SlideShare a Scribd company logo

2016-10-21 CAS Annual Meeting Slides

Download as PPTX, PDF
M
Michael Solomon

The document provides an overview of a presentation on evolving cyber risk from a multidisciplinary perspective. It discusses emerging cyber risks like hacking of industrial control systems, medical devices, and driverless cars. It acknowledges that emerging risks are difficult to anticipate because they involve things we are unaware of or combinations of known risks in new ways. Emerging risks often have complex and opaque relationships that challenge traditional risk modeling approaches. The presentation emphasizes some cognitive and group biases that can cause emerging risks to be overlooked or underestimated. It concludes by noting the importance of considering alternative perspectives to account for the context-dependence of risk.

1 of 43
Evolving Cyber Risk- A Multidisciplinary Perspective Dr. Kathleen Locklear, MBA, D.Mgt. Michael Solomon, FCAS, MAAA, CERA
ADMINISTRATIVE ITEMS
Antitrust Notice • The Casualty Actuarial Society is committed to adhering strictly to the letter and spirit of the antitrust laws. Seminars conducted under the auspices of the CAS are designed solely to provide a forum for the expression of various points of view on topics described in the programs or agendas for such meetings. • Under no circumstances shall CAS seminars be used as a means for competing companies or firms to reach any understanding – expressed or implied – that restricts competition or in any way impairs the ability of members to exercise independent business judgment regarding matters affecting competition. • It is the responsibility of all seminar participants to be aware of antitrust regulations, to prevent any written or verbal discussions that appear to violate these laws, and to adhere in every respect to the CAS antitrust compliance policy.
Other “Housekeeping” • Information presented today reflects the opinions of the presenters and its not intended to, nor should be, imputed to any of their employers.
Introduction to Session • Learning Objectives – Understanding emerging risk in the cyber space • Deconstructing “emerging risk” • Cognitive/perceptual “ blind spots” and how those may impact decision making • Applications/implications for insurance – Capacity – SIRs/Deductibles – Rethinking emerging risk in the cyber arena
Introduction to Dr. Kathleen Locklear • Adjunct Professor at University of Maryland, University College – Dissertation: “Emerging Risk: A Systems Thinking and Complexity Approach” – Research Interests: emerging risk, systems thinking, complexity theory, risk perception • Senior Director, Global Insurance – Teva Pharmaceuticals – Worlds largest generics pharma producer; $ 19.7 B revenue (FY 2015) • RIMS Strategic Risk Management Committee Member
Introduction to Michael Solomon • FCAS, MAAA, CERA • 1st Prize, Society of Actuaries/ Casualty Actuarial Society Joint Risk Section Cybersecurity call for Essays • 1st Prize, Professionally Speaking Toastmasters public speaking competition • CAMAR Vice President • Member, Committee for P&C focused ERM Seminars • Member, CAS/ CIA/ SOA Impairment Project Oversight Group
INTRODUCTION
Some Cyber Losses
Evaluating Coverage- Current Practice and Thinking • Pricing • Terms/Conditions – SIRs/ Deductibles – Limits – Scope of Cover – Covered Events – Coverage Triggers
Emerging Risk
“We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” United States Secretary of Defense, Donald Rumsfeld Press Briefing, February 12, 2002
Category 1~ Framing the Problem • Things we don’t know… but we’re aware of it! – Emerging Risk as an “information gap” – Solutions: • Ask others • Fill in the data points, gaps
Category 2~ Framing the Problem • Things we don’t know… and we’re unaware of it! – Much more difficult – NOT merely an information gap that can be filled – Emergent nature presents specific challenges and limitations
Category 2~ A Closer Look (Things we don’t know… and we’re unaware of it!) • Emerging risk~ “A novel manifestation of risk, of a type that has not been experienced before” (Locklear, 2011) – Pure- never experienced before, at all, by anyone • example: nanotechnology, fracking, genetically modified crops – Hybrid- blends together known risk types in new ways (combinations) to produce outcomes that haven’t been experienced before • Example: Zoonotic disease + global warming = (zika?) • Example: Overstressed power grids + greater dependence on telecommunications + {X Factor} = ???
Challenges of Emerging Risk • ‘Relational Complexity’: Growing difficulty in determining relationships among causal factors, making risk more ‘opaque’ – Richardson, Cilliers & Lissack (2001) • Under these conditions, causes and effects no longer have simple, linear connections • It’s more difficult to ascertain interactions between elements • Implication: Challenges for appropriately pricing and structuring insurance where “cause” (i.e.- “trigger, for insurance) is not always apparent
Challenges of Emerging Risk • Amplification/Cascade potential: Seemingly simple root causes can trigger events which cascade through a network and are amplified to produce an extreme event – Example: August 2003 mega-power outage • Ohio, Maryland, New York, Toronto • Overstressed lines failed in Ohio after contacting overgrown tree limbs (Holbrook, 2010) • Expected outcome was a minor, local outage • Implication: Appropriate pricing for insurance, as well as capacity, are challenged when a seemingly minor event is amplified
Challenges of Emerging Risk • Emerging risk is often opaque, clouded within a complex web of causal factors, until it escalates into an extreme event – In an environment of great complexity, emerging risk may remain “hidden” (latent) – Modern structures, like the “Internet of Things” provide rich environments for this period of latency – Implication: Insurance/risk management need to use different tools • Environmental scanning can help identify early “signals of change” (Ashley & Morrison, 1997) which if overlooked, ignored or downplayed, can allow emerging risk to continue along its development trajectory
Challenges of Emerging Risk • May involve rapid and widespread deployment of new/novel technology/modalities • By the time an issue is identified, the problem is already extensive
“Classic” Example of Emerging Risk • Asbestos (“Emerged” risk) – Naturally occurring, used as far back as ancient Greece – Industrial revolution, insulator for furnaces – Subsequently used far and wide – Then problems grew apparent (1960’s) – Extensive litigation, ongoing abatement problems – Classic illustration of unexpected impact for insurers – NOTE: Hind-sight is 20/20!
Challenges of Emerging Risk • Lack of historical data OR data that is not entirely relevant – The capabilities of traditional risk management tools (quantitative, predictive) are being stretched when applied to emerging risk • Traditional modeling does not “fit” the challenges of “unknown-unknowns” • Implications: In order to optimize approaches, including insurance, “non traditional” tools may be needed – Environmental scanning, systems thinking
Our “Human” Challenges • Tendency to focus within the “comfort zone” – Risks that are well known, well understood – Lots of data available for analysis – “Pure” risks that either happen, or don’t (e.g.- fire), with no up-side potential • We tend to heavily value corroborating factual information and discount outliers, non-conforming information
More “human” challenges • Recent movie “Everest” • Roberto, M. A. (2002). Lessons from Everest: The interaction of cognitive bias, psychological safety, and system complexity. California Management Review, 45(1), 136-158.
“Human”challenges- Lessons from the movie ‘Everest’ • Commitment escalation- continuing to invest resources, commitment to a course of action that increasingly appears questionable at best (Staw, 1987) – Led climbers to ignore rules and place themselves in increasing danger • Recency bias- tendency to focus on more recent events – Hindered the judgment of the expedition leaders who had experienced good weather on Everest during the prior recent years, causing them to underestimate the severity of the storm despite historical data that showed the conditions on May 10, 1996 were anything but abnormal.
More “human” challenges • Groupthink – Defective decision making that occurs when conformity pressures of a group lead to faulty decisions, made in an effort to preserve group harmony. – Defective ‘groupthink’ decision making is characterized by the following attributes: poor information searching; selective bias in information processing; incomplete surveying of objectives and alternatives; failure to re-examine choices and rejected alternatives; and failure to develop contingency plans (Janis & Manning, 1977, p. 132). • “a disease of insufficient search for information, alternatives and modes of failure” (McCauley, 1998, p. 144)
Something to Consider: Lessons from the Black Swan (Taleb, 2007) • Extreme outlier (unpredictable) • Thought not to exist (improbable) • Outside the boundaries of “normal” expectations • It can’t be… therefore it isn’t
Futurist thinking- Emerging risk in the cyber realm
CONCEPTUALIZING EMERGING CYBER RISK • “FOOD FOR THOUGHT” • SCADA • HACKING OF MEDICAL DEVICES • HACKING OF DRIVERLESS CARS
Hacking in action- Use of smart phones • Max Cornelisse, Netherlands – hacking train schedule board – turning building lights on/off – raising/lowering drawbridge – changing digital highway road sign – Videos available on YouTube – Real, not real?
SCADA • Supervisor Control and Data Acquisition – Refers to industrial control systems (ICS) • Computer systems that monitor and control industrial, infrastructure or facility-based processes • System collects data from various sensors at factory, plant or other remote locations • Sends data to central computer that manages and controls the data
Possible SCADA Hacking Scenarios • Power outages (blackouts, across grids) • Waste water mixed with drinking water • Disruption of manufacturing lines • Transportation disruption/shut down • NOTEWORTHY – Potential for impact far away from the compromised source itself – Amplification of impact – Cascade effect
Actual SCADA Incidents • Thirteen assembly lines shut down at Daimler-Chrysler, Zotob worm, 2005 • Springfield, Illinois public water supply pump burned out after being cycled on and off repeatedly (November 2011) through an IP address in Russia
Actual SCADA Incidents • Ohio Davis-Besse nuclear power plant safety monitoring system off line for 5 hours, January 2003, Slammer worm • Brisbane hacker used radio transmissions to create raw sewage overflows on Sunshine coast (2000) • CSX Transportation computers infected by virus (August 2003) halting train traffic in Washington, D.C.
Emerging threats to critical infrastructure • A computer virus attacked a turbine control system at a U.S. power plant – A third party technician had unknowingly used an infected USB drive on the network – Plant was down for three weeks
Insulin Pump Hacking • “J&J Warns Insulin Pump Vulnerable to Cyber Hacking” – October 4, 2016, Wall Street Journal • OneTouch Ping uses unencrypted radio signal • Hacker in close proximity could use equipment to detect signal and program the device
Driverless CarTechnology • Apps to unlock doors, start cars – “Now is the transitional period, and it’s kind of ugly. They’re old- school industries. They were mechanic or electronic kinds of systems, and now they’re software-based companies—and they haven’t realized they’re software-based companies, and that’s sort of the problem.” • Craig Smith, founder of Open Garages http://www.vocativ.com/332734/driverless-car-hack/ (June 29, 2016) • DECISION ALGORYTHMS TO AVOID CRASHES – SACRIFICE DRIVER TO SAVE GROUPS OF PEOPLE
Concluding thoughts- • Some lessons from Super Storm Sandy… on a personal note
Before … Mantoloking, NJ
After …
Super Storm Sandy • Worth thinking about – Some flood zone maps haven’t been updated in over 30 years • NYC FEMA map last updated 1983 – Unintended consequences of coastal replenishment after other storms? (emerging risk) – “Only” a Cat 1 storm and not a classic “named storm”
Conclusion • “The task is not to get it right but to get it less wrong, not to disprove existing understandings but to recognize their context-dependence, not to discover what is, but to construct from conflicting understandings previously unconceived alternative understandings.” Grobstein, 2010
Concluding Q&A
Suggested Readings • Ariely, D. (2008). Predictably irrational: The hidden forces that shape our decisions. New York: Harper Collins. • Bazerman, M.H. & Watkins, M.D. (2004). Predictable Surprises: The disasters you should have seen coming and how to prevent them. Boston: Harvard Business School Press. • Friedman, T.L. (2005). The world is flat: A brief history of the twenty-first century (1st ed.). New York, NY: Farrar, Straus and Giroux. • Haeckel, S.H. (2004). Peripheral vision: Sensing and acting on weak signals- Making meaning out of apparent noise. Long Range Planning, 37(2), 181-189. • Hubbard, D.W. (2010). How to measure anything: Finding the value of intangibles. Hoboken, NJ: John H. Wiley & Sons. • Taleb, N.N. (2007). The black swan. New York, NY: Random House

Recommended

Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...
Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...
Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...Sociotechnical Roundtable
 
Ieaust -aug15_couch-complexity_-_slides_fp_2w
Ieaust -aug15_couch-complexity_-_slides_fp_2wIeaust -aug15_couch-complexity_-_slides_fp_2w
Ieaust -aug15_couch-complexity_-_slides_fp_2wGraeme Couch
 
Ryschk wow
Ryschk wowRyschk wow
Ryschk wowNASAPMC
 
AI Fables, Facts and Futures: Threat, Promise or Saviour
AI Fables, Facts and Futures: Threat, Promise or SaviourAI Fables, Facts and Futures: Threat, Promise or Saviour
AI Fables, Facts and Futures: Threat, Promise or Saviour
University of Hertfordshire
 
Brighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalBrighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - final
Andrew White
 
MapReduce
MapReduceMapReduce
MapReduceAbe Arredondo
 
Gypsy lingerie
Gypsy lingerieGypsy lingerie
Gypsy lingerie
Monica Hoell
 
Geochemical_conditions_and_environmental
Geochemical_conditions_and_environmentalGeochemical_conditions_and_environmental
Geochemical_conditions_and_environmentalMiltiadis Nimfopoulos
 

Recommended

Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...
Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...
Complex Systems Failure: Designing Reliability Teams - 2012 STS Roundtable Pr...Sociotechnical Roundtable
 
Ieaust -aug15_couch-complexity_-_slides_fp_2w
Ieaust -aug15_couch-complexity_-_slides_fp_2wIeaust -aug15_couch-complexity_-_slides_fp_2w
Ieaust -aug15_couch-complexity_-_slides_fp_2wGraeme Couch
 
Ryschk wow
Ryschk wowRyschk wow
Ryschk wowNASAPMC
 
AI Fables, Facts and Futures: Threat, Promise or Saviour
AI Fables, Facts and Futures: Threat, Promise or SaviourAI Fables, Facts and Futures: Threat, Promise or Saviour
AI Fables, Facts and Futures: Threat, Promise or Saviour
University of Hertfordshire
 
Brighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalBrighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - final
Andrew White
 
MapReduce
MapReduceMapReduce
MapReduceAbe Arredondo
 
Gypsy lingerie
Gypsy lingerieGypsy lingerie
Gypsy lingerie
Monica Hoell
 
Geochemical_conditions_and_environmental
Geochemical_conditions_and_environmentalGeochemical_conditions_and_environmental
Geochemical_conditions_and_environmentalMiltiadis Nimfopoulos
 
5033008(2)
5033008(2)5033008(2)
5033008(2)Dusth CamCham
 
Social Studies The Holy Land
Social Studies The Holy LandSocial Studies The Holy Land
Social Studies The Holy Land
westonhamilton
 
Modulo iv actividad 1 1 examen mixto
Modulo iv actividad 1 1 examen mixtoModulo iv actividad 1 1 examen mixto
Modulo iv actividad 1 1 examen mixto
Reyni Rallp
 
DHANANJAY PRATAP SINGH resume (1)
DHANANJAY PRATAP SINGH resume (1)DHANANJAY PRATAP SINGH resume (1)
DHANANJAY PRATAP SINGH resume (1)DHANANJAY PRATAP SINGH
 
Moar draws
Moar drawsMoar draws
Moar draws
FokkusuES
 
Holy Land Photos
Holy Land PhotosHoly Land Photos
Holy Land Photos
sromer
 
Alcance del proyecto
Alcance del proyectoAlcance del proyecto
Alcance del proyecto
John William Watson López
 
Modulo 3 activida 5 teoría de la evaluación cognoscitiva
Modulo 3 activida 5 teoría de la evaluación cognoscitivaModulo 3 activida 5 teoría de la evaluación cognoscitiva
Modulo 3 activida 5 teoría de la evaluación cognoscitiva
Reyni Rallp
 
Evaluación de aprendizaje
Evaluación de aprendizajeEvaluación de aprendizaje
Evaluación de aprendizaje
Omarvillagarcia
 
Clients developing_chunghwa telecom
Clients developing_chunghwa telecomClients developing_chunghwa telecom
Clients developing_chunghwa telecom
Paul Yang
 
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकरप्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
shriniwas kashalikar
 
V Suresh Kumaar's CV
V Suresh Kumaar's CVV Suresh Kumaar's CV
V Suresh Kumaar's CVVadamudulu Hyderabad)
 
Didactalia
DidactaliaDidactalia
Didactalia
pilarbedoyaorozco
 
Organizacion
OrganizacionOrganizacion
Organizacion
silvia rueda
 
Reducing Accident in OG Industry.pdf
Reducing Accident in OG Industry.pdfReducing Accident in OG Industry.pdf
Reducing Accident in OG Industry.pdf
DianValarbi
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
EnergySec
 
Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019
Aaron Rinehart
 
CCNA_Security_01.ppt
CCNA_Security_01.pptCCNA_Security_01.ppt
CCNA_Security_01.ppt
veracru1
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
EC-Council
 
SMi Group's Oil and Gas Cyber Security North America
SMi Group's Oil and Gas Cyber Security North AmericaSMi Group's Oil and Gas Cyber Security North America
SMi Group's Oil and Gas Cyber Security North America
Dale Butler
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security Differently
Aaron Rinehart
 
Scenario Methodology for Planning Future Activities
Scenario Methodology for Planning Future ActivitiesScenario Methodology for Planning Future Activities
Scenario Methodology for Planning Future Activities
Prof. David E. Alexander (UCL)
 

More Related Content

Viewers also liked

Social Studies The Holy Land
Social Studies The Holy LandSocial Studies The Holy Land
Social Studies The Holy Land
westonhamilton
 
Modulo iv actividad 1 1 examen mixto
Modulo iv actividad 1 1 examen mixtoModulo iv actividad 1 1 examen mixto
Modulo iv actividad 1 1 examen mixto
Reyni Rallp
 
Moar draws
Moar drawsMoar draws
Moar draws
FokkusuES
 
Holy Land Photos
Holy Land PhotosHoly Land Photos
Holy Land Photos
sromer
 
Alcance del proyecto
Alcance del proyectoAlcance del proyecto
Alcance del proyecto
John William Watson López
 
Modulo 3 activida 5 teoría de la evaluación cognoscitiva
Modulo 3 activida 5 teoría de la evaluación cognoscitivaModulo 3 activida 5 teoría de la evaluación cognoscitiva
Modulo 3 activida 5 teoría de la evaluación cognoscitiva
Reyni Rallp
 
Evaluación de aprendizaje
Evaluación de aprendizajeEvaluación de aprendizaje
Evaluación de aprendizaje
Omarvillagarcia
 
Clients developing_chunghwa telecom
Clients developing_chunghwa telecomClients developing_chunghwa telecom
Clients developing_chunghwa telecom
Paul Yang
 
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकरप्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
shriniwas kashalikar
 
Didactalia
DidactaliaDidactalia
Didactalia
pilarbedoyaorozco
 
Organizacion
OrganizacionOrganizacion
Organizacion
silvia rueda
 

Viewers also liked (14)

5033008(2)
5033008(2)5033008(2)
5033008(2)
 
Social Studies The Holy Land
Social Studies The Holy LandSocial Studies The Holy Land
Social Studies The Holy Land
 
Modulo iv actividad 1 1 examen mixto
Modulo iv actividad 1 1 examen mixtoModulo iv actividad 1 1 examen mixto
Modulo iv actividad 1 1 examen mixto
 
DHANANJAY PRATAP SINGH resume (1)
DHANANJAY PRATAP SINGH resume (1)DHANANJAY PRATAP SINGH resume (1)
DHANANJAY PRATAP SINGH resume (1)
 
Moar draws
Moar drawsMoar draws
Moar draws
 
Holy Land Photos
Holy Land PhotosHoly Land Photos
Holy Land Photos
 
Alcance del proyecto
Alcance del proyectoAlcance del proyecto
Alcance del proyecto
 
Modulo 3 activida 5 teoría de la evaluación cognoscitiva
Modulo 3 activida 5 teoría de la evaluación cognoscitivaModulo 3 activida 5 teoría de la evaluación cognoscitiva
Modulo 3 activida 5 teoría de la evaluación cognoscitiva
 
Evaluación de aprendizaje
Evaluación de aprendizajeEvaluación de aprendizaje
Evaluación de aprendizaje
 
Clients developing_chunghwa telecom
Clients developing_chunghwa telecomClients developing_chunghwa telecom
Clients developing_chunghwa telecom
 
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकरप्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
प्रेम आणि नामस्मरण दो. श्रीनिवास कशाळीकर
 
V Suresh Kumaar's CV
V Suresh Kumaar's CVV Suresh Kumaar's CV
V Suresh Kumaar's CV
 
Didactalia
DidactaliaDidactalia
Didactalia
 
Organizacion
OrganizacionOrganizacion
Organizacion
 

Similar to 2016-10-21 CAS Annual Meeting Slides

Reducing Accident in OG Industry.pdf
Reducing Accident in OG Industry.pdfReducing Accident in OG Industry.pdf
Reducing Accident in OG Industry.pdf
DianValarbi
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
EnergySec
 
Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019
Aaron Rinehart
 
CCNA_Security_01.ppt
CCNA_Security_01.pptCCNA_Security_01.ppt
CCNA_Security_01.ppt
veracru1
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
EC-Council
 
SMi Group's Oil and Gas Cyber Security North America
SMi Group's Oil and Gas Cyber Security North AmericaSMi Group's Oil and Gas Cyber Security North America
SMi Group's Oil and Gas Cyber Security North America
Dale Butler
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security Differently
Aaron Rinehart
 
Scenario Methodology for Planning Future Activities
Scenario Methodology for Planning Future ActivitiesScenario Methodology for Planning Future Activities
Scenario Methodology for Planning Future Activities
Prof. David E. Alexander (UCL)
 
Crowd fencing
Crowd fencingCrowd fencing
Crowd fencing
Kyoung-Sook Kim
 
Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...
Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...
Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...
NordForsk
 
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy WebinarBeyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
ITSM Academy, Inc.
 
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy WebinarBeyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Karen Skiles
 
files_maf_gorvett.ppt-managementt_risiko
files_maf_gorvett.ppt-managementt_risikofiles_maf_gorvett.ppt-managementt_risiko
files_maf_gorvett.ppt-managementt_risiko
frymelda
 
"Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning""Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning"
Ian MacVicar
 
The Future of Risk Analysis
The Future of Risk AnalysisThe Future of Risk Analysis
The Future of Risk Analysis
Eric Garland
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
laurieannwilliams
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overviewali raza
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
PECB
 
Transparency, Veillance and emotiveillance
Transparency, Veillance and emotiveillance Transparency, Veillance and emotiveillance
Transparency, Veillance and emotiveillance
Andrew_McStay
 
NASA Discovery Strategic Foresight Helping Aviation Find Problems Worth Solving
NASA Discovery Strategic Foresight Helping Aviation Find Problems Worth SolvingNASA Discovery Strategic Foresight Helping Aviation Find Problems Worth Solving
NASA Discovery Strategic Foresight Helping Aviation Find Problems Worth Solving
Dr. Pankaj Dhussa
 

Similar to 2016-10-21 CAS Annual Meeting Slides (20)

Reducing Accident in OG Industry.pdf
Reducing Accident in OG Industry.pdfReducing Accident in OG Industry.pdf
Reducing Accident in OG Industry.pdf
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019Security Differently - DevSecOps Days Austin 2019
Security Differently - DevSecOps Days Austin 2019
 
CCNA_Security_01.ppt
CCNA_Security_01.pptCCNA_Security_01.ppt
CCNA_Security_01.ppt
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
 
SMi Group's Oil and Gas Cyber Security North America
SMi Group's Oil and Gas Cyber Security North AmericaSMi Group's Oil and Gas Cyber Security North America
SMi Group's Oil and Gas Cyber Security North America
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security Differently
 
Scenario Methodology for Planning Future Activities
Scenario Methodology for Planning Future ActivitiesScenario Methodology for Planning Future Activities
Scenario Methodology for Planning Future Activities
 
Crowd fencing
Crowd fencingCrowd fencing
Crowd fencing
 
Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...
Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...
Fred størseth. new strains of society hidden, dynamic and emergent vulnerabil...
 
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy WebinarBeyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
 
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy WebinarBeyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar
 
files_maf_gorvett.ppt-managementt_risiko
files_maf_gorvett.ppt-managementt_risikofiles_maf_gorvett.ppt-managementt_risiko
files_maf_gorvett.ppt-managementt_risiko
 
"Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning""Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning"
 
The Future of Risk Analysis
The Future of Risk AnalysisThe Future of Risk Analysis
The Future of Risk Analysis
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overview
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
 
Transparency, Veillance and emotiveillance
Transparency, Veillance and emotiveillance Transparency, Veillance and emotiveillance
Transparency, Veillance and emotiveillance
 
NASA Discovery Strategic Foresight Helping Aviation Find Problems Worth Solving
NASA Discovery Strategic Foresight Helping Aviation Find Problems Worth SolvingNASA Discovery Strategic Foresight Helping Aviation Find Problems Worth Solving
NASA Discovery Strategic Foresight Helping Aviation Find Problems Worth Solving
 

2016-10-21 CAS Annual Meeting Slides

  • 1. Evolving Cyber Risk- A Multidisciplinary Perspective Dr. Kathleen Locklear, MBA, D.Mgt. Michael Solomon, FCAS, MAAA, CERA
  • 3. Antitrust Notice • The Casualty Actuarial Society is committed to adhering strictly to the letter and spirit of the antitrust laws. Seminars conducted under the auspices of the CAS are designed solely to provide a forum for the expression of various points of view on topics described in the programs or agendas for such meetings. • Under no circumstances shall CAS seminars be used as a means for competing companies or firms to reach any understanding – expressed or implied – that restricts competition or in any way impairs the ability of members to exercise independent business judgment regarding matters affecting competition. • It is the responsibility of all seminar participants to be aware of antitrust regulations, to prevent any written or verbal discussions that appear to violate these laws, and to adhere in every respect to the CAS antitrust compliance policy.
  • 4. Other “Housekeeping” • Information presented today reflects the opinions of the presenters and its not intended to, nor should be, imputed to any of their employers.
  • 5. Introduction to Session • Learning Objectives – Understanding emerging risk in the cyber space • Deconstructing “emerging risk” • Cognitive/perceptual “ blind spots” and how those may impact decision making • Applications/implications for insurance – Capacity – SIRs/Deductibles – Rethinking emerging risk in the cyber arena
  • 6. Introduction to Dr. Kathleen Locklear • Adjunct Professor at University of Maryland, University College – Dissertation: “Emerging Risk: A Systems Thinking and Complexity Approach” – Research Interests: emerging risk, systems thinking, complexity theory, risk perception • Senior Director, Global Insurance – Teva Pharmaceuticals – Worlds largest generics pharma producer; $ 19.7 B revenue (FY 2015) • RIMS Strategic Risk Management Committee Member
  • 7. Introduction to Michael Solomon • FCAS, MAAA, CERA • 1st Prize, Society of Actuaries/ Casualty Actuarial Society Joint Risk Section Cybersecurity call for Essays • 1st Prize, Professionally Speaking Toastmasters public speaking competition • CAMAR Vice President • Member, Committee for P&C focused ERM Seminars • Member, CAS/ CIA/ SOA Impairment Project Oversight Group
  • 10. Evaluating Coverage- Current Practice and Thinking • Pricing • Terms/Conditions – SIRs/ Deductibles – Limits – Scope of Cover – Covered Events – Coverage Triggers
  • 12. “We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” United States Secretary of Defense, Donald Rumsfeld Press Briefing, February 12, 2002
  • 13. Category 1~ Framing the Problem • Things we don’t know… but we’re aware of it! – Emerging Risk as an “information gap” – Solutions: • Ask others • Fill in the data points, gaps
  • 14. Category 2~ Framing the Problem • Things we don’t know… and we’re unaware of it! – Much more difficult – NOT merely an information gap that can be filled – Emergent nature presents specific challenges and limitations
  • 15. Category 2~ A Closer Look (Things we don’t know… and we’re unaware of it!) • Emerging risk~ “A novel manifestation of risk, of a type that has not been experienced before” (Locklear, 2011) – Pure- never experienced before, at all, by anyone • example: nanotechnology, fracking, genetically modified crops – Hybrid- blends together known risk types in new ways (combinations) to produce outcomes that haven’t been experienced before • Example: Zoonotic disease + global warming = (zika?) • Example: Overstressed power grids + greater dependence on telecommunications + {X Factor} = ???
  • 16. Challenges of Emerging Risk • ‘Relational Complexity’: Growing difficulty in determining relationships among causal factors, making risk more ‘opaque’ – Richardson, Cilliers & Lissack (2001) • Under these conditions, causes and effects no longer have simple, linear connections • It’s more difficult to ascertain interactions between elements • Implication: Challenges for appropriately pricing and structuring insurance where “cause” (i.e.- “trigger, for insurance) is not always apparent
  • 17. Challenges of Emerging Risk • Amplification/Cascade potential: Seemingly simple root causes can trigger events which cascade through a network and are amplified to produce an extreme event – Example: August 2003 mega-power outage • Ohio, Maryland, New York, Toronto • Overstressed lines failed in Ohio after contacting overgrown tree limbs (Holbrook, 2010) • Expected outcome was a minor, local outage • Implication: Appropriate pricing for insurance, as well as capacity, are challenged when a seemingly minor event is amplified
  • 18. Challenges of Emerging Risk • Emerging risk is often opaque, clouded within a complex web of causal factors, until it escalates into an extreme event – In an environment of great complexity, emerging risk may remain “hidden” (latent) – Modern structures, like the “Internet of Things” provide rich environments for this period of latency – Implication: Insurance/risk management need to use different tools • Environmental scanning can help identify early “signals of change” (Ashley & Morrison, 1997) which if overlooked, ignored or downplayed, can allow emerging risk to continue along its development trajectory
  • 19. Challenges of Emerging Risk • May involve rapid and widespread deployment of new/novel technology/modalities • By the time an issue is identified, the problem is already extensive
  • 20. “Classic” Example of Emerging Risk • Asbestos (“Emerged” risk) – Naturally occurring, used as far back as ancient Greece – Industrial revolution, insulator for furnaces – Subsequently used far and wide – Then problems grew apparent (1960’s) – Extensive litigation, ongoing abatement problems – Classic illustration of unexpected impact for insurers – NOTE: Hind-sight is 20/20!
  • 21. Challenges of Emerging Risk • Lack of historical data OR data that is not entirely relevant – The capabilities of traditional risk management tools (quantitative, predictive) are being stretched when applied to emerging risk • Traditional modeling does not “fit” the challenges of “unknown-unknowns” • Implications: In order to optimize approaches, including insurance, “non traditional” tools may be needed – Environmental scanning, systems thinking
  • 22. Our “Human” Challenges • Tendency to focus within the “comfort zone” – Risks that are well known, well understood – Lots of data available for analysis – “Pure” risks that either happen, or don’t (e.g.- fire), with no up-side potential • We tend to heavily value corroborating factual information and discount outliers, non-conforming information
  • 23. More “human” challenges • Recent movie “Everest” • Roberto, M. A. (2002). Lessons from Everest: The interaction of cognitive bias, psychological safety, and system complexity. California Management Review, 45(1), 136-158.
  • 24. “Human”challenges- Lessons from the movie ‘Everest’ • Commitment escalation- continuing to invest resources, commitment to a course of action that increasingly appears questionable at best (Staw, 1987) – Led climbers to ignore rules and place themselves in increasing danger • Recency bias- tendency to focus on more recent events – Hindered the judgment of the expedition leaders who had experienced good weather on Everest during the prior recent years, causing them to underestimate the severity of the storm despite historical data that showed the conditions on May 10, 1996 were anything but abnormal.
  • 25. More “human” challenges • Groupthink – Defective decision making that occurs when conformity pressures of a group lead to faulty decisions, made in an effort to preserve group harmony. – Defective ‘groupthink’ decision making is characterized by the following attributes: poor information searching; selective bias in information processing; incomplete surveying of objectives and alternatives; failure to re-examine choices and rejected alternatives; and failure to develop contingency plans (Janis & Manning, 1977, p. 132). • “a disease of insufficient search for information, alternatives and modes of failure” (McCauley, 1998, p. 144)
  • 26. Something to Consider: Lessons from the Black Swan (Taleb, 2007) • Extreme outlier (unpredictable) • Thought not to exist (improbable) • Outside the boundaries of “normal” expectations • It can’t be… therefore it isn’t
  • 27. Futurist thinking- Emerging risk in the cyber realm
  • 28. CONCEPTUALIZING EMERGING CYBER RISK • “FOOD FOR THOUGHT” • SCADA • HACKING OF MEDICAL DEVICES • HACKING OF DRIVERLESS CARS
  • 29. Hacking in action- Use of smart phones • Max Cornelisse, Netherlands – hacking train schedule board – turning building lights on/off – raising/lowering drawbridge – changing digital highway road sign – Videos available on YouTube – Real, not real?
  • 30. SCADA • Supervisor Control and Data Acquisition – Refers to industrial control systems (ICS) • Computer systems that monitor and control industrial, infrastructure or facility-based processes • System collects data from various sensors at factory, plant or other remote locations • Sends data to central computer that manages and controls the data
  • 31. Possible SCADA Hacking Scenarios • Power outages (blackouts, across grids) • Waste water mixed with drinking water • Disruption of manufacturing lines • Transportation disruption/shut down • NOTEWORTHY – Potential for impact far away from the compromised source itself – Amplification of impact – Cascade effect
  • 32. Actual SCADA Incidents • Thirteen assembly lines shut down at Daimler-Chrysler, Zotob worm, 2005 • Springfield, Illinois public water supply pump burned out after being cycled on and off repeatedly (November 2011) through an IP address in Russia
  • 33. Actual SCADA Incidents • Ohio Davis-Besse nuclear power plant safety monitoring system off line for 5 hours, January 2003, Slammer worm • Brisbane hacker used radio transmissions to create raw sewage overflows on Sunshine coast (2000) • CSX Transportation computers infected by virus (August 2003) halting train traffic in Washington, D.C.
  • 34. Emerging threats to critical infrastructure • A computer virus attacked a turbine control system at a U.S. power plant – A third party technician had unknowingly used an infected USB drive on the network – Plant was down for three weeks
  • 35. Insulin Pump Hacking • “J&J Warns Insulin Pump Vulnerable to Cyber Hacking” – October 4, 2016, Wall Street Journal • OneTouch Ping uses unencrypted radio signal • Hacker in close proximity could use equipment to detect signal and program the device
  • 36. Driverless CarTechnology • Apps to unlock doors, start cars – “Now is the transitional period, and it’s kind of ugly. They’re old- school industries. They were mechanic or electronic kinds of systems, and now they’re software-based companies—and they haven’t realized they’re software-based companies, and that’s sort of the problem.” • Craig Smith, founder of Open Garages http://www.vocativ.com/332734/driverless-car-hack/ (June 29, 2016) • DECISION ALGORYTHMS TO AVOID CRASHES – SACRIFICE DRIVER TO SAVE GROUPS OF PEOPLE
  • 37. Concluding thoughts- • Some lessons from Super Storm Sandy… on a personal note
  • 40. Super Storm Sandy • Worth thinking about – Some flood zone maps haven’t been updated in over 30 years • NYC FEMA map last updated 1983 – Unintended consequences of coastal replenishment after other storms? (emerging risk) – “Only” a Cat 1 storm and not a classic “named storm”
  • 41. Conclusion • “The task is not to get it right but to get it less wrong, not to disprove existing understandings but to recognize their context-dependence, not to discover what is, but to construct from conflicting understandings previously unconceived alternative understandings.” Grobstein, 2010
  • 43. Suggested Readings • Ariely, D. (2008). Predictably irrational: The hidden forces that shape our decisions. New York: Harper Collins. • Bazerman, M.H. & Watkins, M.D. (2004). Predictable Surprises: The disasters you should have seen coming and how to prevent them. Boston: Harvard Business School Press. • Friedman, T.L. (2005). The world is flat: A brief history of the twenty-first century (1st ed.). New York, NY: Farrar, Straus and Giroux. • Haeckel, S.H. (2004). Peripheral vision: Sensing and acting on weak signals- Making meaning out of apparent noise. Long Range Planning, 37(2), 181-189. • Hubbard, D.W. (2010). How to measure anything: Finding the value of intangibles. Hoboken, NJ: John H. Wiley & Sons. • Taleb, N.N. (2007). The black swan. New York, NY: Random House