World Economic Forum’s Partnering for Cyber Resilience

Introduction

Partnering for Cyber Resilience was compiled by the World Economic Forum’s Partnering for Cyber Resilience ( the complete paper can be found here).

This organization and its current initiative aim to establish awareness of cyber risk and to build commitment regarding the need for more rigorous approaches to cyber risk mitigation. The initiative started at the 2011 World Economic Forum Annual Meeting in Davos, Switzerland. Early efforts included raising awareness through workshops and introductory publications. Since 2011, the initiative has managed to grow immensely by gathering more than 100 signatories to focus on ways to assess the impact of and exposure to cyber threats. Some of the notable names among these signatories include: Francis Bouchard (Group Head of Government and Industry Affairs, Zurich Insurance), Andres Ruzo (CEO, Link America), Jan Verplancke (Director, Chief Information Officer and Group Head, Technology and Operations, Standard Chartered Bank), Thom Mason (Laboratory Director Oak Ridge National Lab), Brian Behlendorf (Managing Director, Mithril Capital Management), Preston McAfee (Chief Economist, Microsoft). The following is a summary of the report, highlighting the values of the initiative and explanation of the framework.

Partnering for Cyber Resilience Introduction

The digitization of today’s world, which includes the convergence of web, social, mobile and the Internet of Things has promoted the notion of sharing data. However, this modern trend has not focused adequately enough on securing all this digital data. As firms continue to grow their cyber capabilities – they raise the risk of their cyber vulnerabilities. The challenge – how to protect against targeted threats without disrupting business innovation or hindering growth? The solution – develop a framework than can model and quantify the impact and risk of cyber threats. A solution that is being referred to as The Cyber Value-at-risk concept. This solution (or framework) seeks to unify: technical, behavioral and economic factors from both internal (enterprise) and external (systemic) perspectives. By doing so, the framework will eventually be able to provide organizations with a somewhat-holistic approach to dealing with cyber threats while minimizing the compromise it has on business activities.

In order for organization to make sound and informed decisions, they must have a way to quantify cyber risk. The Cyber value-at-risk framework helps them do so, and it does that by following a three-folded approach.

• Understand the key cyber risk drivers (or components) required for modelling cyber risks.
• Understand the dependencies between these components that can be embedded in a quantification model.
• Understand ways to incorporate cyber risk quantification into enterprise risk management.

By following this three-folded approach, organizations will set themselves up to successfully quantify the risk of cyber-attacks.

However, an organization must also understand the key components identified in the cyber value-at-risk model concept. The following three components help one understand the goal of cyber value-at-risk – to standardize and unify different factors into a single normal distribution that can quantify the value at risk in case of a cyberattack.

Vulnerability – This component focuses on how vulnerable an organization is. It is further broken down into: existing vulnerabilities, Maturity level of defending systems and the number of successful breaches. These three sub-components help us understand the range of vulnerability within an organization. It ranges from number of security updates, to the number of unpatched vulnerabilities to the success rate of compromises of machines.

Assets – Arguably the core of the entire model but the organizations assets must be evaluated. There are two types of assets that the framework takes into consideration for evaluation, those being: Tangible and Intangible assets. This is considered by many as the core of the entire model because the assets of an organization is what is sought after by an attacker. There for, understanding and evaluating the current assets of an organization is critical for understanding and quantifying the model.

Profile of Attacker – The last component of the model takes into consideration the attacker themselves. This tries to identity the type of attacker, the attack method and the motivation behind an attack. This is a crucial input in the cyber value-at-risk model as it helps us understand the profile of the adversaries targeting valuable assets.

After taking into consideration these three components and following the three-folded approach, one can have a clearer understanding of the cyber value-at-risk model. This model, as stated earlier, is intending to help an organization make more informed decision by quantifying their risk of a cyberattack. As any model, it is only successful when implemented and when a culture change occurs within an organization to adopt it. Successful cyber risk includes organization leadership, cyber life-cycle process management, and solution life-cycle implementation management. As such, further specifying and promoting cyber value-at-risk as a vehicle for global cyber resilience sustainability would benefit organizations and global stakeholders and support the creation of a more resilient cyber ecosystem.

Conclusion

As mentioned previously, the World Economic Forum’s Partnering for Cyber Resilience has managed to grow rapidly in the last couple of years. This latest publication is just another step towards achieving their goal of establishing awareness for cyber risk. As this initiative gains more and more momentum we will begin to see more publications regarding cyber resilience and potentially a more advanced version of the cyber value-at-risk framework. With over 100 signatories include key figures in the cyber world, we should not be surprised with the value this organization is bringing to the cyber world and their ability to really create awareness and change for cyber risk.