Welcome to the SecAware blog

I spy with my beady eye ...

20 Feb 2016

Zurich Insurance global cyber risk reports

Zurich Insurance published a web page with a bunch of graphs projecting the global costs and benefits of cybersecurity under various scenarios ... but what do they mean? What is the basis for analysis? I find the graphs confusing, almost devoid of meaning like so many infographics, a triumph of marketing gloss over substance. The page succeeded, however, in catching my beady eye.

Although Zurich neglected to provide a working hyperlink, Google led me inexorably to the research paper from which the graphs were plucked: Risk Nexus: Overcome by Cyber Risks? Economic Benefits and Costs of Alternate Cyber Futures is a report by the Zurich Insurance Group and the Atlantic Council's Brent Scowcroft Center on International Security plus the Pardee Center for International Futures at the University of Denver, a follow-up to their 2014 report: Beyond Data Breaches: Global Aggregations of Cyber Risk.   

Apart from casually referring to "cyberspace" as 'the internet and associated IT', the reports are littered with undefined/vague cyber terms such as "cyber risks", "cyber attacks", "cyber crime", "cyber incidents", "cyber shocks" and "cyber futures". You might be comfortable with "cyber" but replacing it with "Internet-related" suits me better since they are not talking about information or IT security in general, nor about cyberwar in particular - two other common cyber-interpretations.

The 2014 report

The 2014 report conjured up and considered a potential disaster scenario involving a major Internet-related incident at a large communications technology firm triggering cascading failures affecting the global economy, in other words a systemic risk with global repurcussions:
"Early on, we nicknamed this project ‘cyber sub-prime’ because we intended it to expose the global aggregations of cyber risk as analogous to those risks that were overlooked in the U.S. sub-prime mortgage market. Problems in that segment spread far beyond the institutions that took the original risks, and proved severe enough to administer a shock that reverberated throughout the entire global economy. At first, the term ‘cyber sub-prime’ was just a quirky nickname, but it soon became a useful analogy, helping us to gain additional insights into cyber risks based on extended parallels with the financial sector."
While there is value in drawing lessons from the global financial crisis, I wonder if maybe the research team has been blinkered into that particular mode of thinking or world view, ignoring other possible futures such as, say, terrorism or more gradual as opposed to sudden crises, overpopulation for example? 

Anyway, the report recommended "several concrete steps that must be taken to overcome these inevitable shocks of the future and prevent what could be called a 'cyber sub-prime' meltdown.  Recommendations to be resilient to cyber shocks include:
  • Putting the private sector at the center of crisis management, since government management of cyber risk lacks the agility needed
  • Developing plans within organizations that have system-wide responsibility that ensure the stability of the system as a whole, rather than risks to an individual organization
  • Creating redundant power and telecommunications suppliers and alternate ISPs connect to different peering points
  • Investing in trained teams ready to respond with defined procedures
  • Conducting simulations of the most likely and most dangerous cyber risks to better prepare"
I appreciate what they are getting at in the first bullet but I'm not sure I agree with it. The private sector may arguably be more 'agile' in managing Internet-related risks, but overall is it doing any better in fact? I see little evidence that the private sector is any more highly protected than the government sector, particularly given differences in the nature of their respective risks. Even if that's true, why did they ignore or discount the obvious strategic option of improving government sector Internet-related security, I wonder? Perhaps the fact that the research was funded by a private-sector insurance company has something to do with it ... 

Their other points about considering systemic risk and developing more resilient infrastructures, effective incident response and training exercises involving simulations are fine by me, conventional and widely supported. The possibility of complete, permanent failure of the Internet is but one of several extreme disaster scenarios that I recommend clients consider for information risk and business continuity management purposes. My key point is not to plan too narrowly for any one particular scenario (or in fact any of the unbounded set of credible situations that could lead to such an outcome, such as an all-out cyberwar) but to use a wide variety of diverse scenarios to develop more comprehensive resilience, recovery and contingency arrangements in a far more general sense. Preparing for the worst case has benefits under less extreme conditions too, while there are far too many scary possibilities to risk being unprepared for what actually transpires.

As to whether those five bullets constitute "concrete steps", I guess it's a matter of perspective or terminology. The report stops well short of providing pragmatic action plans and allocating responsibilities. Not so much rock-hard concrete as sloppy mud! [In contrast, take a look at the ICAO Global Aviation Safety Plan, a strategic approach to ensure continued safety in the global aviation industry, laying out specific actions, responsibilities and timescales: now that's what I call concrete!]

The 2015 report

The risk and economic modeling study evidently continued, leading to last year's report.  I'll leave you to cast a cynical eye over the latest report. I'm too jaded to take it seriously.


  1. It's exceedingly refreshing to see a critical evaluation of just about any of this stuff.

  2. Right on the button, Cody. A lot of it is written or spun by marketers, bandied about by journalists, and all too often becomes part of the folklore. Time for a few reality checks, I reckon.