metrics - All Articles - CISO Platform
Updated: 2024-03-29T13:28:57Z
https://www.cisoplatform.com/profiles/blogs/feed/tag/metrics

Cybersecurity Insurance is Missing the Risk
https://www.cisoplatform.com/profiles/blogs/cybersecurity-insurance-is-missing-the-risk
Published: 2023-11-25T01:51:09.000Z
Matthew Rosenquist (https://www.cisoplatform.com/members/MatthewRosenquist)
<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12300627891?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">First published by <a class="markup--anchor markup--p-anchor" href="https://www.helpnetsecurity.com/2023/08/25/cyber-insurance-industry" target="_blank">HelpNetSecurity</a> — Matthew Rosenquist</p><p class="graf graf--p">Cybersecurity insurance is a rapidly growing market, swelling from approximately $13B in 2022 to an estimated $84B in 2030 (26% CAGR), but insurers are struggling to quantify the risks of offering this type of insurance.</p><p class="graf graf--p">Traditional actuarial models do not apply well to an environment where highly motivated, creative, and intelligent attackers are dynamically pursuing actions that cause insurable events. Accurate estimation of losses is key to determining customer premiums. But even after two decades, there is a wide range of loss ratios between insurers (-0.5% to 130.6%). The underwriting processes are not robust enough to properly estimate losses and price reasonable premiums accurately.</p><h3 class="graf graf--h3">Why is the insurance industry struggling with this?</h3><p class="graf graf--p">The problem is the nature of the threat. Cyber attackers escalate and adapt quickly, which undermines the history-based models that insurance companies rely on. 
Attackers continually change how they identify victims, inflict ever-greater losses, and move quickly into new areas of impact.</p><p class="graf graf--p">Denial of service attacks were once popular but were superseded by data breaches, which cause much more damage. More recently, attackers expanded their repertoire to include ransomware-style attacks that pushed insurable losses higher still.</p><p class="graf graf--p">Predicting the cornerstone metrics for actuarial modelers — the Annual Loss Expectancy and Annual Rate of Occurrence — with a high degree of accuracy is beyond the current capabilities of insurers. The industry currently assesses the cybersecurity posture of new clients to determine whether they are insurable, what should be included in or excluded from policies, and how to calculate premiums. The current process weighs controls against best practices or peers to estimate the security posture of a policyholder.</p><p class="graf graf--p">However, these rudimentary practices are not delivering the necessary level of predictive accuracy.</p><p class="graf graf--p">The loss ratio for insurance firms has been volatile, in a world where getting the analysis wrong can be catastrophic. Variance and unpredictability make insurers nervous. At most, they want a 70% loss ratio to cover their payouts and expenses, and according to the National Association of Insurance Commissioners Report on the Cyber Insurance Market in 2021, nearly half of the top 20 insurers, representing 83% of the market, failed to achieve the desired loss ratio.</p><p class="graf graf--p">In response to failures to predict claims, insurers have been raising premiums to cover the risk gap. In Q4 2021 premium renewals were up a staggering 34%. 
In Q4 2022 premiums rose an additional 15%.</p><p class="graf graf--p">There are concerns that many customers will be priced out of the cyber insurance market and left without a means of transferring risk. To their own detriment, insurers may make their products so expensive that they undermine the tremendous market-growth opportunity. Additionally, upper limits on insurability and various exception clauses are being instituted, which diminish the overall value proposition for customers.</p><h3 class="graf graf--h3">The next generation of cyber insurance</h3><p class="graf graf--p">What is needed are better tools to predict cyber-attacks and estimate losses. The current army of insurance actuaries has not delivered, but there is hope. It comes from the cyber risk community, which looks to manage these ambiguous and chaotic risks by avoiding and minimizing losses.</p><p class="graf graf--p">These cybersecurity experts are motivated to optimize limited resources to prevent or quickly undermine attacks. As part of that continuous exercise, there are opportunities to apply their best practices to the insurance model: identify the most relevant aspects of defensive posture (technology, behaviors, and processes), understand the relevant threat actors (targets, capabilities, and methods), and determine the residual risks.</p><p class="graf graf--p">The goal would be to develop a unified standard for qualifying for cyber insurance that adapts to the rapid changes in the cyber landscape. More accurate methodologies will improve assessments, reduce insurers’ ambiguity, and let them price their offerings competitively.</p><p class="graf graf--p">In the future, such calculations will be continuous and will show how a company benefits by managing security in alignment with shifting threats. 
This should bring down overall premium costs.</p><p class="graf graf--p">The next generation of cyber insurance will rise on the foundations of new risk analysis methodologies that are more accurate and sustain the mutual benefits offered by the insurance industry.</p></div>

Striking the Balance: Effective Cybersecurity Visualization for Informed Decision-Making
https://www.cisoplatform.com/profiles/blogs/striking-the-balance-effective-cybersecurity-visualization-for-in
Published: 2023-10-20T00:59:43.000Z
Matthew Rosenquist (https://www.cisoplatform.com/members/MatthewRosenquist)
<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12260318298?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">In the complex and ambiguous realm of cybersecurity, the power of visualization tools cannot be overstated. When employed judiciously, they serve as invaluable assets, presenting crucial data in a readily comprehensible manner. Conversely, when inundated with superfluous information, these tools become distractions that obscure the very insights they aim to illuminate. In this landscape, aesthetics must never overshadow utility, and the focus must remain on what truly matters.</p><p class="graf graf--p">The underlying purpose of metrics and visualizations is the transformation of raw data into actionable information through astute analysis. The value of such information lies in its ability to drive decisions, even if the decision’s outcome is non-action. Any metric or visualization that fails to facilitate decision-making is, by definition, frivolous — an unproductive diversion that squanders valuable time.</p><p class="graf graf--p">Consider, for a moment, the stark, bare, and very industrial interiors of warships — a deliberate design choice. Such environments are purposefully devoid of distractions and embellishments, fostering an unwavering focus on the mission at hand, especially during moments of crisis. 
This approach, applied to cybersecurity visualizations, conveys only essential information and omits extraneous elements that could mask critical issues or distract operators from their core objectives.</p><p class="graf graf--p">Regrettably, vendors often opt for entertainment over substance. One of the worst and most widespread offenses is the global attack map. These mesmerizing displays show a map of the globe, usually with streaks or lines representing near-real-time attacks traversing geographic regions. They captivate onlookers and are popular in the lobbies of security service companies as well as in their products. However, they serve no practical purpose and offer no actionable insights. When a cybersecurity analyst sees a sudden surge of malicious packets emanating from a neighboring country, it won’t evoke any meaningful action; the notion of shutting down border connections or blocking vast ranges of IP addresses is absurd. Such visualizations, while perhaps impressive, are designed for marketing rather than operational utility. At the least, they trivialize significant matters; at worst, they distract operators from activities that would initiate a specific response.</p><p class="graf graf--p">In contrast, a visualization that draws attention to a system that is actively being exploited, so an operator can isolate it from other assets and begin remediation, is far more useful, but less likely to impress onlookers.</p><p class="graf graf--p">The true potential of visualization in cybersecurity lies in its alignment with the needs of expert practitioners. They require a rapid synthesis of data, presented in a way that is easy on the eyes and directs a laser focus on the issues in need of urgent attention. 
Achieving the optimal balance requires a strategic approach: begin with a clear understanding of the operators’ tactical objectives and work backward to determine the most effective visualization methods. In this manner, we can ensure that our cybersecurity visualization tools serve as potent aids, enhancing our ability to make timely and informed decisions to safeguard critical systems in an increasingly complex digital landscape.</p></div>

Cybersecurity Vault Podcast - A Deep Dive into Cyber Risk with Wade Baker
https://www.cisoplatform.com/profiles/blogs/cybersecurity-vault-podcast-a-deep-dive-into-cyber-risk-with-wade
Published: 2023-06-21T22:20:02.000Z
Matthew Rosenquist (https://www.cisoplatform.com/members/MatthewRosenquist)
<div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/iEYrdLkbgS0" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p>In this Cybersecurity Vault episode, I talk with the legendary cybersecurity metrics maestro Wade Baker about the challenges of measuring what is important, manipulation through poor metrics, and where the cybersecurity industry is heading.</p><p>Wade has been a thought leader in wrangling cybersecurity data for decades; he is the co-founder of Cyentia Institute, a professor at Virginia Tech, and a board member of the FAIR Institute and RSA Conference. 
</p><p>Connect to Wade on LinkedIn: <a href="https://www.linkedin.com/in/drwadebaker/">https://www.linkedin.com/in/drwadebaker/</a></p><p>Follow Matthew on LinkedIn: <a href="https://www.linkedin.com/in/matthewrosenquist/">https://www.linkedin.com/in/matthewrosenquist/</a></p><p>Watch all The Cybersecurity Vault episodes: <a href="https://www.youtube.com/@thecybersecurityvault">https://www.youtube.com/@thecybersecurityvault</a></p><p>Thanks to our sponsor Eclipz</p></div>

Video - Cybersecurity Value and Metrics with Gavin Grounds
https://www.cisoplatform.com/profiles/blogs/video-cybersecurity-value-and-metrics-with-gavin-grounds
Published: 2021-10-27T17:41:18.000Z
Matthew Rosenquist (https://www.cisoplatform.com/members/MatthewRosenquist)
<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9741846254?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/YXM8_kOcDPE" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">Measuring the true value of cybersecurity with Gavin Grounds, Executive Director of Information Risk Management and Cybersecurity Strategy at Verizon. 
Listen as we explore the benefits of security metrics that effectively quantify risk and how best to manage them.</p><p class="graf graf--p">This is the first in a two-part series from The Cybersecurity Vault channel (<a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/channel/UCwyi1gfiJ-MNbNIOuqQx59w" target="_blank">https://www.youtube.com/channel/UCwyi1gfiJ-MNbNIOuqQx59w</a>)</p></div>

Security Metrics and Dashboard for CEO
https://www.cisoplatform.com/profiles/blogs/security-metrics-and-dashboard-for-the-ceo-board
Published: 2015-12-02T15:30:00.000Z
23j0c848tmyvu (https://www.cisoplatform.com/members/23j0c848tmyvu)
<div><p><span>It is very important to properly define the right information security metrics for an organization, both to estimate its security posture and to communicate it efficiently to Board-level executives. There is growing interest from the Board and the CEO in understanding the information security posture of the company. Many of the CISOs I know have been asked by the Board or the CEO to present. I also notice a huge disconnect between what security professionals think the Board wants and the reality. 
From my experience as a security professional as well as a Board member (I need to manage my investors), I am attempting to structure my experience.</span></p><h2>Key Considerations while presenting to the Board</h2><ul><li><strong style="font-size:12pt;">Less is more. The Board doesn't want the technical details.<br /> <br /></strong> We might want to fill the presentation with a lot of information security metrics and data, but the Board wants only the most critical ones, which they can understand and relate to. For example, they might not be interested in patching status or the number of incidents you handled.</li><li><strong style="font-size:12pt;">The Board speaks a different language<br /> <br /></strong> Understanding the language of the Board is very important. Use technical jargon as sparingly as possible. Change your language and examples to something a non-security audience can easily relate to. One way to handle this is to link your information security metrics to the most business-critical systems.<br /> <br /> For example: instead of providing only information security metrics, link the story to what matters to the Board. If collecting revenue is central to your sustainability, then the "<strong>billing system</strong>" gets attention.</li><li><strong style="font-size:12pt;">The Board is worried about how good the security is... minus the technicalities<br /> <br /></strong> That's a hard question to answer: security cannot be measured in absolute terms. However, you have to explain it in a simple way. Define your information security metrics to demonstrate your organization's security. 
You also need to give assurance of how ready you are to handle any critical incident.</li></ul><ul><li><strong><span class="font-size-3">Be cautious: verify your assumptions<br /> <br /></span></strong> We often assume that the Board is interested in certain things; this may not be true for critical information security metrics. Most of the time people guess wrong. It is fine to assume, but definitely verify and take feedback.</li></ul><h2>List of To-Do before the Board Meeting</h2><ul><li>Understanding what the Board wants helps you define the required information security metrics</li><li>Understand the level of understanding of each individual on the Board</li><li>Align your security strategy and information security metrics to the business goals</li><li>Use real-life examples and stories that are contextually similar to your business</li><li>Represent numbers and other complex material graphically, to give an idea of the trend</li><li>Be prepared with a synopsis of the key security projects running and the most vital ones needing approval</li><li>Be prepared with your security strategy in simple numbers, e.g. if scenario 1 happens, loss = $5 million</li><li>References to statistics and competing organizations are helpful</li></ul><h2>Recommended Board Level Information Security Metrics / Dashboard (Less is more)</h2><div><ul><li><strong>State of security in comparison with competition</strong></li></ul><p>Management generally uses a competitive matrix in business planning exercises. 
Giving them a clear picture of how your security compares to peers speaks the language the Board/CEO is more comfortable with.</p><ul><li><strong>Open business-critical risks</strong></li></ul><p>Letting management know which critical risks could directly impact the business is extremely important, not just for them but also for you. A word of caution: this should not be a long list of technical details but a high-level view of only those things that are business critical.</p><ul><li><strong>Number of critical incidents reported to media/regulatory agencies</strong></li></ul><p>Please do not deluge the CEO/Board with all the incidents you have detected. This may make a first-time impression, but in the long run what matters is the incidents that had to be reported to a regulatory agency or the media. This number should ideally be zero.</p><ul><li><strong>Loss/downtime due to security incidents</strong></li></ul><p>How much did the business lose due to security incidents? Was there any downtime? These are the business metrics that the Board/CEO really cares about.</p><ul><li><strong>Compliance status</strong></li></ul><p>If compliance is critical for your business then it is important to report its status. Are there any critical risks or exposures due to non-compliance? If so, to what extent?</p><ul><li><strong>Budget</strong></li></ul><p>It is important to give a high-level idea of the money you spent, what you delivered, and how much more money you need and why. It should be simple and in non-technical language. 
</p><ul><li><strong>Key security initiative performance status</strong></li></ul><p>There may be some key security initiatives that you want management to know about. It should not be all the projects you are running, but the biggest and most important ones that the business cares about. Report their status: are you on time and on budget? Are there any key risks?</p></div></div>

11 Ways To Measure The Effectiveness Of Your Identity & Access Management (IAM) Solution
https://www.cisoplatform.com/profiles/blogs/11-measure-effectiveness-identity-access-management-solution
Published: 2016-02-12T11:30:00.000Z
pritha (https://www.cisoplatform.com/members/pritha)
<div><p>Identity Access Management (IAM) is a set of business policies, frameworks and processes which ensures that the right person has access to the right assets and resources. IAM solutions can deliver intangible benefits that increase revenue and tangible benefits that reduce cost.</p>
<p>Here are <strong>11 Ways To Measure The Effectiveness of your Identity Access Management (IAM)</strong> solution:</p>
<ul>
<li><strong>Average number of distinct accounts (credentials) per user:</strong> <br /> An organisation generally has multiple accounts per user. Identity Access Management (IAM) solutions can help organisations bring this number close to one through their <strong>SSO (Single Sign-On) functionality</strong>.</li>
<li><strong>Number of unused accounts:</strong><br /> An IAM solution can also help in <strong>reducing the number of unused/uncorrelated accounts</strong>. Uncorrelated accounts are accounts that have no owner; they come into the picture because of promotions, transfers, and terminations of workforce. These uncorrelated accounts create risk for the company if hijacked by outsiders.</li>
<li><strong>Number of orphaned accounts:</strong> <br /> These are privileged accounts without an owner. For an effective IAM solution, this metric should come down.</li>
<li><strong>Number of new accounts provisioned:</strong> <br /> The number of new accounts provisioned should equal the number of new joiners. A significant difference between these two numbers indicates that your IAM solution is not producing correct identity data.</li>
<li><strong>Number of exceptions per access re-certification cycle:</strong> <br /> An exception is a user being assigned rights he/she should not have been given. A high number of exceptions can be due to poor identity data or an access-process problem (the persons requesting re-certification do not have all the information required).</li>
<li><strong>Password policy effectiveness:</strong> <br /> To measure the effectiveness of your IAM solution you can check the password reset data for a period, say one month. With an effective IAM solution this volume should trend down. If it does not, there may be issues with the password policies and their management in your organisation.</li>
<li><strong>Average time to provision and de-provision a user:</strong><br /> For an effective IAM solution, this metric should come down. Most of the time, if someone is not getting timely access, backend processes are responsible. This is an indication that you should work on your business processes.</li>
<li><strong>Average time to provide an authorization:</strong> <br /> For an effective IAM solution, this metric should come down. It provides insight into the efficiency of an organization's approval processes; knowing the time taken helps resolve bottlenecks and improve outdated processes.</li>
<li><strong>Average time to make changes in identity policies:</strong><br /> For an effective IAM solution, this metric should come down, as IAM solutions <strong>can aid centralization of policies</strong>. Changes are therefore faster than with traditional ways, and organisation-wide changes can be made easily.</li>
<li><strong>Violation of separation of duties:</strong><br /> For an effective IAM solution, this metric should come down. The organization should implement preventive controls to monitor these violations, report them and orchestrate their remediation.</li>
<li><strong>Reduced identity management cost:</strong><br /> With an effective IAM solution, the cost of managing a large identity store should come down. An effective IAM solution provides the capability to expand the organization’s people and IT resources without increasing IT staff.</li>
</ul>
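The list above names the metrics but not how to derive them from identity data. The following Python script is an added example (not part of the original article or any IAM product) that computes several of them from a constructed HR roster and account inventory: accounts per active user, unused and uncorrelated accounts, orphaned privileged accounts, the provisioning gap for new joiners, and separation-of-duties violations. The employee records, account records and the toxic role pair are all hypothetical sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Employee:
    employee_id: str
    start: date
    end: Optional[date]          # None while still employed

@dataclass(frozen=True)
class Account:
    account_id: str
    owner: Optional[str]         # HR employee id; None when nobody is recorded as owner
    privileged: bool
    roles: FrozenSet[str]
    created: date
    last_login: Optional[date]   # None if the account has never been used

# Constructed sample data (hypothetical HR roster and account inventory, not real records).
AS_OF = date(2016, 3, 31)
QUARTER_START = date(2016, 1, 1)
EMPLOYEES = [
    Employee("E1", date(2015, 3, 1), None),
    Employee("E2", date(2016, 1, 15), None),               # joiner this quarter, has an account
    Employee("E3", date(2016, 2, 1), None),                # joiner this quarter, never provisioned
    Employee("E4", date(2012, 6, 1), date(2015, 12, 31)),  # terminated last year
]
ACCOUNTS = [
    Account("a1", "E1", False, frozenset({"ap_create"}),  date(2015, 3, 1),  date(2016, 2, 10)),
    Account("a2", "E1", False, frozenset({"ap_approve"}), date(2015, 3, 2),  date(2016, 2, 10)),
    Account("a3", "E1", False, frozenset(),               date(2015, 3, 3),  date(2016, 3, 1)),
    Account("a4", "E2", False, frozenset(),               date(2016, 1, 16), date(2016, 2, 9)),
    Account("a5", "E4", True,  frozenset(),               date(2012, 6, 1),  date(2015, 12, 20)),
    Account("a6", None, False, frozenset(),               date(2014, 1, 1),  None),
]
TOXIC_ROLE_PAIRS = [("ap_create", "ap_approve")]  # SoD rule: never both create and approve payments

def active_employees(employees, as_of):
    """Employee ids whose employment record covers the as_of date."""
    return {e.employee_id for e in employees
            if e.start <= as_of and (e.end is None or e.end >= as_of)}

def avg_accounts_per_user(accounts, employees, as_of):
    """Metric 1: distinct accounts held per active user; SSO should push this towards 1."""
    active = active_employees(employees, as_of)
    owned = [a for a in accounts if a.owner in active]
    return len(owned) / len(active) if active else 0.0

def unused_accounts(accounts, as_of, idle_days=90):
    """Metric 2: accounts never used, or idle for longer than idle_days."""
    cutoff = as_of - timedelta(days=idle_days)
    return sorted(a.account_id for a in accounts
                  if a.last_login is None or a.last_login < cutoff)

def uncorrelated_accounts(accounts, employees):
    """Metric 2 (cont.): accounts whose owner is unknown to HR or not recorded at all."""
    known = {e.employee_id for e in employees}
    return sorted(a.account_id for a in accounts if a.owner not in known)

def orphaned_privileged_accounts(accounts, employees, as_of):
    """Metric 3: privileged accounts whose owner is not an active employee."""
    active = active_employees(employees, as_of)
    return sorted(a.account_id for a in accounts if a.privileged and a.owner not in active)

def provisioning_gap(accounts, employees, start, end):
    """Metric 4: joiners in the period vs. joiners who actually received an account."""
    joiners = {e.employee_id for e in employees if start <= e.start <= end}
    provisioned = {a.owner for a in accounts if start <= a.created <= end and a.owner in joiners}
    return len(joiners), len(provisioned), sorted(joiners - provisioned)

def sod_violations(accounts, toxic_pairs):
    """Metric 10: owners holding both halves of a toxic role pair across any of their accounts."""
    roles_by_owner = defaultdict(set)
    for a in accounts:
        if a.owner is not None:
            roles_by_owner[a.owner] |= a.roles
    return sorted(o for o, r in roles_by_owner.items() if any({x, y} <= r for x, y in toxic_pairs))
```

Each function returns one number or one short list, which is the level of detail the dashboard discussion above recommends; the account ids behind each figure are what the IAM team works from, not what the Board sees.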
</div>

Cybersecurity Value is About Protecting Intangible Assets
https://www.cisoplatform.com/profiles/blogs/cybersecurity-value-is-about-protecting-intangible-assets
Published: 2021-01-14T19:44:10.000Z
Matthew Rosenquist (https://www.cisoplatform.com/members/MatthewRosenquist)
<div><p><iframe width="560" height="315" src="https://www.youtube.com/embed/WyLl3d5sTiU?wmode=opaque" frameborder="0" allowfullscreen=""></iframe></p><p>Intangibles now account for 90% of the S&P’s total assets, and it is no accident that the core of cybersecurity has evolved to protect those aspects of the business. It is a natural progression for security to align with protecting the most important assets. This is a crucial element when communicating the value and relevance of security to audiences.</p></div>