Mind the Gap: Securely modeling cyber risk based on security deviations from a peer group

• URL: http://arxiv.org/abs/2402.04166v1
• Date: Tue, 6 Feb 2024 17:22:45 GMT
• Title: Mind the Gap: Securely modeling cyber risk based on security deviations from a peer group
• Authors: Taylor Reynolds, Sarah Scheffler, Daniel J. Weitzner, Angelina Wu
• Abstract summary: This paper proposes a new framework for cyber posture against peers and estimating cyber risk within specific economic sectors. We introduce a new top-line variable called the Defense Gap Index representing the weighted security gap between an organization and its peers. We apply this approach in a specific sector using data collected from 25 large firms.
• Score: 2.7910505923792646
• License: http://creativecommons.org/licenses/by-nc-nd/4.0/
• Abstract: There are two strategic and longstanding questions about cyber risk that organizations largely have been unable to answer: What is an organization's estimated risk exposure and how does its security compare with peers? Answering both requires industry-wide data on security posture, incidents, and losses that, until recently, have been too sensitive for organizations to share. Now, privacy enhancing technologies (PETs) such as cryptographic computing can enable the secure computation of aggregate cyber risk metrics from a peer group of organizations while leaving sensitive input data undisclosed. As these new aggregate data become available, analysts need ways to integrate them into cyber risk models that can produce more reliable risk assessments and allow comparison to a peer group. This paper proposes a new framework for benchmarking cyber posture against peers and estimating cyber risk within specific economic sectors using the new variables emerging from secure computations. We introduce a new top-line variable called the Defense Gap Index representing the weighted security gap between an organization and its peers that can be used to forecast an organization's own security risk based on historical industry data. We apply this approach in a specific sector using data collected from 25 large firms, in partnership with an industry ISAO, to build an industry risk model and provide tools back to participants to estimate their own risk exposure and privately compare their security posture with their peers.

Related papers

• SecCodePLT: A Unified Platform for Evaluating the Security of Code GenAI [47.11178028457252]
  We develop SecCodePLT, a unified and comprehensive evaluation platform for code GenAIs' risks. For insecure code, we introduce a new methodology for data creation that combines experts with automatic generation. For cyberattack helpfulness, we construct samples to prompt a model to generate actual attacks, along with dynamic metrics in our environment.
  arXiv  Detail & Related papers  (2024-10-14T21:17:22Z)
• Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications [0.0]
  We argue in favour of switching the attention from goodness-of-fit and in-sample performance, to focusing on the out-of sample forecasting performance. Our results indicate that business motivated cyber risk classifications appear to be too restrictive and not flexible enough to capture the heterogeneity of cyber risk events.
  arXiv  Detail & Related papers  (2024-10-04T04:12:34Z)
• Cross-Modality Safety Alignment [73.8765529028288]
  We introduce a novel safety alignment challenge called Safe Inputs but Unsafe Output (SIUO) to evaluate cross-modality safety alignment. To empirically investigate this problem, we developed the SIUO, a cross-modality benchmark encompassing 9 critical safety domains, such as self-harm, illegal activities, and privacy violations. Our findings reveal substantial safety vulnerabilities in both closed- and open-source LVLMs, underscoring the inadequacy of current models to reliably interpret and respond to complex, real-world scenarios.
  arXiv  Detail & Related papers  (2024-06-21T16:14:15Z)
• A Safe Harbor for AI Evaluation and Red Teaming [124.89885800509505]
  Some researchers fear that conducting such research or releasing their findings will result in account suspensions or legal reprisal. We propose that major AI developers commit to providing a legal and technical safe harbor. We believe these commitments are a necessary step towards more inclusive and unimpeded community efforts to tackle the risks of generative AI.
  arXiv  Detail & Related papers  (2024-03-07T20:55:08Z)
• Municipal cyber risk modeling using cryptographic computing to inform cyber policymaking [0.5872014229110214]
  Using data from 83 municipalities, we build data-driven cyber risk models and cyber security benchmarks for municipalities. We produce benchmarks of the security posture in a sector, the frequency of cyber incidents, forecasted annual losses for organizations based on their defensive posture. These newly derived risk measures highlight the need for continuous measured improvement of cybersecurity readiness.
  arXiv  Detail & Related papers  (2024-02-01T20:45:20Z)
• A Counterfactual Safety Margin Perspective on the Scoring of Autonomous Vehicles' Riskiness [52.27309191283943]
  This paper presents a data-driven framework for assessing the risk of different AVs' behaviors. We propose the notion of counterfactual safety margin, which represents the minimum deviation from nominal behavior that could cause a collision.
  arXiv  Detail & Related papers  (2023-08-02T09:48:08Z)
• RCVaR: an Economic Approach to Estimate Cyberattacks Costs using Data from Industry Reports [8.45831177335402]
  This article introduces the Real Cyber Value at Risk (RCVaR), an economical approach for estimating cybersecurity costs. RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate specific cyberattacks costs for companies.
  arXiv  Detail & Related papers  (2023-07-20T17:52:47Z)
• A robust statistical framework for cyber-vulnerability prioritisation under partial information in threat intelligence [0.0]
  This work introduces a robust statistical framework for quantitative and qualitative reasoning under uncertainty about cyber-vulnerabilities. We identify a novel accuracy measure suited for rank in variance under partial knowledge of the whole set of existing vulnerabilities. We discuss the implications of partial knowledge about cyber-vulnerabilities on threat intelligence and decision-making in operational scenarios.
  arXiv  Detail & Related papers  (2023-02-16T15:05:43Z)
• Adverse Media Mining for KYC and ESG Compliance [2.381399746981591]
  Adverse media or negative news screening is crucial for the identification of such non-financial risks. We present an automated system to conduct both real-time and batch search of adverse media for users' queries. Our scalable, machine-learning driven approach to high-precision, adverse news filtering is based on four perspectives.
  arXiv  Detail & Related papers  (2021-10-22T01:04:16Z)
• PCAL: A Privacy-preserving Intelligent Credit Risk Modeling Framework Based on Adversarial Learning [111.19576084222345]
  This paper proposes a framework of Privacy-preserving Credit risk modeling based on Adversarial Learning (PCAL) PCAL aims to mask the private information inside the original dataset, while maintaining the important utility information for the target prediction task performance. Results indicate that PCAL can learn an effective, privacy-free representation from user data, providing a solid foundation towards privacy-preserving machine learning for credit risk analysis.
  arXiv  Detail & Related papers  (2020-10-06T07:04:59Z)
• Epidemic mitigation by statistical inference from contact tracing data [61.04165571425021]
  We develop Bayesian inference methods to estimate the risk that an individual is infected. We propose to use probabilistic risk estimation in order to optimize testing and quarantining strategies for the control of an epidemic. Our approaches translate into fully distributed algorithms that only require communication between individuals who have recently been in contact.
  arXiv  Detail & Related papers  (2020-09-20T12:24:45Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.