Current approaches to IT security and risk management tend to underestimate some key aspects of cyber-attacks:

  • The human factor, which covers subjective, organisational, societal and economic aspects, and how it contributes to vulnerabilities to cyber-attacks. This aspect is often ignored despite the fact that Social Engineering attacks generate the highest costs, and are ten times more common in social media posts than malware.
  • The role of intangible assets in the quantification of the consequences of cyber-attacks. More than half the value of companies worldwide is in intangible assets, such as intellectual property, much of which is stored on computers and could therefore be vulnerable to hackers.
  • The strategy of the attacker in the identification of vulnerabilities and assets at risk. Modern attacks follow the same business logic used by big companies in defining their strategies and business plans. The same multidisciplinary combination of engineering, risk assessment, and economic, cognitive, behavioural, societal and legal knowledge is needed to properly address the strategy of professional IT attackers.


Therefore, the challenging overall goal of Hermeneut is to create a holistic risk assessment model and approach to cyber-security cost-benefit analysis that:

  1. starts from an integrated assessment of vulnerabilities of organisations and their likelihoods,
  2. exploits an innovative macro- and microeconomic model to estimate the consequences of cyber-attacks for intangible costs,
  3. ends with an estimation of the tangible and intangible assets risks for an organisation or a business sector, and
  4. is followed by guidelines able to support decisions related to cybersecurity investments on hard and soft measures to mitigate the loss of an enterprise’s integrity.

All the Hermeneut objectives will be reached and applied at two complementary levels:

  • The individual organisation level, offering a web-based decision support tool that makes the entire Hermeneut methodology and models available to decision makers, empowering them to take informed decisions based on quantitative information to guide their security investments, and
  • The industrial sector level, providing strategic guidance for policy makers in the key market sectors. Hermeneut will validate the models and methodology in two relevant market sectors in which intangible assets are highly important and the related costs in case of cyber-attacks are high, namely the Healthcare and IP-intensive industry.

Expected outcomes

The concrete deliverables of Hermeneut include:

  • An integrated estimation of the enterprise’s vulnerabilities for both humans and technology, to assess the corresponding tangible and intangible assets at risk against cyber-attacks and cyber-crime.
  • An innovative economic model to quantify the losses of tangible and intangible assets.
  • A holistic risk assessment model able to support decisions on cyber-security investments for possible hard and soft mitigation measures, integrating also dedicated elicitation approaches and a Benefit-Harm Index (BHI).
  • A web-based risk-driven cyber-security cost-benefit decision support tool that implements and supports the above-mentioned methodology and model, including a workflow manager to cover the full process of risk assessment, from the analysis of vulnerabilities to the decision on investments in the different hard and soft mitigation measures.
  • A validation of the proposed approach in four key market sectors, amongst those with the highest cyber impact: healthcare, IP-intensive Industries, financial services and retail. Validation is performed using publicly available data sources complemented by elicited expert knowledge to provide strategic guidance on the necessary investments to reduce cyber-risks focusing on soft mitigation measures.
  • A detailed validation of the proposed approach for the two market sectors elected as representative for Hermeneut: healthcare and IP-intensive Industries, such as critical infrastructure.


The holistic Hermeneut approach is based on:

  • An integrated estimation of the enterprise’s vulnerabilities for both humans and technology (phase 1) and the corresponding tangible and intangible assets at risk. The assessment takes into account the business plan of the attacker, the commoditisation level of the target organisation, the exposure of the target and finally the involved human factors; on the same basis, it estimates the likelihood of a potential cyber-attack exploiting the assessed vulnerabilities.
  • An innovative micro- and macroeconomic cost model focusing on intangible costs (phase 2), able to quantify the cost of the loss of the assets at risk identified in phase 1. The model considers the impact of intangible factors and cyber-risk on an organisation’s sustainability at the micro-economic level, and the size of the GDP sensitive to cyber-risk at the macro-economic level.
  • A holistic risk assessment model (phase 3) taking as input the vulnerabilities and likelihoods of cyberattacks from the iVA and the economic quantification of potential consequences from the cost model.
  • The verification in two specific business sectors (Healthcare and IP-intensive industry) of the developed models (phase 4).


Hermeneut will have a duration of 24 months, starting May 2017. The project is organised in 7 work packages (WP), each contributing to one or more specific outputs or supporting activities. Specifically:

WP1 – Project management includes the activities for effectively planning, managing, and controlling the project throughout its duration.

WP2 – Proactive estimation of vulnerabilities aims to analyse the most relevant vulnerabilities and the corresponding tangible and intangible assets at risk.

WP3 – Micro and macro-economics models of intangible cyber-costs aims to improve the theoretical understanding of the formation, composition and dynamics of intangible costs caused by cyber-attacks within the economy. The devised and refined economic model will serve as a basis to assess risk and to prioritize and plan resource allocation.

WP4 – Risk based cost & benefit framework aims to design and develop a holistic risk assessment model, methodology, and the Hermeneut supporting tool, integrating also dedicated elicitation approaches and a benefit-harm model able to support risk-aware decisions on information security investments for the adoption of the possible hard (traditional) and soft mitigation measures.

WP5 – Validation and best practices aims to design, apply and execute the validation strategy, in order to assess all advantages and costs deriving from the answer to the very basic question – whether it is more expensive (expense vs. direct/indirect damage) to implement or not implement a proper cyber security system.

WP6 – Communication and dissemination defines and implements a pro-active and interactive methodology to communicate and disseminate the results and recommendations achieved by Hermeneut.

WP7 – Policy recommendations and exploitation analyses policies and best practices relevant to the topics addressed by the project, to provide a set of policy recommendations based on the project outputs to identify and implement pathways to the effective exploitation of the project results and outputs by the stakeholder community and future research initiatives.