Cyber Risk Wednesday: October 23, 2013

Join us every third Wednesday of the month for interactive discussions on the hottest topic in cyber.

Transcript of "Cyber Risk Wednesday: October 23, 2013"

  1. Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime”
     Cyber Risk Wednesdays
     Atlantic Council, Cyber Statecraft
  2. Global Aggregation of Cyber Risks
     • Push by Martin Senn to be thought leader in cyber risk management
       – Understand, not protect, from cyber risks
       – Not necessarily tied to immediate insurance products
     • Funded by Zurich Insurance for ~1-year effort
       – Under think tank, not commercial, agreement
     • Result in report on global pools of cyber risk, understandable to boards, other executives
     • Major launch event in 2Q2014
     Slide footer: 23 October 2013, Global Aggregation of Cyber Risk, Zurich and Atlantic Council
  3. Traditional Cyber Threats
     “Cyber” just means interconnected IT, but that increasingly means everything
     Common Terms:
     • Intrusion, hack
     • Cybercrime
     • Carders
     • Russia, East Europe
     • Stolen identity, credit cards, records
     • Extortion
     Diagram labels: Internet; Corporation X; Criminals, Hacktivists, Spies, Militaries
     Diagram caption: Steal individual records with personal info to sell
  4. Traditional Cyber Threats
     Common Terms:
     • Intrusion, hack
     • DDoS (distributed denial of service)
     • Anonymous
     • Patriotic hackers
     Diagram labels: Internet; Corporation X; Criminals, Hacktivists, Spies, Militaries
     Diagram caption: Disrupt network or steal sensitive or embarrassing info
  5. Traditional Cyber Threats
     Common Terms:
     • Intrusion, hack
     • IP Theft
     • China
     • Advanced Persistent Threat
     Diagram labels: Internet; Corporation X; Criminals, Hacktivists, Spies, Militaries
     Diagram caption: Steal R&D, business plans or negotiating strategies
  6. Traditional Cyber Threats
     Common Terms:
     • Stuxnet
     • Shamoon
     • Iran, US, China
     • Cyber war, cyber conflict
     Diagram labels: Internet (marked X); Corporation X; Criminals, Hacktivists, Spies, Militaries
     Diagram caption: Disrupt network or systems or even upstream Internet – very rare
  7. Non-Traditional Cyber Threats
     The Cloud
  8. But This is All At the Level of Individual Organization. What About the Systemic Risks?
     Mainstream cyber risk management is markedly similar to that for finance prior to 2008!
  9. Cyber Sub-Prime
     • Cyber is in the same place finance was prior to 2008
     • Examination of cyber risk pools
     • Analysis of key factors
     • Recommendations
  10. Cyber Sub-Prime
     Cyber is in the same place finance was prior to 2008
     • Risk only examined one organization at a time
     • Risks passed outside organization into unknown pools
     • Little if any governance of the system as a whole and complex interdependencies ignored
     • Led to catastrophic global failure, even for those organizations which handled internal risks correctly!
     • We are heading for similar fate with global aggregation of cyber risk
  11. Overlapping Pools of Systemic Cyber Risk
     Upstream Infrastructure
     • Electrical, finance
     • Bandwidth and Internet infrastructure like IXPs, submarine cables, security tokens
     • Embedded devices: ICS, SCADA
     • Some key companies: MSFT
     • Networking standards like BGP and DNS
     • Internet governance
     External Shocks
     • Conflicts, malware pandemics
     • States: China, Russia, US
     • Non-states: Activists, Anonymous, organized crime
     • Intrusion, disruption, theft of IP, espionage
     Supply Chain
     • China
     • Counterfeit security components, software
     • Global logistics chain
     Internal Enterprise
     • Desktop, server, data centers, networks
     • Software: in-house, legacy, custom, commercial, open source
     Disruptive Tech
     • Internet of everything and digital economy largely w/o human intervention
     • Embedded medical, human enhancement, driverless cars, etc
     Outsourced and Contract
     • China, India
     • Manufacturing
     • Professional: HR, legal, accounting, consultancy
     • Defense industrial base
     Counterparties and Partner
     • Trusted interconnections
     • Dependence
  12. Notional Quad Chart
     Axes: Lowest Hazard to Highest Hazard; Most Control to Least Control
     Chart labels: Disruptive Tech; Supply Chain; External Shocks; Upstream Infrastructure; Outsourced and Contract; Counterparties and Partner; Internal Enterprise
     Every year, technology and business processes push us further up and to the right!
     Mitigated government action, resilience, standards, regulations
     Mitigated by risk management, resilience contracts, SLAs, MOUs
  13. Analysis: The Upside
     • Few if any single shocks could affect cyberspace in any way that could transfer into a strategic shock to the global economy
     • Defenders are excellent at responding
     • System has been extremely resilient day-to-day and year-to-year
  14. Analysis: The Downside
     • Three separate vulnerabilities: interconnectedness and complexity, lack of transparency, and lack of either local control or system-wide governance
       – Everything increasingly interdependent in unknowable ways
       – Tech and business models continue to push major risks away from management understanding and control
       – No system-wide governance
       – In the face of catastrophic failures, not clear who would be in charge or what levers they could use
       – Few backup paths for crisis communication or manual workarounds
  15. Therefore
     • Main concern is that a failure of multiple key elements could lead to cascading failures
       – Where is the next Lehman? The next subprime?
     Expected future: Organizations will suffer ever more frequent shocks like natural disasters … too severe to ever be able to sufficiently protect
  16. How?
     • Either one shock that cascades completely out of control or multiple shocks which cascade and reinforce one another
     • Examples: California earthquake, large cloud provider goes bust (Enron-style fraud, Lehman-style misunderstanding of risk, etc), major routing protocol failure or attack, slow deterioration of resilience and defenses over time, major GPS outage takes out global precision navigation and time signals
  17. Three Recommendations for Companies
     1. Organizations can take basic and advanced mitigations, depending on their maturity and resources
     2. However, since so much risk is external, complex, and interdependent, resilience is the main hope for companies
     3. Board-level risk management including insurance and other risk transfer options
  18. Two Recommendations for Governments and System-Wide Organizations
     1. Far more focus on systemic rather than organizational risk
     2. Eventual goal for defense to be better than offense
  19. Notional Chart of Upstream Risks
     Three Zones of Risk (?)
     Zone labels: Most Control; Limited Control; Least Control; Near; Everywhere; Distant
     Chart labels: Upstream Infrastructure (Telco/Internet, Energy, Finance); Disruptive Tech; Supply Chain; Outsourced and Contract; Counterparties and Partner; Internal Enterprise; External Shocks
     Link annotations: Tight linkages; More so over time; Causal; Upstream of all else; Info only; Cascades farther downstream
     Mitigated by
     • SLAs
     • Contracts
     • MOAs/MOUs
     • Resilience
     Mitigated by
     • Standards
     • Regulations
     • Governance
     • Resilience
     Mitigated by
     • Government actions
     • Resilience
     Over time, more business critical functions move upstream….
  20. Cyber Risk Wednesdays
     Events and social receptions are scheduled every THIRD Wednesday of every month.
     • November 20
     • December 18
     • January 15
     • February 19
     • March 19
  21. Global Aggregation of Cyber Risks: “Finding Cyber Sub-Prime”
     Cyber Risk Wednesdays