KNOWING THE UNKNOWN: BUILDING DEFENCES AGAINST HIDDEN CYBER-THREATS

For cyber-threats to be mitigated effectively, protection models must evolve with them.

There was a time, not so long ago, when individuals and businesses alike could purchase off-the-shelf anti-viral software and simply trust in their defensive wall.

Now, the ubiquity of the internet, cloud computing and smartphone technology have changed the landscape so comprehensively that cyber-crime has become a powerful weapon on a global scale.

Fighting cyber with cyber

Yet all is not doom and gloom. The same technology that enables new threats, intelligently applied, can be used to counter them.

Artificial Intelligence is a game changer because it allows us to improve our risk modelling by harnessing the power of Big Data

“Artificial Intelligence is a game changer because it allows us to improve our risk modelling by harnessing the power of Big Data,” says Neil Cantle, a Principal and Consulting Actuary at Milliman.

“With cyber-threat, which is evolving every day, there is such a vast volume of rapidly changing data it makes sense to have machines monitoring that and flagging things to you when you need to see them.

“This is particularly true of unstructured data, such as that found in articles or social media posts. This unstructured data hides ever-changing novel and interesting trends, which AI can mine and identify.”

Identifying tomorrow’s threats

But how is it possible even with the immense and exponentially growing power of machine learning, to predict threats that do not yet exist? The traditional approach – assessing historical data and projecting it forward – is severely inadequate in this context.

We’re actually putting a living and evolving process in

The answer lies in a cutting-edge approach to scenario planning. By harnessing the vast processing potential of AI, hugely complex variations of outcomes can be modelled, then fed to experienced actuaries to figure out a response.

“Essentially you are building a much more natural approach to the model,” says Cantle. “It works the way the experts would think about the problem, rather than just being a mathematician about it and focusing solely on statistics.

“The model doesn’t know which specific set of things would happen on a particular day, but it knows all the things that could happen and how they happen. From that point it effectively adds them all up and identifies areas of most significant risk.”

It works the way the experts would think about the problem, rather than just being a mathematician about it and focusing solely on statistics

This is not a case of handing sole responsibility to the machines, but rather playing to their strengths and bringing the information back to a human expert for analysis and action.

AI is good at flagging what could be possible, as most cyber-threats do not materialise out of thin air.

“There will be some kind of chatter, which AI can monitor and raise the possibility of a particular attack happening,” adds Cantle. “Then in the hands of the expert they can really think it through. Could they see it quickly? Could they fix it? Could they do anything at all to prevent it?

So AI is really feeding that challenge into the expert thought process and then testing it through scenarios, war-gaming and things like that.”

An evolving solution

While preventing cyber-threats is the goal, the reality is that 100 percent prevention is unlikely. This means that the best risk strategy is a combination of prevention and detection and response.

For example, phishing – an email scam which relies on tricking individuals into clicking on infected links or downloading malware onto their computer – works because it is a numbers game. Whatever protection companies put in place, it only takes one person to click on the wrong link to render those efforts meaningless.

With millions of phishing emails sent out every day, early detection of a breach is of paramount importance. The longer a system is compromised, the greater the potential damage.

All enterprises must come to terms with the fact that there is no such thing as 100 percent protection against cyber-threats. This makes it imperative for insurers and risk managers to understand they are dealing with probability and uncertainty when contemplating and modelling cyber-risk.

As the threats for a specific firm and the market generally evolve, so will the modelling

As Sadie Creese, professor of cybersecurity at the University of Oxford, puts it: “We need to be as open-minded and prepared as possible when we’re dealing with uncertainty in a threat.

“People who stick to one model of cyber-risk and look at everything in the same way will never see the new exposures around the corner.

“We have to get outside of our comfort zones and talk to people who see and anticipate the world in different ways. If we don’t, then we could fall behind the curve and get hit with very significant risks that we’re not prepared for.”

This evolution is never-ending, requiring constant vigilance to keep new threats at bay. Firms such as Milliman are well aware of this and have responded accordingly. “Essentially what we’ve done is build that evolution into our approach,” says Cantle.

“So rather than just turning up with a template and saying to a company, ‘Fill that out and we’ll tell you how big your risk is,’ we’re actually putting a living and evolving process in. This means that as the threats for a specific firm and the market generally evolve, so will the modelling.”