Research Affiliate Cybersecurity, MIT Sloan (CAMS), Managing Director, Disem Institute
Principal Research Scientist and Director, MIT CAMS
Head of Governance and Trust, Centre for Cybersecurity, World Economic Forum
This article is part of: Centre for Cybersecurity
Companies’ cybersecurity and resilience are increasingly scrutinized by investors and regulators.
The World Economic Forum’s Cyber Risk Principles help drive cyber resilience across industries.
Simulation-aided research from MIT CAMS shows that commitment to and adoption of the World Economic Forum’s Cyber Risk Principles significantly improves cyber resilience.
Results also show that, contrary to expectations, commitment to these cyber risk principles does not raise costs.
Unprecedented digitalization in our society has pushed many business leaders and executives to understand how they can adequately assess and govern cyber risk. Governing cyber risk is a holistic process aiming to improve organizational cyber resilience. In this context, governments define cyber resilience obligations, designate critical infrastructure that requires mandatory protection and help investors better compare their companies’ cyber efforts.
Successfully managing cyber resilience is necessary as organizations and executives face fines and other serious consequences. Potential repercussions mean board members must understand cyber risks and the best ways to mitigate them.
This is easier said than done. Ninety-three percent of companies are confident in their best practices mitigating cyber risks, while 57% expect to be hit by a cyber attack. Unfortunately, only half of these organizations have implemented suitable cyber measures.
Driving cross-industry cyber resilience
In 2021, the World Economic Forum and its partners, with the National Association of Corporate Directors (NACD), Internet Security Alliance (ISA) and PwC, published the Principles for Board Governance of Cyber Risk (the Forum’s Cyber Risk Principles), critical to driving resilience across industries. This guidance (initially developed for corporate boards of directors) is summarized in six principles:
Recognize that cybersecurity is a strategic business enabler.
Understand the economic drivers and impact of cyber risk.
Align cyber risk management with business needs.
Ensure organizational design supports cybersecurity.
Incorporate cybersecurity expertise into board governance.
Encourage systemic resilience and collaboration.
The principle represents a significantly different approach to resilience compared to how organizations delegate cyber security to IT, have a misplaced perception of the strategic nature of cyber risk and keep breaches under wrap.
A misplaced perception of the strategic nature of cyber risks can have enormous consequences. For instance, software company Kasaye experienced a ransomware attack in July 2021, which caused the postponement of their planned initial public offering (IPO) until further notice, leading them to fail to raise an estimated $875 million. Moreover, SolarWinds, breached in 2019, had specific advertising techniques to display their commercial success stories of high-profile customers, ultimately providing a “shopping list” for the adversary.
Understanding through simulation
With cyber risk a vital issue on leaders’ agendas, MIT CAMS has developed a method to improve leaders’ abilities to foresee and manage cyber risks. This technology, referred to as a cyber risk dashboard, is grounded in control theory and system dynamics and is built on significant research in the field, including interviews with chief information security officers (CISOs). It has been validated over the years at a Fortune 500 company by analyzing a wide range of strategic cyber risk challenges.
The dashboard closely mimics the cyber risk decision-making ecosystem. It considers current defence posture and development of attack tactics, emerging cyber incidents and changing organizations in terms of people, processes and technology. The cyber risk dashboard provides the means to make projections according to the performance indicators of an organization’s cybersecurity strategy. This work can be easily adapted for other strategic analyses. MIT CAMs used a simulation added approach to understand organizational behavior when adapting the Forum’s Cyber Risk Principles.
The use of personas – artificial decision-makers profiles with specific characteristics that drive their cyber risk management strategy – is a scientifically grounded approach to exploring the behavioural side of cyber risk management. Using the personas of different organizations to drive strategic decision-making, this simulation technology can foresee the future impact of their strategy. In this analysis, we also reuse data from our anonymized case study at a Fortune-500 company called Smart Wealth Management Inc. As such, we recognize:
The cyber-conscious CEO (CC-CEO)
This CEO might be aware of the principles but has yet to adopt them (yet). This CEO focuses on reasonable compliance with security standards and controls security costs. Increasing workload and lack of security resources drives a more reactive approach to cyber risk.
The WEF-resilient CEO (WEF-CEO)
This CEO is cyber-conscious but has gone further by adopting the Forum’s Cyber Risk Principles to foster resilience. He or she may be a signatory to the Forum’s Cyber Resilience Pledge. This CEO has a proactive and anticipatory approach to threats, knows how their technology drives their business and focuses on maintaining business performance and cyber risk cost predictions.
Strategic awareness fosters cyber resilience
We observe a significant difference when comparing the strength of defence posture represented by the number of security incidents/compromised assets. The CEO who follows the Forum’s Cyber Risk Principles (the WEF-CEO) is predicted to have up to 85% fewer cyber incidents (see Figure 1) compared to the CC-CEO.
Figure 1. Cumulative incidents over 60 months for cyber risk management strategy of the CC-CEO and the WEF-CEO. Image: MIT CAMS
The cyber risk efforts and task prioritization of the WEF-CEO allows early intervention that limits adversarial behaviour, whereas the CC-CEO’s team often responds slower, which ultimately benefits the adversary.
Similar insights can be observed in the risk profile (see Figure 2) regarding a frequency distribution of potential cyber incident occurrence in favour of the WEF-CEO, mainly when vast numbers of cyber incidents may require the IT teams to help the security teams. These situations, known as spill-over effects, require IT task reprioritization, usually at the expense of IT project delivery.
Figure 2. Cyber risk profile is based on the distribution of potential security incidents occurrence over 60 months for cyber risk management strategy of the CC-CEO and the WEF-CEO. Sensitivity analysis is performed with a 95% certainty range. Adopting the Forum’s Cyber Risk Principles demonstrates that individual organizations can significantly improve their cyber resilience without raising costs. Image: MIT CAMS
A resilient approach does not raise costs
The WEF-CEO likely has lower costs than the CC-CEO (see Figure 3). The major difference between these two scenarios is in the allocation of task priorities and cyber risk efforts of the security staff. The CC-CEO has ongoing efforts that require additional staff resources to support response and recovery processes, execute post-mortem research and adjust and improve security capabilities accordingly. The WEF-CEO-implemented security by design has an ongoing proactive capability adjustment and improvement (including continuous automation) and has implemented regular board-level cyber risk dashboarding and reporting.
Figure 3. Resourcing (FTE) 60 months for cyber risk management strategy of the CC- CEO and the WEF-CEO. Image: MIT CAMS
Adopting the Forum’s Cyber Risk Principles demonstrates that individual organizations can significantly improve their cyber resilience without raising costs. In these simulations, adopting the principles proved valuable. In practice, interconnectedness and connectivity between organizations introduces new interdependencies, which will be explored through further research and simulations. The current findings in themselves, however, make a strong case for organizations to adopt the Forum’s Cyber Risk Principles.
MIT’s work is co-funded by Fondo Europeo di Sviluppo Regionale Puglia POR Puglia 2014 – 2020 – Asse I – Obiettivo specifico 1a – Azione 1.1 (RS) – Titolo Progetto: Suite prodotti Cybersecurity e SOC and BV TECH S.p.A. and co-funded by Cybersecurity at MIT Sloan (CAMS).
License and Republishing
The views expressed in this article are those of the author alone and not the World Economic Forum.