Current approaches to IT security and cyber risk management tend to underestimate some key aspects of cyberattacks:
- The human factor, which covers subjective, organisational, societal and economic aspects, and how it contributes to vulnerabilities to cyberattacks. This aspect is often ignored despite the fact that social engineering attacks generate the highest costs, and are ten times more common in social media posts than malware.
- The role of intangible assets in the quantification of the consequences of cyberattacks. More than half the value of companies worldwide is in intangible assets, such as intellectual property, much of which is stored on computers and could therefore be vulnerable to hackers.
- The strategy of the cyber attacker in the identification of vulnerabilities and assets at risk. Modern cyberattacks follow the same business logic used by big companies in defining their strategies and business plans. The same multidisciplinary combination of engineering, risk assessment, and economic, cognitive, behavioural, societal and legal knowledge is needed to properly address the strategy of professional IT attackers.
Therefore, the challenging overall goal of Hermeneut is to create a holistic, dynamic cybersecurity risk assessment model and approach to cost-benefit analysis that:
- starts from an integrated assessment of vulnerabilities of organisations, including human factors cybersecurity assessment, and their likelihoods,
- exploits an innovative macro- and microeconomic model to estimate the consequences of cyberattacks for intangible costs,
- ends with a cybersecurity risk assessment of tangible and intangible assets for an organisation or a business sector, and
- is followed by guidelines able to support decisions related to cybersecurity investments on hard and soft measures to mitigate the loss of an enterprise’s integrity.
All the Hermeneut objectives will be reached and applied at two complementary levels:
- The individual organisation level, offering a web-based decision support tool that makes the entire Hermeneut methodology and models available to decision makers, empowering them to take informed decisions based on quantitative information to guide their security investments, and
- The industrial sector level, providing strategic guidance for policy makers in the key market sectors. Hermeneut will validate the models and methodology in two relevant market sectors in which intangible assets are highly important and the related costs in case of cyberattacks are high, namely healthcare and IP-intensive industry.
The concrete delivery of Hermeneut includes:
- An integrated estimation of the enterprise’s vulnerabilities for both humans and technology, including human factors cybersecurity assessment, to assess the corresponding tangible and intangible assets at risk of cyberattacks and cybercrime.
- An innovative economic model to quantify the losses of tangible and intangible assets.
- A holistic, dynamic cybersecurity risk assessment model able to support decisions on cybersecurity investments for possible hard and soft mitigation measures, integrating also dedicated elicitation approaches and a Benefit-Harm Index (BHI).
- A web-based risk-driven cybersecurity cost-benefit decision support tool that implements and supports the above-mentioned methodology and model, including a workflow manager to cover the full process of risk assessment, from the analysis of vulnerabilities to the decision on investments in the different hard (technological) and soft (human factors) mitigation measures.
- A validation of the proposed approach in four key market sectors, amongst those with the highest cyber impact: healthcare, IP-intensive Industries, financial services and retail. Validation is performed using publicly available data sources complemented by elicited expert knowledge to provide strategic guidance on the necessary investments to reduce cyber-risks focusing on soft mitigation measures.
- A detailed validation of the proposed approach for the two market sectors elected as representative for Hermeneut: healthcare and IP-intensive Industries, such as critical infrastructure.
The holistic Hermeneut approach is based on:
- An integrated assessment of the enterprise’s vulnerabilities for both humans and technology (phase 1) and the corresponding cybersecurity risk assessment of tangible and intangible assets. The assessment takes into account the business plan of the attacker, the commoditisation level of the target organisation and the exposure of the target, and performs a cybersecurity assessment of the human factors involved. On the same basis, it estimates the likelihood of a potential cyberattack exploiting the assessed vulnerabilities.
- An innovative micro- and macroeconomic cost model focusing on intangible costs (phase 2), able to quantify the cost of the loss of the assets at risk identified in phase 1. The model considers the impact of intangible factors and cyber risk on an organisation’s sustainability at the microeconomic level, and the share of GDP sensitive to cyber risk at the macroeconomic level.
- A holistic, dynamic cybersecurity risk assessment model for tangible and intangible assets (phase 3), taking as input the vulnerabilities and likelihoods of cyberattacks from the iVA (phase 1) and the economic quantification of potential consequences from the cost model (phase 2).
- The verification in two specific business sectors (Healthcare and IP-intensive industry) of the developed models (phase 4).
Hermeneut will have a duration of 24 months, starting May 2017. The project is organised in 7 work packages (WP), each providing one or more specific outputs or supporting activities. Specifically:
WP1 – Project management includes the activities for effectively planning, managing, and controlling the project throughout its duration.
WP2 – Proactive estimation of vulnerabilities aims to analyse the most relevant vulnerabilities and to assess the corresponding tangible and intangible assets at risk.
WP3 – Micro and macro-economics models of intangible cyber-costs aims to improve the theoretical understanding of the formation, composition and dynamics of intangible costs caused by cyberattacks within the economy. The devised and refined economic model will serve as a basis to perform the dynamic cybersecurity risk assessment and to prioritize and plan resource allocation.
WP4 – Risk based cost & benefit framework aims to design and develop a holistic, dynamic risk assessment model and methodology, together with the Hermeneut supporting tool, integrating dedicated elicitation approaches and a benefit-harm model able to support risk-aware decisions on information security investments for the adoption of possible hard (traditional) and soft mitigation measures.
WP5 – Validation and best practices aims to design, apply and execute the validation strategy, in order to assess all advantages and costs deriving from the answer to the very basic question of whether it is more expensive (expense vs. direct/indirect damage) to implement a proper cybersecurity system or not to implement one.
WP6 – Communication and dissemination defines and implements a proactive and interactive methodology to communicate and disseminate the results and recommendations achieved by Hermeneut.
WP7 – Policy recommendations and exploitation analyses policies and best practices relevant to the topics addressed by the project, in order to provide a set of policy recommendations based on the project outputs and to identify and implement pathways to the effective exploitation of the project results and outputs by the stakeholder community and future research initiatives.