Good risk analysis runs on defensible data, and to lead our discussion on how to get the best possible data to take to decision-makers, the 2020 FAIR Conference has lined up an expert discussion panel led by the best-known data crusader in cyber risk management.
The session: “How Better Data Can Help Executives Make Better Decisions”, Tuesday, October 6 at 2 PM. Leader: Wade Baker, PhD.
Wade Baker pioneered and led the Verizon Data Breach Investigations Report (DBIR), the annual, authoritative accounting of cyber loss events, and continues the mission at Cyentia Institute, the cybersecurity research firm that recently released the Information Risk Insights (IRIS 20/20) report analyzing the frequency and cost of cyber incidents over the past decade.
“Real data is a kind of gut check” that reins in the tendency of many in the cybersecurity profession to fall back on FUD, Wade says.
As a preview of his upcoming FAIRCON session on better data, here are some of Wade’s latest thoughts on data and FAIR.
Q: What was the main takeaway about data from the IRIS 20/20 Report?
A: I hope it showed that having a large set of incident data, even if it’s not a perfect collection of information, can really give us insight into the frequency and losses of incidents.
The field of cybersecurity, and in particular cyber risks and losses, is so prone to errors in estimation. We fight against that all the time in the quant space: for the things that we tend to fear, we inflate the possibility that they could happen or, if they did happen, the magnitude of losses.
So, real data is kind of a gut check: Is this in alignment with what I’m thinking and what I’m seeing?
The 2020 FAIR Conference (FAIRCON2020), the premier global risk management conference, will be held digitally on October 6 & 7 (Tues. and Wed.). FAIRCON2020 will provide ground-breaking keynote addresses, engaging C-suite panels, and expert case study sessions through a cutting-edge virtual event platform.
Q: One of the messages of the report was to take a probabilistic approach.
A: Indeed, and I think we’re getting there. I started the DBIR just out of necessity because I was really tired of doing risk assessments and just sticking a finger in the wind, and kind of making things up. I saw the DBIR as a way to have some sort of evidence.
It was very hard to count things back then, but I’m glad to say that now we’ve got a pretty good bit of data out there and we can start making probabilistic statements and creating those distributions in a more data-informed manner and I’ve enjoyed seeing that evolution.
Q: What would improve the data that’s available to the risk management profession? Should a government agency step in and demand data sharing?
A: It’s a problem that’s got to be attacked from lots of different directions. Certainly, I have long thought that some type of entity that was responsible for not just collecting but also distributing publicly that kind of information would be very useful to many.
Where you set the threshold for that kind of reporting, and whether it is voluntary or mandatory, will determine what we are able to see.
The Advisen data set [analyzed in IRIS 20/20] primarily consists of events that either had to be disclosed publicly or were found out publicly. For those kinds of incidents, it’s pretty good.
But I’ve had several people read IRIS 20/20 and say, “I think you guys missed a large segment of incidents that hit SMBs that never report publicly, that are reported to their insurance carriers.” I completely agree with that and would love to add a data set from a cyber insurer to that study.
I think there are all kinds of gaps in visibility, but any time you start collecting a data set, and then you collect the next data set and the next, you get better over time.
Q: What benefit do you think FAIR brings to the profession and its outlook on data?
A: A framework to have these discussions and evaluate and assess and begin measuring risk is the primary thing that brings most people into FAIR.
FAIR gives that common language. That’s still the number one thing.
But more recently, the thing that has really captured my attention around FAIR is the increasing momentum that the community has brought. There’s so much more discussion, and people outside our little cyber-quant community know about FAIR.
The FAIR Institute has done a fantastic job of educating not only the marketplace but government agencies, and those kinds of things ultimately might be a harder push in the right direction than even a great framework, because they give all the momentum to get new people involved. Lately, I’ve been very impressed with that momentum.