cyber risk — Criminal violence - Property Crime: Fraud - Money laundering - theft and robbery - homicide - rape - extortion - arson — Read-Me.Org -Open Access to All
Read-Me.Org
Open Access Publisher and Free Library
01-crime.jpg

CRIME

CRIME-VIOLENT & NON-VIOLENT-FINANCLIAL-CYBER

Posts tagged cyber risk
Cyber Insurance and the Cyber Security Challenge 

By Jamie MacColl, Jason R C Nurse and James Sullivan 

  GOVERNMENTS AND BUSINESSES are struggling to cope with the scale and complexity of managing cyber risk. Over the last year, remote working, rapid digitalisation and the need for increased connectivity have emphasised the cyber security challenge. As the pursuit of approaches to prevent, mitigate and recover from malicious cyber activity has progressed, one tool that has gained traction is cyber insurance. If it can follow the path of other insurance classes, it could play a significant role in managing digital risk. This paper explores whether cyber insurance can incentivise better cyber security practices among policyholders. It finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope. Although several means by which cyber insurance can incentivise better cyber security practices are identified, they have significant limitations. Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise. While some mature insurers are moving in the right direction, cyber insurance as a whole is still struggling to move from theory into practice when it comes to incentivising cyber security. If this is to change, the insurance industry must overcome significant challenges. One is the competitiveness of the nascent cyber insurance market over the last two decades. Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders. The industry is also struggling to collect and share reliable cyber risk data that can inform underwriting and risk modelling. The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects. This limits insurers’ ability to accurately assess an organisation’s risk profile or security practices and price policy premiums accordingly. The spectre of systemic incidents such as NotPetya1 and SolarWinds2 has also limited the availability of capital for cyber insurance markets. However, the most pressing challenge currently facing the industry is ransomware. Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals. These add fuel to the fire by incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either.

To overcome these challenges and champion the positive effects of cyber insurance, this paper calls for a series of interventions from government and industry. Some in the industry favour allowing the market to mature on its own, but it will not be possible to rely on changing market forces alone. To date, the UK government has taken a light-touch approach to the cyber insurance industry. With the market undergoing changes amid growing losses, more coordinated action by government and regulators is necessary to help the industry reach its full potential. The interventions recommended here are still relatively light, and reflect the fact that cyber insurance is only a potential incentive for managing societal cyber risk. They include: developing guidance for minimum security standards for underwriting; expanding data collection and data sharing; mandating cyber insurance for government suppliers; and creating a new collaborative approach between insurers and intelligence and law enforcement agencies around ransomware. Finally, although a well-functioning cyber insurance industry could improve cyber security practices on a societal scale, it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. As such, it should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively.   

RUSI Occasional Paper, June 2021, London: Royal United Services Institute for Defence and Security Studies , 2021. 68p.

Social Science, Rule of Law, CrimeRead-Me.Orgcyber insurance, cyber risk, digital security, ransomware, insurance market, cybersecurity policy
Principles for Reducing AI Cyber Risk in Critical Infrastructure: A Prioritization Approach

By SLEDJESKI, CHRISTOPHER L.

From the document: "Artificial Intelligence (AI) brings many benefits, but disruption of AI could, in the future, generate impacts on scales and in ways not previously imagined. These impacts, at a societal level and in the context of critical infrastructure, include disruptions to National Critical Functions. A prioritized risk-based approach is essential in any attempt to apply cybersecurity requirements to AI used in critical infrastructure functions. The topics of critical infrastructure and AI are simply too vast to meaningfully address otherwise. The National Institute of Standards and Technology (NIST) defines cyber secure AI systems as those that can 'maintain confidentiality, integrity and availability through protection mechanisms that prevent unauthorized access and use.' Cybersecurity incidents that impact AI in critical infrastructure could impact the availability, reliability, and safety of these vital services. [...] This paper was prompted by questions presented to MITRE about to what extent the original NIST Cybersecurity Risk Framework, and the efforts that accompanied its release, enabled a regulatory approach that could serve as a model for AI regulation in critical infrastructure. The NIST Cybersecurity Risk Framework was created a decade ago as a requirement of Executive Order (EO) 13636. When this framework was paired with the list of cyber-dependent entities identified under the EO, it provided a voluntary approach for how Sector Risk Management Agencies (SRMAs) prioritize and enhance the cybersecurity of their respective sectors."

MITRE CORPORATION. 2023. 18p.

Social SciencesRead-Me.Orgcyber threat, cyber risk, AI, Artificial Intelligence, cybersecurity, cyber crime
Cybercrime in Australia 2023

By Isabella Voce and Anthony Morgan

This is the first report in the Cybercrime in Australia series, which aims to provide a clearer picture of the extent of cybercrime victimisation, help-seeking and harms among Australian computer users. It is based on a survey of 13,887 computer users conducted in early 2023. In the 12 months prior to the survey, 27 percent of respondents had been a victim of online abuse and harassment, 22 percent had been a victim of malware, 20 percent had been a victim of identity crime and misuse, and eight percent had been a victim of fraud and scams. Overall, 47 percent of respondents experienced at least one cybercrime in the 12 months prior to the survey—and nearly half of all victims reported experiencing more than one type of cybercrime. Thirty-four percent of respondents had experienced a data breach. Cybercrime victimisation was not evenly distributed, with certain sections of the community more likely to have been a victim, and certain online activities associated with a higher likelihood of victimisation.

Most cybercrime victimisation went unreported to police or to ReportCyber, meaning official statistics significantly underestimate the size of the problem. Satisfaction with the outcomes of these reports was mixed, and relatively few reports resulted in an offender being apprehended. Rates of help-seeking varied and were influenced by the perceived seriousness of cybercrime and knowledge of how and where to report it.

The financial losses experienced by victims were wide ranging. Some victims reported losing large sums of money, but most victims reported relatively small financial losses. This report measures, for the first time, the harms experienced by individual victims and small businesses that extend beyond these financial costs. Twenty-five percent of respondents were negatively impacted by cybercrime in the 12 months prior to the survey, while 22 percent of respondents who owned or operated a small to medium business said their business was negatively impacted by cybercrime.

Statistical Bulletin, 43. Canberra: Australian Institute of Criminology, 2023. 113p.

violence and oppression, Criminal Justice, Social SciencesRead-Me.Orgcyber crime, cyber risk, cybersecurity, cyber attacks, cybercrime statistics, Australia
Evolution of Dark Web Threat Analysis and Detection: A Systematic Approach

By Saiba Nazah; Shamsul Huda; Jemal Abawajy; Mohammad Mehedi Hassan

The Dark Web is one of the most challenging and untraceable mediums adopted by the cyber criminals, terrorists, and state-sponsored spies to fulfil their illicit motives. Cyber-crimes happening inside the Dark Web are like real world crimes. However, the sheer size, unpredictable ecosystem and anonymity provided by the Dark Web services are the essential confrontations to trace the criminals. To discover the potential solutions towards cyber-crimes evaluating the sailing Dark Web crime threats is a crucial step. In this paper, we will appraise the Dark Web by analysing the crimes with their consequences and enforced methods as well as future manoeuvres to lessen the crime threats. We used Systematic Literature Review (SLR) method with the aspiration to provide the direction and aspect of emerging crime threats in the Dark Web for the researchers and specialist in Cyber security field. For this SLR 65 most relevant articles from leading electronic databases were selected for data extraction and synthesis to answer our predefined research questions. The result of this systematic literature review provides (i) comprehensive knowledge on the growing crimes proceeding with Dark Web (ii) assessing the social, economic and ethical impacts of the cyber-crimes happening inside the Dark Web and (iii) analysing the challenges, established techniques and methods to locate the criminals and their drawbacks. Our study reveals that more in depth researches are required to identify criminals in the Dark Web with new prominent way, the crypto markets and Dark Web discussion forums analysis is crucial for forensic investigations, the anonymity provided by Dark Web services can be used as a weapon to catch the criminals and digital evidences should be analysed and processed in a way that follows the law enforcement to make the seizure of the criminals and shutting down the illicit sites in the Dark Web. 

 IEEE Access, vol. 8, pp. 171796-171819, 2020, 

violence and oppressionGuest Usercrime, cyber crime, Threat modeling, preliminary analysis, cyber attacks, cyber risk, risk assessment