ISBN-13: 9781119490937 / English / Hardcover / 2018 / 384 pp.
The non-technical handbook for cyber security in the insurance industry.

Solving Cyber Risk distills a decade of research into a practical framework for cyber security.
"Solving Cyber Risk brings a technical subject to life using entertaining and poignant parallels to historical warfare. It also makes a compelling argument for the use of counterfactual analysis of past cyber events, to help us protect the digital economy from the cyber aggressors of the future. The authors make the case for cyber resilience and give business leaders practical advice to embed cyber-aware culture in their organisation." - Domenico del Re, Director, PricewaterhouseCoopers

"Before we can begin to address the serious risks that accompany the modern world's increasing dependence on networked computer systems we have to understand them, and this is the key achievement of Solving Cyber Risk. Anyone reading the book will come away better able to assess, quantify, and reduce the risks faced by their business." - Bill Thompson, Technology writer and BBC presenter

"Is your organisation cyber-resilient? Are your services? Are you? Starting from practical assessments of how a security breach could damage the organisation, this comprehensive review of the current risk landscape will tell you why it matters, how to assess your own performance, and how to improve it." - Andrew Cormack, Former Computer Security Incident Response Team (CSIRT) manager

"The essential handbook for anyone that wants to understand the cyber risks facing their business. The authors draw on decades of experience in cyber, insurance and modelling to provide the essential context for the range of potential threats and losses, today and in the future, providing real life case studies and practical advice for assessing and managing the risks." - Matthew Grant, Founder and Executive Director, Abernite Ltd.

"Whoever feels overwhelmed by the sheer amount of unsorted information - around cyber risk, the uncertainties of managing this risk and its questioned insurability (which I do not share) - should read this book. It helps to ringfence the key issues by classifying, weighting and prioritizing cyber related decisions. It is good for IT security professionals to get familiar with risk management framework and it is equally helpful for risk management professionals to break down the complexity of 'cyber' and focus on the essentials." - Simon Dejung, Senior Underwriter, SCOR
About the Authors
Acknowledgments

CHAPTER 1 Counting the Costs of Cyber Attacks
1.1 Anatomy of a Data Exfiltration Attack
1.2 A Modern Scourge
1.3 Cyber Catastrophes
1.4 Societal Cyber Threats
1.5 Cyber Risk
1.6 How Much Does Cyber Risk Cost Our Society?
Endnotes

CHAPTER 2 Preparing for Cyber Attacks
2.1 Cyber Loss Processes
2.2 Data Exfiltration
2.3 Contagious Malware Infection
2.4 Denial of Service Attacks
2.5 Financial Theft
2.6 Failures of Counterparties or Suppliers
Endnotes

CHAPTER 3 Cyber Enters the Physical World
3.1 A Brief History of Cyber-physical Interactions
3.2 Hacking Attacks on Cyber-physical Systems
3.3 Components of Cyber-physical Systems
3.4 How to Subvert Cyber-physical Systems
3.5 How to Cause Damage Remotely
3.6 Using Compromises to Take Control
3.7 Operating Compromised Systems
3.8 Expect the Unexpected
3.9 Smart Devices and the Internet of Things
Endnotes

CHAPTER 4 Ghosts in the Code
4.1 All Software Has Errors
4.2 Vulnerabilities, Exploits, and Zero Days
4.3 Counting Vulnerabilities
4.4 Vulnerability Management
4.5 International Cyber Response and Defense
Endnotes

CHAPTER 5 Know Your Enemy
5.1 Hackers
5.2 Taxonomy of Threat Actors
5.3 The Insider Threat
5.4 Threat Actors and Cyber Risk
5.5 Hackonomics
Endnotes

CHAPTER 6 Measuring the Cyber Threat
6.1 Measurement and Management
6.2 Cyber Threat Metrics
6.3 Measuring the Threat for an Organization
6.4 The Likelihood of Major Cyber Attacks
Endnotes

CHAPTER 7 Rules, Regulations, and Law Enforcement
7.1 Cyber Laws
7.2 US Cyber Laws
7.3 EU General Data Protection Regulation (GDPR)
7.4 Regulation of Cyber Insurance
7.5 A Changing Legal Landscape
7.6 Compliance and Law Enforcement
7.7 Law Enforcement and Cyber Crime
Endnotes

CHAPTER 8 The Cyber-Resilient Organization
8.1 Changing Approaches to Risk Management
8.2 Incident Response and Crisis Management
8.3 Resilience Engineering
8.4 Attributes of a Cyber-resilient Organization
8.5 Incident Response Planning
8.6 Resilient Security Solutions
8.7 Financial Resilience
Endnotes

CHAPTER 9 Cyber Insurance
9.1 Buying Cyber Insurance
9.2 The Cyber Insurance Market
9.3 Cyber Catastrophe Risk
9.4 Managing Portfolios of Cyber Insurance
9.5 Cyber Insurance Underwriting
9.6 Cyber Insurance and Risk Management
Endnotes

CHAPTER 10 Security Economics and Strategies
10.1 Cost-Effectiveness of Security Enhancements
10.2 Cyber Security Budgets
10.3 Security Strategies for Society
10.4 Strategies of Cyber Attack
10.5 Strategies of National Cyber Defense
Endnotes

CHAPTER 11 Ten Cyber Problems
11.1 Setting Problems
1 The Canal Safety Decision Problem
2 The Software Dependency Problem
3 The Vulnerability Inheritance Problem
4 The Vulnerability Count Problem
5 The Malware Overlap Problem
6 The Vulnerability Lifespan Problem
7 The Binary Similarity Problem
8 The Virus Modification Problem
9 The Cyber Criminal's Dilemma Problem
10 The Security Verification Problem
Endnotes

CHAPTER 12 Cyber Future
12.1 Cybergeddon
12.2 Cybertopia
12.3 Future Technology Trends
12.4 Getting the Cyber Risk Future We Want
Endnotes

References
Index
ANDREW COBURN is senior vice president at Risk Management Solutions (RMS) and a director of the Cambridge Centre for Risk Studies, University of Cambridge. The architect of the leading cyber risk model in the insurance industry, he is coauthor of Earthquake Protection, Second Edition.

ÉIREANN LEVERETT is the founder of Concinnity Risks and a senior researcher on cyber risk at Cambridge Centre for Risk Studies. An ethical hacker, he was on the multidisciplinary team that built the first cyber risk models for insurance.

GORDON WOO is a catastrophist with RMS who helped create the conceptual framework for the RMS Cyber Accumulation Management System. An authority on cyber and insurance risk, he is the author of The Mathematics of Natural Catastrophes and Calculating Catastrophe.