In light of the evolving threat landscape, SECONDO has the ambition to overcome the large amount of uncertainty about: a) the scale of cyber risk to businesses, especially SMEs; b) the return on investment of managing and mitigating those risks; and c) the estimation of cyber insurance exposure and the related insurance premiums. This is primarily achieved by putting the focus on: i) resilience, meaning better detection of, and capability to handle, security events, instead of the earlier focus on near-total prevention; and ii) quantification of risks, assets and the effectiveness of the applied security controls, so that estimations can be justified rather than guessed.
SECONDO will provide new insights into the nature of next-generation security economics tools and platforms. The main innovation of SECONDO is the research and development of a data-driven platform that supports all relevant stakeholders in making optimal, risk-based and industry-specific cyber security investment decisions.
Contribution to Academia
Economics of security: Existing work in the field of economics of security has investigated various challenges related to cyber insurance, and much of it has used game-theoretic models to reason about optimal strategies. The proposed framework will offer results that inform how the trade-off between spending on securing an organisation and purchasing cyber insurance products is modelled. It will also provide a decision support tool that determines how a cyber security budget should be split between: (i) strengthening the organisation by mitigating actual cyber risks; and (ii) outsourcing residual risk to an insurer.
Additionally, the community will benefit from the project's results on the derivation of fair cyber insurance premiums. The interaction with the industrial partners will allow realistic model parameters (e.g. the payoffs of the players) to be derived, which can then be applied to other existing or future economics-of-security models.
Decision and game theory for security: The research community on decision and game theory for security will benefit from the project, too. This will happen through new theoretical results that bring together previous work in the field and the newly proposed framework. The project will leverage the interaction with industrial partners to propose how game-theoretic solutions can realistically be put into practice and make a difference in industrial environments. Thus, the outcomes of this project will be able to influence existing game-theoretic work, inspire new publications, and help grow the number of researchers working in this field.
Wider industrial benefits and contribution to SECONDO industrial beneficiaries
It is anticipated that the project will benefit the following groups: (i) SMEs: companies that, according to many reports, are typically less well protected than large firms. Statistics show that SMEs are reluctant to acquire cyber insurance, mainly because of the cost; (ii) Large organisations: organisations that usually do as much as they can (e.g. spending large amounts of money) to achieve a high level of cyber security; (iii) Cyber insurers: companies that offer insurance products used to protect businesses and individual users from Internet-based risks and, more generally, from risks relating to ICT infrastructure and activities; (iv) Cyber security professionals, managers and business consultants: those who have to decide how to allocate a cyber security budget to defend an organisation's assets.
Wider EU and global economical and societal impact
Currently, much effort is being made at European and global level to establish economics of security as a major field of research that empowers users and organisations to improve their security postures. To this end, SECONDO will provide a platform that contributes to mitigating cyber security risks both by investing in cyber security and by outsourcing residual risks. In turn, this will facilitate a more efficient and straightforward way of complying with GDPR throughout EU countries.
Regarding economic impacts, both SMEs and large organisations will be able to mitigate cyber risk through economically viable and effective cyber security solutions. They will also be able to replace expensive consultancy on cyber security strategies and investments with the SECONDO platform and the knowledge acquired from the project outcomes. Furthermore, the project results will help businesses offer their customers higher levels of security, making their services more attractive than before and thereby expanding their customer base. SMEs in particular will: (i) improve the trust of end users in their services and products; and (ii) increase their innovation within the EU, as higher levels of security mean lower expected losses, such as from intellectual property theft, which has caused significant losses in the past.
Cyber insurers will also benefit from the results of the project by offering cyber insurance contracts with more affordable premiums, thus attracting more clients. Regarding societal impacts, the results of the project are envisaged to reduce the attack surface by minimising cyber security risks, thereby assuring higher levels of cyber security for EU society as a whole, which depends on large organisations. Fair premiums are also expected to increase the number of organisations that satisfy the minimum requirements set by insurers in order to be eligible for those premiums, leading to more trustworthy services for citizens. More affordable premiums may also encourage individuals to insure the value of their personal data and to implement basic cyber security controls to protect it.
Apart from increasing the security of businesses, SECONDO will improve the communication of ideas and proposals between a security manager and the board of directors when it comes to investing in cyber security controls and cyber insurance. This will be achieved through the rigorous and structured model offered by SECONDO, which can play a key role in bridging the knowledge gap between technical managers and business directors. That gap is a prominent challenge when taking financial decisions on how to allocate cyber security budgets.