control of the organization - which is nonsense. All organizations subject to 'malicious and criminal attacks' (meaning practically everyone) should be well on top of preventive, detective and corrective controls against malware, hacks, frauds, social engineering and so on. Likewise with 'employee negligence', which is very much within management's domain of influence. Various policies and procedures, plus training and awareness, plus data entry validation and other technical controls, all address 'employee negligence'. It seems to me that organizations can and should address all significant information security risks, not just the two-thirds stated. Not to do so represents a governance failure.
I'm not even entirely sure what "data breaches", "system glitches" and "malicious or criminal attacks" are, in this context, although we can all guess. Perhaps the original report from which this information was gleaned is more specific.
Anyway, the report recommends "... spending money upfront on risk management – and ensuring recommendations are implemented throughout a company – might go a long way to preventing a cyber disaster before it starts". Hear hear! It's a shame they didn't go on to explain what an organization ought to do to prevent "a cyber disaster", but that's no surprise given that it was a general business survey.
PS I can't find the number of organizations surveyed in the report - a fundamental parameter, I would have thought, since it materially affects the margins of error (which aren't stated). The geographical spread does at least suggest a reasonably large survey.