Sergey Nivens - Fotolia

DHS cyberinsurance research could improve security

A longitudinal cyberinsurance study performed by the Department of Homeland Security could improve enterprise security but the effects depend on the data collected, said experts.

The Department of Homeland Security has undertaken a long-term cyberinsurance study to determine if insurance can help improve cybersecurity overall, but experts said that will depend on the data gathered.

The DHS began researching cyberinsurance in 2014 by gathering breach data into its Cyber Incident Data and Analysis Repository (CIDAR). DHS uses CIDAR to collect cyber incident data along 16 categories, including the type, severity and timeline of an incident, the apparent goal of the attacker, contributing causes, specific control failures, assets compromised, detection and mitigation techniques, and the cost of the attack.

According to the DHS, it hoped to "promote greater understanding about the financial and operational impacts of cyber events."

"Optimally, such a repository could enable a novel information sharing capability among the federal government, enterprise risk owners, and insurers that increases shared awareness about current and historical cyber risk conditions and helps identify longer-term cyber risk trends," the DHS wrote in a report about the value proposition of CIDAR. "This information sharing approach could help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity insurance offerings."

The full cyberinsurance study by the DHS could take 10 to 15 years to complete, but Matt Shabat, strategist and performance manager in the DHS Office of Cybersecurity and Communications, told TechRepublic that he hopes there can be short-term improvements to cybersecurity with analysis of the data as it is gathered.

Shabat said he hopes the added context gathered by CIDAR will improve the usefulness of its data compared to other threat intelligence sharing platforms. Experts said this was especially important because as Ken Spinner, vice president of global field engineering at Varonis, told SearchSecurity, "A data repository is only as good as the data within it, and its success will likely depend on how useful and thorough the data is."

"Sector-based Information Sharing and Analysis Centers have been implemented over a decade ago, so creating a centralized cyber incident data repository for the purpose of sharing intelligence across sectors is a logical next step and a commendable endeavor," Spinner added. "A data repository could have greater use beyond its original intent by helping researchers find patterns in security incidents and criminal tactics."

Philip Lieberman, president of Lieberman Software, a cybersecurity company headquartered in Los Angeles, said speed was the key to threat intel sharing.

“The DHS study on cyberinsurance is a tough program to implement because of missing federal laws and protocols to provide safe harbor to companies that share intrusion information," Lieberman told SearchSecurity. "The data will be of little use in helping others unless threat dissemination is done within hours of an active breach."

Many organizations may be reluctant to share meaningful data because of the difficulty in anonymizing it and the potential for their disclosure to be used against them.
Scott Petryco-founder and CEO of Authentic8

Scott Petry, co-founder and CEO of Authentic8, a secure cloud-based browser company headquartered in Mountain View, Calif., said the 16 data elements used by the DHS could provide "a pretty comprehensive overview of exploits and responses, if a significant number of organizations were to contribute to CIDAR."

"The value of the data would be in the volume and its accuracy. Neither feel like short term benefits, but there's no question that understanding more about breaches can help prevent similar events," Petry told SearchSecurity. "But many organizations may be reluctant to share meaningful data because of the difficulty in anonymizing it and the potential for their disclosure to be used against them. It goes against their nature for organizations to share detailed breach information."

The DHS appears to understand these concerns and outlined potential ways to overcome the "perceived obstacles" to enterprises sharing attack data with CIDAR, although experts noted many of the suggestions offered by the DHS may not be as effective as desired because they tend to boil down to working together with organizations rather than offering innovative solutions to these longstanding issues.

DHS did not respond to requests for comment at the time of this post.

Using cyberinsurance to improve security

Still, experts said if the DHS can gather quality data, the cyberinsurance study could help enterprises to improve security.

Spinner said cyberinsurance is a valid risk mitigation tool.

"Counterintuitively, having a cyberinsurance policy can foster a culture of security. Think of it this way: When it comes to auto insurance, safer drivers who opt for the latest safety features on their vehicles can receive a discount," Spinner said. "Similarly, organizations that follow best practices and take appropriate steps to safeguard the data on their networks can also be rewarded with lower a lower rate quote."

Lieberman said the efficacy of cyberinsurance on security is limited because the "industry is in its infancy with both insurer and insured being not entirely clear as to what constitutes due and ordinary care of IT systems to keep them free of intruders."

"Cyberinsurance does make sense if there are clear definitions of minimal security requirements that can be objectively tested and verified. To date, no such clear definitions nor tests exist," Lieberman said. "DHS would do the best for companies and taxpayers by assisting the administration and [the] legislative branch in drafting clear guidelines with both practices and tests that would provide safe harbor for companies that adopt their processes."

Petry said the best way for cyberinsurance to help improve security would be to require "an organization to meet certain security standards before writing the policy and by creating an ongoing compliance requirement."

"It's a big market, and insurers are certainly making money, but that doesn't mean it's a mature market. Many organizations require their vendors to carry cyberinsurance, which will continue to fuel that growth, but the insurers aren't taking reasonable steps to understand the exposure of the organizations they're underwriting. When I get health insurance, they want to know if I'm a smoker and what my blood pressure is. Cyberinsurance doesn't carry any of the same real-world assessments of 'the patient.'"

Spinner said the arrangement between the cybersecurity industry and cyberinsurance is "very much still a work in progress."

"The cybersecurity market is evolving rapidly, to some extent it is still in the experimental phase in that providers are continuing to learn what approach works best, just as companies are trying to figure out just how much insurance is adequate," Spinner said. "It's a moving target and we’ll continue to see the industry and policies evolve. The industry needs to work towards a standard for assessing risk so they can accurately determine rates."

Next Steps

Learn how to assess risk and define policies for cyberinsurance.

Find out about cyberinsurance coverage and avoiding limitations.

Get info on whether cyberinsurance is worth the risk.

Dig Deeper on Risk management