Countermeasure Portfolio Management of Silent Cyber Risks for Suitable Return of Investment
Abstract
In recent years, with the continuing development of the Internet of Things (IoT), a huge number of devices are connected to networks and used for diverse purposes. Because risks in cyberspace are now linked to physical space, the IoT can turn cyber risks into actual property damage. As unknown cyber risks increase, so does the demand for cyber insurance. One of the most serious emerging risks is silent cyber risk, and it is only likely to grow in the future; at present, however, security countermeasures against silent cyber risk are insufficient. In this paper, we propose countermeasure portfolio management of silent cyber risk for organizations, with the objective of contributing to the development of risk management methods against new cyber risks. Specifically, we modeled silent cyber risk by focusing on state transitions to different risks. We newly defined two types of silent cyber risk, Alteration risk and Combination risk, and conducted a risk assessment that identified 23 risk factors. After analyzing them, we found that all were classified as Risk Transference. We clarified that the most effective risk countermeasure for Alteration risk was insurance, and for Combination risk it was countermeasures that reduce the impact of the risk factors themselves. Our evaluation showed that silent cyber risk could be reduced by about 50%, demonstrating the effectiveness of the proposed countermeasures. We also investigated the risk assessment results for silent cyber risk from an operational perspective: applying portfolio management based on the return on investment of risk countermeasures for silent cyber risks, we found that proactive countermeasures tended to have higher priority.
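The abstract describes ranking countermeasures by return on investment and selecting a portfolio of them. The script below is an added illustration of that general approach (a ROSI-style ranking with a greedy budget-constrained selection) and is not the paper's own model, risk factors, or data. The risk factors, countermeasures, costs, mitigation fractions and budget are all constructed for the example; the distinction between proactive (probability-reducing) and reactive (impact-reducing or loss-transferring) measures is an assumed labelling, and the result that proactive measures rank first here follows only from these constructed numbers.

```python
"""ROI-based prioritization of risk countermeasures (ROSI-style ranking).

Added example, not the paper's method or data. All figures below are
constructed: annual probabilities, loss per occurrence, annual costs and
mitigation fractions are illustrative values in arbitrary monetary units.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFactor:
    name: str
    probability: float  # assumed annual likelihood, 0..1
    impact: float       # assumed expected loss per occurrence

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = probability x impact."""
        return self.probability * self.impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    proactive: bool       # assumed label: True = reduces likelihood before an event
    mitigation: dict      # risk factor name -> fractional ALE reduction, 0..1


# Constructed risk register: two "transition" style risks and one ordinary risk.
RISKS = [
    RiskFactor("alteration: ransomware halts plant", 0.10, 2_000_000),
    RiskFactor("combination: firmware tamper plus physical damage", 0.05, 3_000_000),
    RiskFactor("data breach", 0.20, 500_000),
]

# Constructed countermeasure catalogue.
MEASURES = [
    Countermeasure("cyber insurance", 60_000, False,
                   {"alteration: ransomware halts plant": 0.7, "data breach": 0.5}),
    Countermeasure("network segmentation", 40_000, True,
                   {"alteration: ransomware halts plant": 0.5,
                    "combination: firmware tamper plus physical damage": 0.4}),
    Countermeasure("firmware signing and attestation", 30_000, True,
                   {"combination: firmware tamper plus physical damage": 0.6}),
    Countermeasure("backup and restore drills", 25_000, False,
                   {"alteration: ransomware halts plant": 0.3}),
    Countermeasure("SOC monitoring", 120_000, False,
                   {"alteration: ransomware halts plant": 0.2,
                    "combination: firmware tamper plus physical damage": 0.2,
                    "data breach": 0.3}),
]


def total_ale(risks) -> float:
    return sum(r.ale for r in risks)


def residual_ale(risks, measures) -> float:
    """ALE after applying measures; reductions on one factor compound multiplicatively."""
    total = 0.0
    for r in risks:
        remaining = 1.0
        for m in measures:
            remaining *= 1.0 - m.mitigation.get(r.name, 0.0)
        total += r.ale * remaining
    return total


def rosi(risks, measure) -> float:
    """Return on security investment of one measure applied alone:
    (ALE reduction - annual cost) / annual cost."""
    reduction = total_ale(risks) - residual_ale(risks, [measure])
    return (reduction - measure.annual_cost) / measure.annual_cost


def rank_by_rosi(risks, measures):
    """Highest ROSI first; this is the priority order for the portfolio."""
    return sorted(measures, key=lambda m: rosi(risks, m), reverse=True)


def select_under_budget(risks, measures, budget):
    """Greedy portfolio: walk the ROSI ranking, keep a measure only if it fits the
    budget and its marginal ALE reduction (given what is already chosen) exceeds
    its cost. The marginal check matters because overlapping measures on the same
    factor give diminishing returns."""
    chosen, spent = [], 0.0
    for m in rank_by_rosi(risks, measures):
        if spent + m.annual_cost > budget:
            continue
        gain = residual_ale(risks, chosen) - residual_ale(risks, chosen + [m])
        if gain > m.annual_cost:
            chosen.append(m)
            spent += m.annual_cost
    return chosen


def reduction_fraction(risks, chosen) -> float:
    """Share of the baseline ALE removed by the chosen portfolio."""
    return 1.0 - residual_ale(risks, chosen) / total_ale(risks)


if __name__ == "__main__":
    for m in rank_by_rosi(RISKS, MEASURES):
        kind = "proactive" if m.proactive else "reactive"
        print(f"{m.name:34s} {kind:9s} ROSI={rosi(RISKS, m):+.2f}")
    portfolio = select_under_budget(RISKS, MEASURES, budget=100_000)
    print("chosen:", [m.name for m in portfolio])
    print(f"residual ALE {residual_ale(RISKS, portfolio):,.0f} "
          f"({reduction_fraction(RISKS, portfolio):.0%} reduction)")
```

With the constructed figures, the two proactive measures do not both make the cut: network segmentation ranks first, insurance second, and the 100,000 budget is exhausted before firmware signing can be added. Changing any mitigation fraction or cost reorders the list, which is the point of running the ranking rather than reasoning about it by hand.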