How much can your company expect to lose in a large data breach? Find out based on an analysis of historical industry data.
Use the model to estimate cyber insurance coverage, communicate potential loss to the board of directors and senior management, and justify investments in security controls and incident response.
Cyber loss model for all industries
1. VivoSecurity Inc., Los Altos, CA. Email: ThomasL@VivoSecurity.com

[Image caption: Carl Friedrich Gauss, who discovered the Normal (Gaussian) distribution, which characterizes random events.]

CYBER-LOSS MODEL
Calculate Maximum Financial Loss from Data Breach

Communicate cyber-exposure to the board and senior management; calculate the value of incident response; calculate insurance adequacy and guide insurance coverage.
2. Simple Question

It is a simple question, but hard to answer: how much money will your company lose in a large data breach? The answer can inform the amount and kind of cyber insurance; it can demonstrate a strong understanding of risk to the board of directors and senior management; and it can justify investments in security controls and incident response.

A Cyber-Loss Model answers this question using factors that are predictive of the cost. The predictive factors were discovered through a rigorous statistical analysis of historical industry data breaches.

[Figure: Six experts guess at the cost of a single data breach, compared with the Cyber-Loss Model. Y-axis: Total Breach Cost (thousands), $0 to $5,000; X-axis: experts JB, DT, AA, JS, MK, RS. Expert guesses (blue bars) and expert average; model prediction (green line); actual cost (red line). Breach parameters: 220,000 affected; incident: malicious outsider; data: PII; lawsuits: 0.]

Much research shows that people are not good at estimating the impact of rare events, and large data breaches are rare events. The graph shows an example from a study conducted with Stanford University in which we asked industry experts to estimate the cost of known data breaches. Experts consistently guessed high, by an average of 2000%. By comparison, our model was within 40% on average.
3. Glossary

The Cyber-Loss Model calculates the cost of a data breach exposing custodial data. Custodial data is any PII that triggers the reporting requirements of various government agencies (in AppSec parlance, a risk to confidentiality). The model calculates Total Costs; below is a breakdown of the costs included in Total Costs.

[Figure: Costs Covered by the Cyber-Loss Model. Breach Company total costs are split into Response Costs (Investigation, Notification, Call center, Remediation) and Damage costs (Business loss, theft of money & goods; Credit monitoring & privacy insurance; Fines & settlements). The Public & Other Businesses side lists: Business Loss; Damage to personal credit; Theft of money & goods; Credit card replacement costs. Arrows labeled "Mitigate" and "Transfer via suits" connect the two sides.]

Term: Meaning
Investigation: Cost of investigating what happened in a data breach, including which data was exposed, and the cost of updating agencies on investigation progress.
Remediation: Cost of preventing future data breaches.
Notification: Legal costs of notifying various government agencies and the people affected by the data breach.
Call Center: Cost of hiring or expanding call centers to handle calls from people affected by the data breach.
Business Loss, theft of money & goods: Loss of business and customers, fraud costs, cost of goods purchased with stolen cards.
Credit Monitoring & Privacy Insurance: Cost of providing credit monitoring (such as Experian) and insurance to cover personal losses of people affected by the data breach.
Fines & Settlements: Government fines, lawsuit awards and settlements, defense costs.
4. VivoSecurity Inc, 1247 Russell Ave, Los Altos, California; Contact: ThomasL@VivoSecurity.com, (650) 919-3050

What is a Cyber-Loss Model?

The Cyber-Loss Model is essentially a complex formula that explains the variability in the cost of historical data breaches. It was trained on a large set of data breaches and tested for accuracy on a randomly selected set of validation cases. It was developed in the statistical language R using standard statistical techniques such as linear regression and Bayesian Model Averaging.

The Cyber-Loss Model is deployed as an easy-to-use Excel spreadsheet which requires a small number of variable inputs that have been found to be predictive of cost. No information is needed about a company's security posture.

What is Model Validation? The Federal Reserve has issued guidance on model risk management (SR 11-7 and SR 15-18). This guidance is intended to ensure that models are developed following sound statistical practices. Many banks have an internal validation process for establishing compliance with the Federal Reserve's guidance. Our Cyber-Loss Model complies with the Federal Reserve's guidance and can pass a bank's validation process.
5. The graphs below are a pro forma example of breach cost characterizations. Possible data breach cost is broken down by incident type and data type. The model also provides a probability distribution for the range of costs, and the probability of lawsuits.

[Figure: Model Outputs. (a) Mean Data Breach Costs (millions, $0 to $100) by Incident & Data Type. (b) Probability (0% to 100%) of Number of Lawsuits, for 0, >0, 1, 2, 3, 4 and 5 lawsuits. (c) Likelihood versus Breach Cost (millions, $0 to $25), with the 80% confidence point marked at $19.8M and the region beyond it labeled "Value of Incident Response Controls"; annotation: most companies would experience a cost of under $5M.]
6. [Figure: Probability of Breach Cost versus Breach Cost (millions, $0 to $70), with the 80% confidence and 90% confidence points marked; the region between them is labeled "10% of breaches fall here" and "Value of Incident Response".]

For a given set of parameters, the cost follows a probability distribution, with the probability declining exponentially with cost. The 80% and 90% confidence points (strictly, the 80th and 90th percentiles of the predicted cost distribution) mark the costs below which 80% and 90% of data breaches fall. The difference between the 80% and 90% points is large, and 10% of companies will experience costs that fall within this interval. This extra cost is driven primarily by incident response, and a large cost interval justifies investment in incident response activities.

[Figure: Breach costs affected by incident response: Investigation, Notification, Fines & settlements.]

Turn on logs to capture information that can speed the investigation.
Engaging a security firm early can save millions.
Engage a law firm early, negotiate costs and be prepared.
Reduce the probability of a lawsuit by engaging a law firm to review contracts and advertising promises.
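As an added illustration (not part of the original brochure, and not VivoSecurity's model), the following Python computes the quantities the slide above describes for the simplest distribution whose probability declines exponentially with cost: the 80% and 90% cost points, the width of the interval between them, and the expected cost of a breach that lands in that interval. It assumes a pure exponential distribution, which is an assumption for this example rather than the page's stated model, and it uses the $19.8M 80% point from the pro forma chart only as an illustrative input; the real model's distribution shape and parameters are not given on the page.

```python
import math


def exp_quantile(mean, p):
    """Cost below which a fraction p of breaches fall, assuming breach cost is
    exponentially distributed with the given mean (density proportional to
    exp(-cost/mean)).  This is the inverse of the CDF 1 - exp(-x/mean)."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    return -mean * math.log(1.0 - p)


def mean_from_quantile(cost, p):
    """Back out the mean of an exponential distribution from one known
    percentile, e.g. an 80% cost point read off a model output chart."""
    return cost / -math.log(1.0 - p)


def interval_between(mean, p_lo, p_hi):
    """Width of the cost interval between the p_lo and p_hi percentiles.
    For an exponential this equals mean * ln((1 - p_lo) / (1 - p_hi)), so
    the 80%-to-90% interval is always mean * ln 2, whatever the mean."""
    return exp_quantile(mean, p_hi) - exp_quantile(mean, p_lo)


def expected_cost_in_band(mean, p_lo, p_hi):
    """Expected cost of a breach given that it falls between the p_lo and
    p_hi percentiles (the '10% of breaches fall here' region when
    p_lo=0.8, p_hi=0.9).  Closed form from integrating x*exp(-x/mean)/mean
    over [a, b]:
        mean + (a*S(a) - b*S(b)) / (S(a) - S(b)),  S(x) = exp(-x/mean)."""
    a = exp_quantile(mean, p_lo)
    b = exp_quantile(mean, p_hi)
    sa = 1.0 - p_lo   # survival function S(a) = exp(-a/mean)
    sb = 1.0 - p_hi   # survival function S(b) = exp(-b/mean)
    return mean + (a * sa - b * sb) / (sa - sb)


def summarize(p_lo_cost, p_lo=0.8, p_hi=0.9):
    """Derive the headline numbers from a known p_lo cost point (in $M).
    Returns a dict so callers can tabulate or assert on the values."""
    mean = mean_from_quantile(p_lo_cost, p_lo)
    return {
        "mean": mean,
        "p_lo_cost": exp_quantile(mean, p_lo),
        "p_hi_cost": exp_quantile(mean, p_hi),
        "band_width": interval_between(mean, p_lo, p_hi),
        "band_expected_cost": expected_cost_in_band(mean, p_lo, p_hi),
    }


if __name__ == "__main__":
    # Illustrative input only: the $19.8M 80% point from the brochure's pro
    # forma chart.  The exponential shape is an assumption of this example.
    for name, value in summarize(19.8).items():
        print(f"{name:>20}: ${value:6.2f}M")
```

With the exponential assumption the 80-to-90 band is always 0.69 times the mean, and a breach that lands in it costs on average about 1.9 times the mean; with $19.8M as the 80% point that is roughly an $8.5M band with an expected in-band cost near $23.6M. Those are the numbers a practitioner would put next to an incident response budget when arguing the slide's point.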
7. What Does the Cyber-Loss Model Include?

Included: Detail
Deployment: Models are deployed as an easy-to-use Excel spreadsheet.
Training: We provide training on the use of the spreadsheet, how to think about confidence intervals, and how to guide insurance purchases.
Documentation: We provide complete model documentation in the bank's own format. [1]
Validation Support: We provide support for the bank's model validation team, including data turnover, troubleshooting R and SQL code, and discussions on modeling methodology. [1]
Quarterly Maintenance: We provide new data as it becomes available, model re-evaluation, all required validation documentation, validation team support, re-deployment, and evidence of testing. [1]

[1] Required by banks and insurance companies; not recommended for other industries.
8. Use Case

The diagram below shows the process for a typical retail bank that uses the Cyber-Loss Model in satisfying regulatory requirements. Activities need not proceed sequentially. For example, after a model owner is determined, model validation (which takes the most time) can be performed concurrently with other activities.

Evaluation: The bank receives the model as an Excel spreadsheet and performs an initial evaluation using approximate model inputs. VivoSecurity provides training on how to use the model, how to think about confidence intervals, and how to apply results to insurance purchases.

Model Owner: The owner (sponsor) of the risk model is decided. The owner might be, for example, the CFO or CRO group. The model owner might draft documents to officially sponsor the model in preparation for model validation.

Validation Support: VivoSecurity produces SR 11-7 compliant validation documentation, following the bank's format. VivoSecurity then works with the bank's validation team to support validation activities.

Data Owner: Departments are identified that will produce the validated numbers to be entered into the model. This might include creating and approving SQL to query systems and generate the numbers.

Insurance Adequacy: The model owner receives validated numbers from the data owners and performs a model-based evaluation of insurance adequacy. Considerations are documented and approved.

Adjust Insurance: Insurance coverage can be adjusted and premiums lowered using model-based arguments and historical industry data. Note that neither carriers nor brokers have models as rigorous as ours, giving the bank an advantage in negotiations.

Document: Considerations for insurance adequacy, along with validated models and evidence of insurance, are incorporated into regulator reporting documentation, e.g., FR Y-14A.
9. About VivoSecurity

VivoSecurity provides data analytics and statistical modeling to companies in the financial and high tech industries. We have been a Silicon Valley startup since 2012, with PhD-level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware, and a strong understanding of enterprise operations.

Additional Offerings

Model: Description
Peer Risk Model: Characterizes cyber risk in dollars in comparison with peers.
Probability for Fraud, personal customers: Calculates the probability of a cyber attack that leads to fraud.
Probability for Fraud, corporate customers: Calculates the probability of a cyber attack that leads to fraud.
3rd party (vendor) Risk: Calculates the risk in dollars posed by 3rd party partners.