A long-term research project into cyberinsurance by the US government is providing short-term benefits in understanding cybersecurity.
The project is led by the Department of Homeland Security (DHS) and is called Cyber Incident Data and Analysis Repository (CIDAR). It began in 2014 for researchers to spend a decade or more collecting anonymous incident data which insurance companies could calculate, but in the meantime CIDAR can be used to evaluate hacking trends and determine the worthiness of corporate risk controls, officials said.
“That work started back in 2012. My predecessor on the project was looking at, at the time, could cyberinsurance markets drive better security practices,” explained Matt Shabat, a strategist in the DHS cybersecurity group.
SEE: Security awareness and training policy (Tech Pro Research)
DHS organized workshops in 2013 and 2014 with representatives from corporate IT departments, academia, and government agencies. Along with representatives from insurance companies, “Over time they realized the insurance market just wasn’t mature enough to support the market and the hypothesis,” Shabat said.
It was during the same timeframe that insurance companies realized government collection of significant hacking incidents could help with actuarial data. That process could take 10-15 years to determine statistically valid results, Shabat noted. Other collections of hacking data, then and now, are run by well-intended nonprofit and security companies that tend to lack context, such as what controls an organization had in place, what specifically failed, and what was the ultimate impact, he said.
The long timeframe doesn’t stop researchers from studying the data as it arrives. Currently the CIDAR database is seeded with 4,000 fictional incidents. Soon there will be real-world incidents including those from government, although the latter ones will be phased out over time because the government self-insures and that could skew the results, Shabat said.
“Within the next couple of weeks we’d like to send the data file out to the working group members,” Shabat said. DHS researchers have ideas for analytics they’d like to run, he said, and there are also plans being considered to resume public workshops. DHS would like to publish initial results in the federal register before the end of this year, he said. The National Institute of Standards and Technology (NIST), known in IT circles for its cybersecurity framework, is also interested in seeing the results, he said.
“The market continues to grow, the policies continue to grow. So we are continuing to see maturation,” Shabat continued.
Some people question if cyberattacks will simply grow too inevitable and evolve too fast for insurance companies to handle, but the opposite is happening–the number of cyber insurers grew from just a handful a decade ago to about 150 now, Shabat said. That figure is double the estimate of RAND researchers from one year ago. DHS was surprised to see how much cyberinsurance is being purchased by small businesses and local governments, he noted.
“The biggest question we have with these data points and the repository is, we’re very interested in the CISO’s input,” Shabat added, referring to chief information security officers. “We think that’s where a lot of the short-term benefits are going to come from.”