Efficient cyber risk decision making with artificial intelligence

A recent survey among risk managers in the finance industry shows that cyber risk is ranked at the top as the main risk, ahead of regulation and geopolitical risks. The IMF (International Monetary Fund) estimates annual cyber attack losses at 9% of banks’ net income globally ($100 billion), or as much as $350 billion in a worst-case scenario. Christine Lagarde, Managing Director of the IMF, states in a recent post (https://www.linkedin.com/pulse/estimating-cyber-risk-financial-sector-christine-lagarde/) “Scenario analysis could be used to develop a comprehensive assessment of how cyber-attacks could spread…” as a way forward.

What the IMF is looking for is quantitative, automated cyber risk assessment. One reason Christine Lagarde is asking for this as a solution is that cyber risk management today is mainly a manual task relying heavily on scarce and expensive expertise that can only assess limited parts of a complex cyber infrastructure. What is needed instead, for the approach to be useful in practice, is threat modeling and attack simulation based on large amounts of real data, using artificial intelligence (AI) to calculate quantifiable risks.

securiCAD by foreseeti is a threat modeling and attack simulation tool for managing cyber risk. The tool uses AI techniques such as Bayesian inference to quantitatively calculate an organization’s cyber risks, based on data collected over many years through various studies, including penetration tests and expert judgments. The approach employed in securiCAD has been validated using Turing tests with experts on several occasions. The tool is also currently used in numerous commercial projects.

A typical example is a new IT change project designing the to-be architecture that is to be implemented. The system architecture can then be analyzed quantitatively and automatically in terms of IT risks. Risks can thus be handled and minimized in the design phase, before the project starts implementing the new system, which is an efficient way of not only minimizing risk but also saving costs.

Besides the design case, securiCAD can also use existing data, e.g. from network scans and firewall rules, to automatically populate the as-is architecture, thereby revealing cyber risks that have previously gone unnoticed. With this as-is model, architects can try out which future to-be scenario best removes the risks found.
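To make the as-is versus to-be comparison concrete, here is an added illustrative example (not securiCAD’s code or model, and not the author’s) of probabilistic attack simulation over a constructed toy architecture. Each directed edge is an attack step with an assumed probability that a capable attacker completes it; the attacker starts on the internet and the asset of interest is the database server. The script computes the probability of compromise exactly by enumerating step outcomes (feasible only for tiny models) and by Monte Carlo sampling, then compares the as-is flat network with two hypothetical to-be scenarios: a firewall rule that segments the web tier from the database, and hardening of the public web server. All hosts, edges and probabilities are made up for the example.

```python
import itertools
import random
from collections import deque

# Constructed toy architecture (assumption, not a securiCAD model): each key is an
# attack step (from_host, to_host), each value the assumed success probability.
AS_IS_EDGES = {
    ("internet", "webserver"): 0.5,   # exploit the public web application
    ("webserver", "appserver"): 0.6,  # pivot over an internal service
    ("webserver", "dbserver"): 0.3,   # flat network: web tier reaches the DB directly
    ("appserver", "dbserver"): 0.7,   # application credentials reach the database
}


def reachable(edges_present, source, target):
    """BFS over the attack steps that succeeded in one sampled world."""
    adjacency = {}
    for src, dst in edges_present:
        adjacency.setdefault(src, []).append(dst)
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def exact_compromise_probability(edges, source, target):
    """Enumerate every combination of step outcomes (2^|E| worlds), weight each
    world by its probability and sum those in which the target is reached."""
    items = list(edges.items())
    total = 0.0
    for outcomes in itertools.product([False, True], repeat=len(items)):
        weight = 1.0
        present = []
        for (edge, p), succeeded in zip(items, outcomes):
            weight *= p if succeeded else (1.0 - p)
            if succeeded:
                present.append(edge)
        if reachable(present, source, target):
            total += weight
    return total


def simulate_compromise_probability(edges, source, target, trials=20000, seed=1):
    """Monte Carlo attack simulation: sample every step independently per trial.
    Scales to models where exhaustive enumeration does not."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        present = [edge for edge, p in edges.items() if rng.random() < p]
        if reachable(present, source, target):
            hits += 1
    return hits / trials


def to_be_segmented(edges):
    """Hypothetical to-be scenario A: a firewall rule removes direct web-to-DB access."""
    new = dict(edges)
    del new[("webserver", "dbserver")]
    return new


def to_be_hardened_web(edges, p=0.3):
    """Hypothetical to-be scenario B: patching lowers the entry-step probability."""
    new = dict(edges)
    new[("internet", "webserver")] = p
    return new


def compare_scenarios(source="internet", target="dbserver"):
    """Exact compromise probability of the target for as-is and both to-be models."""
    scenarios = {
        "as-is": AS_IS_EDGES,
        "segmented": to_be_segmented(AS_IS_EDGES),
        "hardened-web": to_be_hardened_web(AS_IS_EDGES),
    }
    return {name: exact_compromise_probability(e, source, target)
            for name, e in scenarios.items()}


if __name__ == "__main__":
    for name, prob in compare_scenarios().items():
        print(f"{name:13s} P(dbserver compromised) = {prob:.4f}")
    estimate = simulate_compromise_probability(AS_IS_EDGES, "internet", "dbserver")
    print(f"monte carlo   as-is estimate           = {estimate:.4f}")
```

With these assumed probabilities the as-is model gives 0.297, segmentation lowers it to 0.21 and hardening the entry point to 0.1782, so the decision maker can rank candidate changes by their effect on a quantified risk rather than by intuition. In a real assessment the step probabilities would come from collected data such as penetration test results and expert judgment, and the step graph from the network scans and firewall rules the text mentions; independence between steps is a simplifying assumption of this example.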

Robert Lagerström, Associate Professor in Software Systems Architecture & Security, KTH & foreseeti
