Cyber Risk from IoT Devices and Networks

Petar Radanliev
July 23, 2020


Cyber risk and its associated economic impact are growing with the integration of artificial intelligence (AI) in human-computer interactions, as connected devices reach into more aspects of modern life, including banking, finance, and insurance. Cyber-attacks are increasing in frequency, and the severity of future attacks could be much greater than what has been observed to date. The critical question is how sufficient our current cybersecurity is to safeguard against such cyber risk.

The growth of artificial intelligence in human-computer interactions can also expose risks and vulnerabilities at the edge (IoT) of the network. A new assessment is required for detecting and reducing the new types of cybersecurity threats and for simplifying compliance with internal, industry, and government regulations. One solution for protecting the edge is to integrate AI into the data collection and analytics of risk through fog computing for predictive outputs. While new cybersecurity is constantly being developed (e.g. ISO 3000), probabilistic data for risk analytics is not collected at the edge. Calculating cyber risks at the edge creates a new role for AI in cyber risk analytics, one based on confidence intervals and time-bound ranges. This would protect data integrity while securing predictive analytic outputs and integrating solutions into these new types of fog computing cybersecurity.

What Makes It Difficult to Quantify Risk from the IoT

The challenge in quantifying cyber risk from the IoT emerges from the complexity, pervasiveness, and automation of IoT technology[1]. Existing risk quantification approaches are not designed to calculate risk for such highly connected systems, which leaves many IoT cyber risks invisible in the risk assessment process. Adding to this, IoT devices often have no mechanism for reporting attempted hacks. Systems such as connected printers or conference room systems are increasingly at risk because of newly connected devices (e.g. smart lights or smart locks). Such risk can be reduced by connecting and authenticating the devices through the cloud, but that would trigger additional costs for the companies. Without quantification of the potential impact, companies could be reluctant to take on additional costs (e.g. cloud connection and authentication). This creates a direct link between quantification of impact and willingness to invest in cybersecurity. There are existing methods for cyber risk assessment[2], and there are methods for cyber risk analytics[3], but there are no cyber risk impact assessment models that use networks as sensors for real-time intelligence and predictive analytic outputs. Integrating real-time dynamic probabilistic data could enable predictive intelligence. A new AI-enhanced method for cyber risk analytics, integrated into the data collection and analytics of cyber risk assessment, could enable dynamic risk assessment, while probabilistic data on risk frequency and magnitude would enable an understanding of risk exposure.
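The "confidence intervals and time-bound ranges" that the two passages above call for can be illustrated with a small model. The following is an added example, not code from the article or from any of the frameworks it cites: event counts collected at the edge (here a constructed series of daily blocked authentication attempts across a fleet of connected printers) are folded into a Gamma-Poisson estimate of the threat event rate. The closed-form conjugate update means each new batch refines the estimate without recomputing from scratch, and the credible interval narrows as more data arrives, which is the dynamic, time-bound view of frequency that the text describes. The prior, the counts and the `RateEstimate` class are all assumptions made for the example.

```python
"""
Added example (not part of the original article): a dynamic, time-bound
estimate of threat event frequency from event counts collected at the edge.

Model (assumption): events per device-day follow a Poisson process with an
unknown rate; a Gamma prior on that rate is updated in closed form as each
batch of counts arrives (Gamma-Poisson conjugacy).  The credible interval is
obtained by sampling the posterior, so only the standard library is needed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RateEstimate:
    alpha: float  # Gamma shape: prior pseudo-events + observed events
    beta: float   # Gamma rate: prior pseudo-exposure + observed exposure periods

    def update(self, event_counts):
        """Fold in one batch of counts; each count covers one exposure period (a day)."""
        return RateEstimate(self.alpha + sum(event_counts),
                            self.beta + len(event_counts))

    @property
    def mean(self):
        """Posterior mean events per period."""
        return self.alpha / self.beta

    def credible_interval(self, level=0.95, draws=20000, seed=1):
        """Equal-tailed credible interval from posterior samples (deterministic seed)."""
        rng = random.Random(seed)
        # random.gammavariate takes shape and *scale*, so scale = 1 / rate
        samples = sorted(rng.gammavariate(self.alpha, 1.0 / self.beta)
                         for _ in range(draws))
        lo = samples[int((1 - level) / 2 * draws)]
        hi = samples[int((1 + level) / 2 * draws) - 1]
        return lo, hi


# Constructed sample data: daily counts of blocked authentication attempts
# reported by a fleet of connected printers, one list per week.
WEEKLY_COUNTS = [
    [2, 0, 1, 3, 0, 1, 2],   # week 1: 9 events over 7 days
    [1, 2, 0, 4, 1, 0, 2],   # week 2: 10 events
    [3, 1, 2, 0, 1, 2, 1],   # week 3: 10 events
]

# Weakly informative prior: one pseudo-event over one pseudo-day (assumption).
PRIOR = RateEstimate(alpha=1.0, beta=1.0)


def track_rate(weekly_counts=WEEKLY_COUNTS, prior=PRIOR):
    """Return [(posterior_mean, lower, upper)] after each week's batch."""
    estimate, history = prior, []
    for counts in weekly_counts:
        estimate = estimate.update(counts)
        lo, hi = estimate.credible_interval()
        history.append((estimate.mean, lo, hi))
    return history


if __name__ == "__main__":
    for week, (mean, lo, hi) in enumerate(track_rate(), start=1):
        print(f"week {week}: {mean:.2f} events/day, 95% interval {lo:.2f} .. {hi:.2f}")
```

The interval width is the quantity a risk analyst would watch: a wide interval after the first batch says the frequency input to any loss model is still speculative, while a narrowing interval over subsequent batches signals when the edge data is sufficient to feed a quantitative assessment.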

Why is IoT Risk Quantification Necessary

With the current lack of standards and regulations to govern the compliance process, the risk from IoT devices is becoming a liability. In legal terms, companies are required to take reasonable precautions to protect personal data and information. With the increasing volume of IoT devices, it is difficult to comply with this legal requirement, and the definition of what can be considered reasonable becomes blurred. Government legislation is in the process of being created, but it is unlikely that such legislation will come soon and even more unlikely that it would be unified and global. It is more likely that legislation will emerge on a case-by-case basis, starting with autonomous vehicles, judging from the media coverage of the ease of hacking them. It is also possible that such new legislation would do more damage than good. For example, if new legislation criminalized all hacking, including ethical and white-hat hacking, it would be even more challenging for companies to identify vulnerabilities. Currently, fog computing is used primarily as an enforcer to limit damage from rogue devices. The AI alternatives we discuss for automated risk surveillance would improve information knowledge management, e.g. predictive analytics supported with real-time dynamic intelligence. Such information knowledge management enables measuring the cost and probabilities of cyber-attacks from human-computer interactions. The main obstacle in assessing the impact of cyber risk is the lack of probabilistic data, which is mostly caused by the lack of appropriate data collection strategies. As a result, the growing cyber risk finance and insurance markets lack empirical data and are unable to price cyber risk with the same precision as traditional insurance lines. Even more concerning, without probabilistic data, the estimates of the current costs of unpredictable 'black swan' cyber-attacks are entirely speculative.
The postulate of automated risk surveillance supported with real-time intelligence would lead to improved information knowledge management and enable predictive risk intelligence.

How Can IoT Risk Be Quantified

Traditional risk assessment approaches could assist in conducting an initial IoT risk assessment. One example is comparing benefits with risks on a device-by-device basis. However, the IoT creates many entry points, each of which is a potential security issue. Hence, new automated DevSecOps approaches that anticipate the uniqueness of connected technologies are required for calculating IoT risk. Connecting the economic impact of cyber risk to human-computer interactions in different information knowledge management systems with artificial intelligence can provide predictive feedback sensors. Dynamic real-time data mechanisms would also enable a better understanding of the problem before cyber-attacks occur. The reliability of cyber risk impact assessments could increase significantly if decision-makers had a dynamic and self-adapting AI-enhanced methodology to assess, predict, analyze, and address the economic risks of cyber-attacks. However, the volume of data generated creates diverse challenges in a variety of verticals (e.g. machine learning, ethics, business models). Simultaneously, designing cybersecurity architecture for complex coupled systems while understanding the economic impact demands bold new solutions for optimization and decision making. Much of that is application-oriented and by default interdisciplinary, requiring hybrid researchers with experience in different academic areas. A cybersecurity architecture that integrates economic impact assessment into cyber risk assessment must meet public acceptability, security standards, and legal scrutiny.
In view of the above, integrating areas such as economic impact modeling, policy, and governance will contribute to knowledge by combining economic impact and cyber risk assessment models that have not previously been integrated, and thus advance the development of a dynamic and self-adapting AI-enhanced data analytics methodology to assess, predict, analyze, and address the economic risks of cyber-attacks.

Quantifying the Impact of IoT Risk

How can the economic impact of IoT cyber risk be quantified?

  • New approaches for cyber risk quantification: a new Cyber Value at Risk framework was presented at the World Economic Forum, based on the Value at Risk statistical technique. The framework can be applied to estimate cyber risk losses over a given period and to answer the question of how much the risk would be reduced if we invested a given amount[4]. The components of the framework consist of analyzing the dependencies between vulnerabilities, assets, and the profile of attackers. The rationale is that the number of attacks depends on the value of the assets and the trends in the attacking community. However, in our recent publications on this topic[5], we found that the lack of probabilistic data leads to qualitative cyber risk assessment approaches, where the outcome represents a speculative assumption[6]. Emerging quantitative models are effectively designed with ranges and confidence intervals based on expert opinions rather than probabilistic data[7]. Furthermore, the majority of cybersecurity frameworks today apply diverse qualitative methods (e.g. OCTAVE [1], TARA [2], CMMI [3], CMM [4]) that advocate reaching a required cybersecurity maturity level. The issue is that the current cyber state needs to be transformed into a given target cyber state [5] through implementation guidance [6], and reaching a target state without being able to quantitatively assess the outcome represents a speculative assumption. There are several emerging quantitative cyber risk models (e.g. FAIR [7] and CyVaR [8]) that complement the work of NIST and the International Organisation for Standardisation (ISO) [9], e.g. ISO 27032 and ISO 27001. Quantitative risk impact estimation is needed for estimating cybersecurity, cyber risk, and cyber insurance [10]. The argument is, however, that without a dynamic real-time risk assessment methodology that applies AI to cyber risk data analytics, the estimates can be outdated and imprecise.
    What is currently needed is a predictive cyber risk analytics model that is based on confidence intervals and time-bound ranges. This would enable designing dynamic real-time risk analytics on top of existing cyber risk approaches, e.g. NIST, FAIR, OCTAVE, TARA, ISO, CMMI, CyVaR, and the IoTMM.
  • Weaknesses of qualitative approaches: Qualitative approaches predominate in the risk assessment process at present. The issue is that qualitative approaches are resource-intensive and often unreliable. Since they are often based on experts' opinions, they are prone to differing interpretations and are influenced by political and cultural forces.
  • The quantitative approach enables organizations to re-focus cybersecurity efforts: The Cyber Value at Risk approach estimates the maximum loss that can occur in a worst-case scenario. Such scenarios include larger losses than those estimated with other methods. The benefit of applying Cyber Value at Risk is that understanding the maximum loss, which differs from the expected loss, enables a better understanding of the uncertainty. This quantification enables calculating the Return on Investment (ROI) and hence offers a better understanding of opportunity and risk. However, the lack of probabilistic data has led to designs that aim to present statistical results without statistical data. A new quantitative approach needs to be developed for an enhanced forward-facing predictive model, supported with mathematical and statistical methods including dependency modeling, probability, linear regression, decision trees, clustering, and Bayesian inference. Such an approach would undoubtedly require collecting probabilistic data at the edge with an AI-enhanced approach. As critical domains extract value from centralized and edge analytics, this will likely further increase the attack surface for adversaries to poison or trick machine learning models and undermine their integrity or availability. Furthermore, this complexity is compounded by the sectors and applications to which AI cognitive engines for risk analytics can be applied, e.g. many changing requirements, while data and conditions are not fully understood. Therefore, some form of validation is required before AI cognitive engines for risk analytics can be applied in practice.
  • Elements that will enable cyber risk quantification: The most valuable element for quantification is the availability of risk metrics, and currently there is a lack of them. To address this, governments need to work with the private sector to identify and develop appropriate standards for the collection, distribution, and availability of cyber risk metrics. This could be achieved with a national information-sharing platform, strengthening the supervision of critical infrastructure and of sectors that are elevating cyber risks. Cyber insurance companies have also not matured and evolved as fast as cyber risks have. They could expand operations into performing quantitative cyber risk assessment before offering cyber insurance products, but manipulating personal data in real time can be controversial. Hence, the threat event frequency should be developed along with an assessment of how imposter devices might compromise edge computing systems. This assessment should adapt AI cognitive engines for data collection and analytics with dynamic real-time feedback for predictive intelligence on threat event frequency and loss magnitude.
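The four bullets above describe Cyber Value at Risk (the loss at the tail rather than the expected loss), the ROI question "how much is the risk reduced if we invest a given amount", and a threat event frequency combined with a loss magnitude. The following is an added example that puts those pieces together; it is not the article's code, nor the FAIR Institute's or the World Economic Forum's implementation. Annual loss is simulated FAIR-style as a Poisson number of events per year times a lognormal loss per event, and from the simulated years the script reports the expected annual loss with a confidence interval, the loss at the 95th percentile as the Cyber Value at Risk figure, and the ROI of a control that lowers event frequency. Every rate, loss parameter and control cost below is a constructed assumption, and the function names are the example's own.

```python
"""
Added example (not the article's, FAIR's or WEF's code): a Monte Carlo
estimate of annual loss for a fleet of connected devices, giving the expected
loss with a confidence interval, a Cyber Value at Risk figure at a chosen
percentile, and the ROI of a control.  All parameters are constructed.
"""
import math
import random


def poisson(rng, lam):
    """Draw a Poisson(lam) count with Knuth's method; fine for small rates."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_per_year, loss_median, loss_sigma,
                           years=10000, seed=7):
    """Return one simulated total loss per year.

    freq_per_year: mean loss events per year (Poisson threat event frequency)
    loss_median, loss_sigma: lognormal loss magnitude per event
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    return [sum(rng.lognormvariate(mu, loss_sigma)
                for _ in range(poisson(rng, freq_per_year)))
            for _ in range(years)]


def summarize(losses, var_level=0.95):
    """Expected loss, its 95% CI (normal approximation), and loss at var_level."""
    n = len(losses)
    mean = sum(losses) / n
    sd = math.sqrt(sum((x - mean) ** 2 for x in losses) / (n - 1))
    half = 1.96 * sd / math.sqrt(n)
    cvar = sorted(losses)[int(var_level * n)]   # Cyber Value at Risk: tail loss
    return {"expected": mean, "ci": (mean - half, mean + half), "cvar": cvar}


def roi_of_control(baseline, with_control, control_cost):
    """ROI = (reduction in expected annual loss - control cost) / control cost."""
    saved = baseline["expected"] - with_control["expected"]
    return (saved - control_cost) / control_cost


# Constructed scenario (assumptions, not measured data): an unauthenticated
# device fleet suffers ~4 loss events a year with a median loss of 20,000 per
# event; routing devices through cloud authentication is assumed to cut the
# frequency to ~1.5 events a year at an annual cost of 15,000.
BASELINE = {"freq_per_year": 4.0, "loss_median": 20_000.0, "loss_sigma": 1.0}
WITH_CONTROL = {"freq_per_year": 1.5, "loss_median": 20_000.0, "loss_sigma": 1.0}
CONTROL_COST = 15_000.0


def run_scenario():
    """Return (baseline summary, with-control summary, ROI of the control)."""
    base = summarize(simulate_annual_losses(**BASELINE))
    ctrl = summarize(simulate_annual_losses(**WITH_CONTROL, seed=11))
    return base, ctrl, roi_of_control(base, ctrl, CONTROL_COST)


if __name__ == "__main__":
    base, ctrl, roi = run_scenario()
    for label, s in (("baseline", base), ("with control", ctrl)):
        print(f"{label:13s} expected {s['expected']:>10,.0f} "
              f"(95% CI {s['ci'][0]:,.0f} .. {s['ci'][1]:,.0f})  "
              f"CVaR(95%) {s['cvar']:>10,.0f}")
    print(f"ROI of control: {roi:.2f}")
```

The gap between `expected` and `cvar` is the point the third bullet makes: a budget set to the expected loss leaves the 95th-percentile year uncovered, and only the tail figure shows how much. The frequency inputs are the weak link in practice; with the constructed numbers above the result is deterministic, but with the expert-opinion ranges the text criticizes the same script would simply reproduce the assumptions fed into it.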

Final Remarks

To promote research in cyber risk assessment, research should be published as open source, e.g. the source code of the Cyber Value at Risk model[8]. The findings to date indicate that SMEs are frequently not adequately protected from cyber risk, and the main cause is the high cost. Large enterprises, on the other hand, are inadequately protected from SMEs operating as third parties in their supply chains. This, combined with the increasing sophistication of cyber-attacks, amplifies the maximum loss scenario. Simultaneously, the returns from cybersecurity investments are declining. While new cybersecurity is constantly being developed (e.g. ISO 3000), probabilistic data for risk analytics is not collected at the edge. Hence, the role of AI in future cyber risk analytics should be related to the use of confidence intervals and time-bound ranges. The objective of such an approach would be to protect data integrity while securing predictive analytic outputs and integrating such solutions into these new types of fog computing cybersecurity. In fog computing, the IoT-augmented physical reality is open to adversarial behaviors that are yet uncharted and poorly understood, especially in their socio-technical dimensions.

By integrating AI in risk analytics, a new approach can be devised for cognitive data analytics, creating a stronger resilience of systems through cognition in their physical, digital, and social dimensions. Such an approach would revolve around understanding how and when compromises happen, to enable systems to adapt and continue to operate safely and securely when they have been compromised. Cognition through AI and cognitive real-time intelligence would enable systems to recover and become more robust. Since some companies (AppDynamics[9]) are already using AI (Cognition Engine[10]) to defend, adapt and recover systems in response to adverse events, others could build upon that knowledge to design a similar model for securing the edge. The crucial factor is assuring that systems can continuously adapt and employ AI techniques to understand and mitigate the vulnerabilities of adverse events.

[1] https://www.cs.ox.ac.uk/files/9680/2017-itpro-ncd_author-final.pdf

[2] https://www.fairinstitute.org/

[3] P. Radanliev et al., “Future developments in cyber risk assessment for the internet of things,” Comput. Ind., vol. 102, pp. 14–22, Nov. 2018.

[4] https://www2.deloitte.com/lu/en/pages/risk/articles/benefits-limits-cyber-value-at-risk.html

[5] P. Radanliev et al., “Future developments in cyber risk assessment for the internet of things,” Comput. Ind., vol. 102, pp. 14–22, Nov. 2018.

[6] P. Radanliev, D. De Roure, S. Cannady, R. M. Montalvo, R. Nicolescu, and M. Huth, “Economic impact of IoT cyber risk - analysing past and present to predict the future developments in IoT risk analysis and IoT cyber insurance,” in Living in the Internet of Things: Cybersecurity of the IoT - 2018, 2018, no. CP740, p. 3 (9 pp.).

[7] P. Radanliev et al., “Integration of Cyber Security Frameworks, Models and Approaches for Building Design Principles for the Internet-of-things in Industry 4.0,” in Living in the Internet of Things: Cybersecurity of the IoT, 2018, p. 41 (6 pp.).

[8] https://www.fairinstitute.org/blog/what-is-a-cyber-value-at-risk-model

[9] https://www.appdynamics.com/

[10] https://www.appdynamics.com/cognition-engine/

References

  1. R. A. Caralli, J. F. Stevens, L. R. Young, and W. R. Wilson, “Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process,” Hansom AFB, MA, 2007.
  2. J. Wynn et al., “Threat Assessment & Remediation Analysis (TARA) Methodology Description Version 1.0,” Bedford, MA, 2011.
  3. CMMI, “What Is Capability Maturity Model Integration (CMMI)®? | CMMI Institute,” CMMI Institute, 2017. [Online]. Available: http://cmmiinstitute.com/capability-maturity-model-integration. [Accessed: 26-Dec-2017].
  4. U.S. Department of Energy, “Cybersecurity Capability Maturity Model (C2M2) | Department of Energy,” Washington, DC, 2014.
  5. NIST, “Cybersecurity Framework | NIST,” 2016.
  6. M. Barrett, J. Marron, V. Yan Pillitteri, J. Boyens, G. Witte, and L. Feldman, “Draft NISTIR 8170, The Cybersecurity Framework: Implementation Guidance for Federal Agencies,” Maryland, 2017.
  7. FAIR, “Quantitative Information Risk Management | The FAIR Institute,” Factor Analysis of Information Risk , 2017. [Online]. Available: http://www.fairinstitute.org/. [Accessed: 26-Dec-2017].
  8. FAIR, “What is a Cyber Value-at-Risk Model?,” 2017. [Online]. Available: http://www.fairinstitute.org/blog/what-is-a-cyber-value-at-risk-model. [Accessed: 26-Dec-2017].
  9. ISO, “ISO - International Organization for Standardization,” 2017. [Online]. Available: https://www.iso.org/home.html. [Accessed: 26-Dec-2017].
  10. H. Öğüt, S. Raghunathan, and N. Menon, “Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self-Protection,” Risk Anal., vol. 31, no. 3, pp. 497–512, Mar. 2011.

Petar Radanliev is a Post-Doctoral Research Associate at the University of Oxford. He obtained his Ph.D. at the University of Wales in 2014 and continued with postdoctoral research at Imperial College London, Massachusetts Institute of Technology, and the University of Oxford. His current research focusses on cybersecurity, cyber risk standards for the IoT, risk quantification, and risk analytics.