Researchers at the Critical Infrastructure Resilience Institute, a Department of Homeland Security Center of Excellence, have developed a new software tool that will provide an assessment of a company’s cyber security risk based on the company’s IT infrastructure. The new tool can be applied to many fields, particularly the ballooning $2.75 billion cyberinsurance market, which currently lacks a technological approach to analyzing the cyber risks of potential policy holders and pricing policies accordingly.
The Cyber Risk Scoring and Mitigation (CRISM) tool measures the security capabilities of the software and hardware that comprise a company’s cloud IT infrastructure. By deploying this tool, insurers will be able to improve risk assessment and create individualized insurance policies tailored to cover cyber losses.
CRISM would give insurers a more technologically grounded approach to underwriting cyberinsurance policies than the one used today. Insurers currently determine policy pricing using written questionnaires and interviews with the company seeking cyber insurance, an approach that does not include a hands-on evaluation of the company’s specific IT systems, says CIRI researcher Jay Kesan.
“There is a real lack of sophisticated risk assessment tools and analytical techniques designed to assess risk and incentivize higher investments in cyber security, while imposing stiffer pricing on companies with riskier profiles,” said Kesan, a professor of law and engineering at the University of Illinois at Urbana-Champaign. “Right now there’s not much analysis of how vulnerable a company’s IT systems actually are.”
With cyber crimes expected to cost companies $2.1 trillion globally each year, according to a recent Forbes article, companies will seek to mitigate their cyber risk through better vulnerability assessments, looking to transfer some of their financial risks through cyber insurance policies. Insurance companies, in turn, will want better risk assessment tools to help them calibrate their underwriting risks and to responsibly price cyber insurance policies.
CRISM is built on a platform optimized for vulnerability detection, attack graph analysis, and risk assessment. The platform can be adapted for diverse network configurations and dynamic scaling cloud environments. The tool also provides options to choose among several risk assessment models for generating, analyzing, and evaluating attack paths based on security requirements and cloud service configuration.
In addition, it leverages risk scores from vulnerability databases and intelligence feeds, network vulnerability tests, automatic attack graph generation, and attack graph modeling techniques. The tool provides quantitative risk assessment and categorizes attack paths based on their impact on cloud services. It also illustrates the security risk scores via different visual metaphors that allow practitioners to process information at several levels of granularity.
“We want to know how an attacker could compromise one of the services and what is the propensity of an attack propagation,” said Sachin Shetty, a CIRI researcher and associate professor in the Virginia Modeling, Analysis and Simulation Center at Old Dominion University. “We take all the information and create an attack graph, which shows any pathway that attackers could exploit.”
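As an added example (not CRISM's code, which the article does not show), the following sketches the kind of attack-graph risk scoring the article describes: a constructed four-service cloud topology, placeholder vulnerability identifiers with feed-style 0-10 scores, enumeration of the paths an attacker could propagate along, and categorization of each path by the impact of the service it reaches. All service names, scores and the likelihood formula are assumptions made for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample data: each cloud service lists the vulnerabilities it carries
# and the business impact (1-10) of its compromise. Scores mimic the 0-10 base
# scores a vulnerability feed supplies; the identifiers are placeholders, not CVEs.
VULN_SCORES = {"VULN-WEB-1": 7.5, "VULN-API-1": 9.8, "VULN-DB-1": 8.0}
SERVICES = {
    "internet": {"vulns": [], "impact": 0},
    "web": {"vulns": ["VULN-WEB-1"], "impact": 4},
    "api": {"vulns": ["VULN-API-1"], "impact": 6},
    "db": {"vulns": ["VULN-DB-1"], "impact": 10},
    "backup": {"vulns": [], "impact": 8},  # no known weakness: not an attack path
}
# Network reachability between services (security groups / routes) as a directed graph.
REACH = {"internet": ["web"], "web": ["api"], "api": ["db", "backup"], "db": [], "backup": []}

def attack_paths(start: str) -> List[List[str]]:
    """Enumerate simple paths from `start` in which every hop is an exploitable service."""
    paths: List[List[str]] = []
    def walk(node: str, path: List[str]) -> None:
        for nxt in REACH[node]:
            if nxt in path or not SERVICES[nxt]["vulns"]:
                continue  # skip cycles and services with no exploitable weakness
            new = path + [nxt]
            paths.append(new)
            walk(nxt, new)
    walk(start, [start])
    return paths

def path_risk(path: List[str]) -> Tuple[float, str]:
    """Assumed model: likelihood is the product of per-hop exploit probabilities
    (highest vuln score on that service / 10); risk = likelihood * impact of the
    final service. Returns (risk, impact category of the path's endpoint)."""
    likelihood = 1.0
    for svc in path[1:]:
        likelihood *= max(VULN_SCORES[v] for v in SERVICES[svc]["vulns"]) / 10
    impact = SERVICES[path[-1]]["impact"]
    category = "high" if impact >= 8 else "medium" if impact >= 5 else "low"
    return round(likelihood * impact, 3), category

def score_infrastructure(start: str = "internet") -> Dict[str, float]:
    """Per-service risk is the riskiest path reaching it; 'overall' is the maximum."""
    scores: Dict[str, float] = {}
    for p in attack_paths(start):
        risk, _ = path_risk(p)
        scores[p[-1]] = max(scores.get(p[-1], 0.0), risk)
    scores["overall"] = max(scores.values(), default=0.0)
    return scores
```

The output ranks the database as the riskiest endpoint despite being three hops deep, which is the kind of propagation-aware view the article contrasts with questionnaire-based assessment.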
The next step is continuing to make the model more realistic. The greatest challenge in achieving that goal is overcoming companies’ inherent desire to keep their network configurations and data private, Kesan said.
“Creating an information-sharing framework is extremely crucial,” he said. “We need significantly more detailed cyber incident data to create an effective technological risk assessment tool. If we can provide superior information to a company about the vulnerabilities in their IT systems, they may be able to reconfigure their systems, update their software and hardware, and add more powerful intrusion detection systems. In the end, that will save everyone money.”
In addition to CRISM, CIRI researchers have also developed a new tool – the NIST Cyber Security Framework Dashboard – that simplifies the process of implementing the demanding cyber security risk management process outlined in the NIST Cyber Security Framework (the Framework). By making it easier for companies of all sizes and in all sectors to adopt and implement the Framework’s standardized cyber risk management process, the Dashboard promises not only to improve the cyber security and resilience of our Nation’s critical infrastructure, but also to provide a standardized metric for insurance companies to evaluate the risk management maturity of potential policy holders.