For many industries, Intellectual Property (IP) is a precious, largely intangible asset. There are many unique aspects to managing cyber risks associated with a company's IP. Such IP will typically include patents, trademarks and copyrights. However, it is the company's trade secrets, and specifically the portion of the IP that is intended to be kept a secret, that are mainly at risk in a cyber attack. The theft of trade secrets, including design documents and details of unreleased products, could cause significant financial loss to IP-intensive companies.

IP-intensive industries rely on the knowledge and creativity of their employees. Therefore, they must balance security measures not only with implementation costs, but also with "usability". Usability is the ability of developers to access both internal and external information with little or no interference by security systems.

The nearly ubiquitous digitisation and the ever-increasing connectivity of products both produced and used by IP-intensive industries pose new types of cyber risks that any cyber risk management strategy must include. Risks to these companies are not limited to the traditional risks to their IT systems, but typically also include risks to the products they produce and "cyber-physical" risks. For example, a company developing a connected rail switching system must consider the possibility that a cyber attack could lead to a catastrophic rail accident. Insiders pose a significant threat in IP-intensive industries. Any cyber risk management strategy must take into account the cyber threat from insiders.

Cyber attacks against IP-intensive industries are occurring in significant numbers and are leading to substantial financial loss. Dealing with this threat properly requires a comprehensive Cyber Risk Management strategy. The HERMENEUT methodology provides essential tools for implementing such a plan.

A "one-size-fits-all" approach to cyber risk management in the IP-Intensive Industries is not appropriate. A successful approach combines an automated risk assessment methodology with inputs specific to the particular industry and to one specific company. HERMENEUT provides such an approach: one that will allow Cyber Risk Management to become an integral part of every company's Risk Management Strategy at the top management levels.

Key findings

  • For IP-intensive companies, it is the portion of a company's IP that is intended to be kept a secret that puts the company at risk in case of a cyber attack.
  • Attacks based on social engineering can compromise even knowledge held by employees.
  • The nearly ubiquitous digitisation and the ever-increasing connectivity of products produced and used by IP-intensive industries pose new types of cyber risks. Any cyber risk management strategy must include them.
  • Supply chain risks are of particular significance in the IP-intensive sector. In fact, they can lead to risks to the corporate IT systems and to the products produced by the company. Attackers are always looking for the weakest link, and this may be in one of the company's suppliers.
  • A corporate Cyber Risk Management strategy must include the cyber-physical risk and risks to the company's assets and to the products it produces.
  • Damage to a company's products can lead not only to physical risks but also to the loss of reputation.
  • A cyber defence policy that is too restrictive can lead to difficulties in the usability of corporate systems. As a consequence, this can cause problems in hiring the most creative employees.
  • We recommend that IP-intensive companies identify their "crown jewels" and defend them by the most sophisticated means, while defending other assets at their appropriate levels.
  • Cyber Risk Management must be part of a company's corporate level risk management strategy, and not only of the IT or engineering levels.
  • A successful approach to Cyber Risk Management combines an automated risk assessment methodology with inputs specific to the particular industry and company.
  • Understanding the tangible and intangible risks in a company is of vital importance in building a Cyber Risk Management Plan. Only the company itself has the necessary information to identify and quantify these risks.
  • The HERMENEUT methodology for quantifying the intangible risks in the IP-Intensive Sector is fundamental in drawing the correct balance between security, cost and usability.