digital security — Criminal violence - Property Crime: Fraud - Money laundering - theft and robbery - homicide - rape - extortion - arson — Read-Me.Org -Open Access to All
Open Access Publisher and Free Library

CRIME

CRIME-VIOLENT & NON-VIOLENT-FINANCIAL-CYBER

Posts tagged digital security
Cyber Insurance and the Cyber Security Challenge 

By Jamie MacColl, Jason R C Nurse and James Sullivan 

  GOVERNMENTS AND BUSINESSES are struggling to cope with the scale and complexity of managing cyber risk. Over the last year, remote working, rapid digitalisation and the need for increased connectivity have emphasised the cyber security challenge. As the pursuit of approaches to prevent, mitigate and recover from malicious cyber activity has progressed, one tool that has gained traction is cyber insurance. If it can follow the path of other insurance classes, it could play a significant role in managing digital risk. This paper explores whether cyber insurance can incentivise better cyber security practices among policyholders. It finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope. Although several means by which cyber insurance can incentivise better cyber security practices are identified, they have significant limitations. Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise. While some mature insurers are moving in the right direction, cyber insurance as a whole is still struggling to move from theory into practice when it comes to incentivising cyber security. If this is to change, the insurance industry must overcome significant challenges. One is the competitiveness of the nascent cyber insurance market over the last two decades. Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders. The industry is also struggling to collect and share reliable cyber risk data that can inform underwriting and risk modelling. The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects. 
This limits insurers’ ability to accurately assess an organisation’s risk profile or security practices and price policy premiums accordingly. The spectre of systemic incidents such as NotPetya and SolarWinds has also limited the availability of capital for cyber insurance markets. However, the most pressing challenge currently facing the industry is ransomware. Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals. These add fuel to the fire by incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either.

To overcome these challenges and champion the positive effects of cyber insurance, this paper calls for a series of interventions from government and industry. Some in the industry favour allowing the market to mature on its own, but it will not be possible to rely on changing market forces alone. To date, the UK government has taken a light-touch approach to the cyber insurance industry. With the market undergoing changes amid growing losses, more coordinated action by government and regulators is necessary to help the industry reach its full potential. The interventions recommended here are still relatively light, and reflect the fact that cyber insurance is only a potential incentive for managing societal cyber risk. They include: developing guidance for minimum security standards for underwriting; expanding data collection and data sharing; mandating cyber insurance for government suppliers; and creating a new collaborative approach between insurers and intelligence and law enforcement agencies around ransomware. Finally, although a well-functioning cyber insurance industry could improve cyber security practices on a societal scale, it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. As such, it should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively.   

RUSI Occasional Paper, June 2021, London: Royal United Services Institute for Defence and Security Studies, 2021. 68p.

Concealing for Freedom: The Making of Encryption, Secure Messaging and Digital Liberties

By: Ksenia Ermoshina and Francesca Musiani

Concealing for Freedom: The Making of Encryption, Secure Messaging and Digital Liberties sets out to explore one of the core battlegrounds of Internet governance: the encryption of online communications. Current debates around encryption have fundamental implications for our individual liberties and collective presence on the Internet. Encryption of communications at scale and in increasingly usable ways has become a matter of public concern, especially since Edward Snowden’s 2013 revelations. A new cryptographic imaginary is taking hold, which sees encryption as a necessary precondition for the formation of networked publics. At the same time, there have been major evolutions and accelerations in the field of secure communications, prompted in part by the cryptography community’s renewed efforts to create next-generation secure messaging protocols and applications. It is vital that we unveil the very recent, and sometimes less recent history of these protocols and their key applications. The book takes on this task, in order to show how the opportunities and constraints they provide to Internet users came about, and how both developer communities and institutions are working towards making them available for the largest possible audience. It explores how efforts towards this goal are built upon interwoven stories about technical development and architectural choices, about community-building – and about Internet governance and politics. In doing so, the book focuses on the experience of encryption in a wide variety of contemporary secure messaging protocols and tools, and looks at the implications of these endeavors for the “making of” digital liberties on the Internet. Concealing for Freedom provides two key empirical and theoretical contributions. Firstly, it enriches a social sciences-informed understanding of encryption. 
It does so by examining how different solutions of cryptography for secure communications are created, developed, enacted, and governed, and what this diverse experience of encryption, operating across many different sites, means for online civil liberties. Secondly, it contributes to understanding the social and political implications of particular design choices when it comes to the technical architecture of digital networks, in particular their degree of (de-)centralization. The book explores developers’ actions and their interactions with other stakeholders, for instance users, security trainers, standardising bodies, and funding organizations. It also examines their interactions with the technical artifacts they develop, in which a core common objective is to create tools that “conceal for freedom” even as how this objective is met differs according to technical architectures, the user publics being targeted and the tools’ underlying values and business models.

Manchester, UK: Mattering Press, 2022. 274p.