In this post we set out a process for assessing risk that is simple and transparent. We use the scenario of a ransomware attack on an insurance firm to assess the impact in terms of direct costs, lost productivity and future revenues. The scenario is based on work done by the Institute of Actuaries cyber working group1, however rather than presenting a single point estimate we seek to test assumptions and identify the range of possible impacts.
The approach is designed for situations of significant uncertainty where a lack of data means relying on the judgement of subject matter experts. It is designed to elicit estimates from non-risk specialists in a manner that allows them to be comfortable with the subjective estimates they provide. It is crude in that it assumes all outcomes are equally likely (uniform distribution) and it takes the pessimistic stance that if things can go wrong they will, and will likely do so at the same time.
Some will view these design elements as limiting however at this first-pass stage we should be in favour of simple, timely, transparent models for initial insight and decision-making. This is the first step in an iterative process – a simple view of the ‘big picture’ – where explicit consideration is paid to assumptions and uncertainty ahead of confidence and precision.
Scenario
A life insurer is subject to a ransomware attack following a successful targeted spear-phishing campaign by hackers.
The insurer has gross written premiums of £3bn, and an annual profit of £300m. A group of hackers carry out a coordinated series of attacks against the insurance companies via a sophisticated and tailored spear-phishing campaign. Upon launching the attack, operating systems become unavailable; critical systems and services are inaccessible and data is encrypted. In effect all operations grind to a halt. Despite paying the ransom demand all data remains encrypted and a huge data recreation, malware decontamination and IT systems restoration effort is needed. As the insurer is in the middle of the IT transformation project, the restoration work is far more complex.
1 https://www.actuaries.org.uk/documents/cyber-operational-risk-scenarios-insurance-companies pages 20 – 25
Impact
The incident has a major impact on the firm’s business through interruption and increased cost of working. Many customers are not able to access their online accounts let alone conduct any transactions, and the firm suffers a significant drop in sales and productivity, a marked increase in policy lapses as well as regulator scrutiny. With major national and international news events competing for airtime the media attention is not as intense as it has been with organisations in similar positions.
Structure the approach
UK regulators recently published a discussion paper on operational resilience which states firms and institutions have to test their ability to stay within their impact tolerances in plausible but severe scenarios. This means identifying scenarios where the worst-case events and impacts can occur.
Step 1: Parameters
The first step in producing a quantified assessment is to identify the basic parameters and uncertainties to be modeled, such as the duration of events, value of lost productivity and sales, regulatory fines and remediation.
Parameters can be either basic or composite and the spirit of the approach is not to introduce complications which don’t have a clear benefit; start with effective, simple analysis then elaborate in useful directions as understanding develops. Additional complexity should be introduced only if it is useful.
Assumptions about the base values used in estimates may need to be tested since these can significantly impact the outcome of assessment.
Step 2: Uncertainty factors
The incident has a major impact on the firm’s business through interruption and increased cost of working. Many customers are not able to log onto the site, let alone conduct any transactions, and the firm suffers a significant drop in sales and policy lapses as well as regulator scrutiny. Media attention is not as intense as it has been with other companies in similar positions, focusing on poor customer outcomes and the internal controls of the firm.
While there is no optimal number of uncertainty factors. somewhere in the range 5 to 30 seems appropriate for the majority of evaluations.
Assess the impacts
Assessments need to be transparent with result presented as a statement of plausible expected value within within a range of upper and lower limits.
In this approach users answer a series of straightforward questions based on the risk factors identified. Any situation subject to uncertainty can be assessed in this way.
Step 3: Credible impacts
The aim is to produce a credible estimate of the range of impact and likelihood for each uncertainty. This is done using the parameters identified – such as cost, percentage change and days lost – measures that a subject matter expert should feel comfortable using to provide a judgment.
The scenario assumes the number of PCs impacted is 800 (estate size) and that 80 PCs could be restored per day, suggesting a 10 day event duration.
However the facilitator needs to explore and challenge assumptions where appropriate. There will be uncertainty around the estimate for both the number of PCs infected and the daily restore rate. The responsibility is to elicit from the subject expert an understanding of these uncertainties and express them either as a relative change %, or in absolute terms as shown below.
Step 4: Present the results
Through exploring the range of possible impact we learn that a 20% increase in the number of PCs impacted (to 960) along with a 20% slower restore rate (to 64 PCs a day) would mean the worst case (pessimistic) event duration estimate would rise to 15 days, a significant change to the scenario and impact assessment. Improved understanding of the potential impact range may lead to consideration of different event responses.
Explorer’s Risk Engine calculates the expected cost of the ransomware event and presents an expected value within a plausible impact range. While the pessimistic impact aligns with the original paper single-point estimate we have tested the assumptions and gained valuable insight into how this ‘worst-case’ ransomware attack could develop and impact the firm. This additional insight is especially helpful in discussions around setting tolerance levels.
Step 5: Evaluate actions
Explorer allows users to document their mitigating actions and presents a pre-and post- mitigation assessment. For example, if the businesses insurance cover was updated to include ransomware payments the expected cost impact can be reduced accordingly. This simple approach provides insight into how control actions shape the scenario outcomes.
Model complexity
This approach to estimating focuses on producing simple, timely and transparent models and provides an efficient way of learning about decision situations. The approach taken in this example requires capturing a minimum amount of information about uncertainties in the form of subjective judgements.
This enables us to do the simple expected range calculations shown above, however Explorer can readily capture 3 point estimates for Monte Carlo simulation.
Risk Connectivity
Risk connectivity is the opportunity to identify and explore a holistic view of risk. Risk Insights Explorer identifies risk relationships so encouraging insight into the ripple effects of decisions and the potential for unintended or unanticipated consequences.
By integrating Risk Connectivity’s holistic view with our simple-to-use estimating approach, decision-makers get clear and communicable results in one intuitive model.
I welcome your thoughts and comments.
LinkedIn at https://www.linkedin.com/in/johnmasonx/
Useful links associated with the above scenario:
https://www.actuaries.org.uk/…/cyber-operational-risk-scenarios-insurance-companies
https://www.theregister.co.uk/2018/01/25/after_notpetya_maersk_replaced_everything/