Integrating a Proactive Technique Into a Holistic Cyber Risk Management Approach

Published: 01 December 2018
Authors: Angelica Marotta, Michael McShane
DOI: http://doi.org/10.1111/rmir.12109
Risk Management and Insurance Review
Risk Management and Insurance Review, 2018, Vol. 21, No. 3, 435-452
DOI: 10.1111/rmir.12109
FEATURE ARTICLE
INTEGRATING A PROACTIVE TECHNIQUE INTO A HOLISTIC
CYBER RISK MANAGEMENT APPROACH
Angelica Marotta
Michael McShane
ABSTRACT
Cyber threats are an emerging risk posing a range of challenges to organizations
of all sizes. Corporate risk managers need to understand that cyber risk man-
agement must not be a silo in the IT department. Cyber threats are the result
of intelligent adaptive agents that cannot be managed by traditional risk man-
agement techniques only. The article describes the honeypot concept, which is
a proactive measure for identifying and gathering information about attackers
in order to develop suitable and effective countermeasures. In addition, this
article proposes the integration of the honeypot concept into a cyber risk man-
agement approach based on the five preparedness mission areas of the Federal
Emergency Management Agency (FEMA).
INTRODUCTION
Cyber risk has been a topic for years in IT and computer science journals, but only a few
cyber risk articles have appeared in risk management and insurance journals. Hovav
and D’Arcy (2003) and Gatzlaff and McCullough (2010) have researched cyber attacks
from a financial economics perspective to investigate the effect of cyber attacks on an
organization’s stock price. Biener et al. (2015) and Eling and Schnell (2016) provide an
overview of the evolving cyber insurance market and the insurability of cyber risk,
while Eling and Loperfido (2017) investigate and model data breaches from an actuarial
perspective. These articles investigate cyber-related issues, but not the cyber risk man-
agement process itself. Organizations can no longer afford to let cybersecurity dwell in
a technical silo. Cyber threats are different from the risks faced by corporate risk man-
agers. Unlike typical corporate risks, cyber threats result from intelligent actors who
can adapt and change tactics as defenses are implemented, thus rendering past data
quickly obsolete as a predictor of future attacks. In addition, cyber risks are plagued
by information asymmetry, correlated loss, and interdependent security issues (Biener
et al., 2015; Marotta et al., 2017; McShane et al., 2018; Shetty et al., 2018) that hamper
traditional risk management and insurance practices from being effective.
Angelica Marotta works at IIT-Italian National Research Council, Pisa, Italy, and is Research
Affiliate, MIT Sloan School of Management, Cambridge, MA; e-mail: angelica.marotta@iit.cnr.it.
Michael McShane is Associate Professor of Risk Management and Insurance, Old Dominion
University, Norfolk, VA; e-mail: mmcshane@odu.edu.
Like traditional terrorists, cyber criminals have an asymmetric information advantage
and only need to be right once, while defenders need to be correct every time. Cyber
threats are systemic and require much less effort than required for physical terrorism.
A single cyber criminal can attack multiple organizations simultaneously. In addition,
cyber risks are interdependent (Hofmann, 2007; Hofmann and Ramaj, 2011; Ogut et al.,
2005) meaning that the security of an organization depends not only on an organization’s
actions, but on the actions/inactions of other entities, such as contractors and suppliers.
Risk managers need to understand the emerging cyber risk threat and work together
with IT specialists to manage cyber risks in a holistic manner.
Organizations face a growing list of cyber threats, such as data and intellectual property
theft, ransomware, and distributed denial-of-service (DDOS) attacks that shut down
websites. Cyber crime costs the global economy approximately $445 billion a year with
the world’s largest economies accounting for around half of this, and is expected to
increase in the coming years (Allianz, 2015). Rapid growth in cyber threats has been
accompanied by a worrying change in attackers’ purposes and techniques that can
render cybersecurity measures ineffective.
Progress enabled by the Internet opens new and easy ways of gathering information.
Even a relatively inexperienced attacker can perpetrate potentially devastating attacks
with large-scale consequences for organizations. An Institute for Critical Infrastructure
Technology (ICIT) report argues that even a “script kiddie”¹ could cause serious damage
to the system of a major healthcare provider, using only phishing attacks and exploit
kits available on the Internet (ICIT, 2016). Generally, these attacks occur because organi-
zations have common vulnerabilities (Böhme, 2005; Shetty et al., 2018), which are unin-
tended flaws or design errors that enable an attacker to access multiple organizations.
The purpose of this article is to make risk management researchers and practitioners
aware of emerging cyber concerns; introduce the honeypot concept, which is a proactive
tool for identifying and managing cyber risks by better understanding cyber intrud-
ers; and propose the integration of this tool into a FEMA-based preparedness model.
Depending on the goals of implementation, honeypot technology can range from simple
low-interaction software emulation of services and applications to high-interaction hon-
eypots that can include an actual operating system and other real resources. In the most
recent definition, honeypots are decoy systems implemented to attract cyber attackers
with the purpose of learning to overcome the attacker’s information advantage and also
to distract the intruders and to protect the real system.
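As an added example (not code from the paper or its authors), the following Python sketch of a low-interaction honeypot makes the distinction above concrete: it emulates nothing more than a service banner, never exposes a real operating system, and turns every connection into a structured event that a risk or security team can review. The decoy banner, the port handling, the event fields and the local test probe are my own assumptions for illustration; the paper specifies none of them.

```python
"""Low-interaction honeypot sketch (added example, not from the paper).

Emulates a single service banner and records connection metadata plus the
first bytes an intruder sends. Nothing real is exposed: the decoy has no
mail logic, no accounts and no data, so any connection to it is suspicious
by construction and worth analysing.
"""
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed decoy banner (assumption). It imitates an SMTP greeting only
# closely enough to make a probe reveal its next move.
FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"
MAX_CAPTURE = 256  # bytes of intruder input retained per connection


def summarize_event(peer_ip, peer_port, listen_port, payload, ts=None):
    """Build one structured event record from a single connection."""
    ts = time.time() if ts is None else ts
    captured = payload[:MAX_CAPTURE]
    printable = captured.decode("ascii", errors="replace")
    return {
        "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": listen_port,
        "bytes_received": len(payload),
        # First line is usually the most telling part (e.g. a scanner's greeting).
        "first_line": printable.splitlines()[0] if printable else "",
        "payload_hex": captured.hex(),  # raw bytes kept for later analysis
    }


class LowInteractionHoneypot:
    """Listens on one TCP port, sends the decoy banner, logs what arrives."""

    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER, read_timeout=2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.read_timeout = read_timeout
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = None

    def _serve(self):
        self.sock.settimeout(0.2)  # lets the loop notice a stop request
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    conn.sendall(self.banner)
                    payload = conn.recv(4096)
                except (socket.timeout, OSError):
                    # A silent connect-and-hang is still an event worth logging.
                    payload = b""
                event = summarize_event(addr[0], addr[1], self.port, payload)
                with self._lock:
                    self.events.append(event)

    def start(self):
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
        self.sock.close()

    def wait_for_events(self, n, timeout=5.0):
        """Return True once at least n events have been recorded."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return True
            time.sleep(0.01)
        return False

    def snapshot(self):
        with self._lock:
            return list(self.events)


def send_test_probe(port, data, host="127.0.0.1"):
    """Constructed local test traffic: connect, read the banner, send data."""
    with socket.create_connection((host, port), timeout=3.0) as client:
        banner = client.recv(1024)
        client.sendall(data)
    return banner


if __name__ == "__main__":
    honeypot = LowInteractionHoneypot().start()
    send_test_probe(honeypot.port, b"EHLO probe.example\r\n")
    honeypot.wait_for_events(1)
    honeypot.stop()
    print(json.dumps(honeypot.snapshot(), indent=2))
```

The design point is the trade-off the paragraph describes: because this decoy emulates only a banner, it is cheap to run and cannot be used as a foothold, but it learns little beyond an intruder's first message. A high-interaction honeypot would replace the emulation with a real, isolated host to observe full attacker behaviour, at the price of far more monitoring and containment effort.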
This article is structured as follows. The next section “Honeypot Basics and
Relevant Research” provides a basic understanding of honeypots and highlights rel-
evant research. The subsequent section “Cyber Risk Management Problem Statement”
discusses a major issue facing cybersecurity followed by a proposed honeypot solution
to this problem. Then the integration of this solution into a cyber risk management
model based on the FEMA emergency management approach is outlined followed by
the section “Implementation of Production Honeypots Into the Network” describing
the implementation of a production honeypot in a corporate network. The final section
“Conclusion” concludes and suggests future research on cyber risk management.
¹ An inexperienced individual who performs cyber attacks by using tools developed by experts.
