Non-Confidential Copyright © 2006 CyberRAVE LLC. All Rights Reserved.
CyberRAVE
January 24, 2006
Strategic Approach to Developing Corporate Data Insurance Coverage
By Joseph A. Sprute, President CyberRAVE™ LLC
Business Intent
– Programmatically Couple Enterprise Risk Management with Computer Assisted Audit Technology.
– Provide Network Data Compliance and Insurability for “Certified” environments.
– Underwrite and sponsor new lines of insurance products for corporate customers.
– Foster a business culture that mitigates network data threats and vulnerabilities.
Business Case
– Companies need additional risk coverage for network data systems.
– “Certified” products & services establish a framework for optimized business performance.
– Companies will benefit using compliant systems that have key insurable components.
– The baseline for defining risk associated with Network Data is raw data.
Operational Goals
I. Actuarial Components
II. Risk Metrics
III. Application Environment
IV. Module Integration
V. Systems Integration
VI. Certification Programs
I. Actuarial Components
– Risk Classification
– Unknown Risk
– Threats & Vulnerabilities Assessment
– Risk Controls
– Price Variables
– Price Drivers
Risk Classification
– Assets
– Threats
– Vulnerabilities
– Strategic Priorities
– Strategic Goals
– Manifest Risks
Unknown Risk
– Bayesian Analysis
  – Expresses uncertainty about unknown parameters probabilistically
– A logical, quantitative framework that supports the iterative process of integrating and accumulating information and knowledge in order to further a scientific, technologic or policy interest
– Supports inverse probability (Posterior Distribution)
– Handles prior probabilities
– Supports complex statistical problems with relative ease
– Knowledge structure works with multi-discipline practitioners
– Casts statistical problems in the framework of decision making
– Entails formulating subjective prior probabilities to express pre-existing information
– Has careful modeling of the data structure
– Checking and allowing for uncertainty in model assumptions
– Formulating a set of possible decisions and a utility function to express how the value of each alternative decision is affected by the unknown model parameters
– Components can be omitted (e.g. no prior information, decision-theoretic framework etc)
Threats & Vulnerabilities Assessment
– Universal
– Known
– Unknown
– Past
– Present
– Future
Risk Controls
– Threat & Vulnerability Assessment
– Risk Minimization
– Environmental Monitoring
– Measurements & Modeling
– Active Mitigation
– True Remediation
Price Variables Risk, Cost, Benefit Variable Risk Table Translations Data Analytics Insurance Underwriting Criteria Asset Coverage
Price Drivers
– Advantages over competition
– Customer perception of value
– Product fit compared to nearest competition
– Expected term of competitive advantage
– Expected Product lifecycle
– Estimated total potential market (defined without price controls)
– Percentage of market share sought
– ROI expectations
– Branding resources (advertising etc)
– Impact on new sales and lifecycle of existing products
II. Risk Metrics
– Asset Profile
– Asset Valuation
– Variable Risk Factors
– Risk Calculations
– Decision Support
– Risk Minimization
Asset Profile
– Type
– Class
– Value
– Threats
– Vulnerabilities
– Uses
Asset Valuation
– Origination & Handling
– Prior Conditions (History)
– Storage & Management
– Accounting Controls
– Applicable Uses
– Risk of Abuses
Variable Risk Factors
Threats, Vulnerabilities & Incidents
1. Network Data Level
   – Assessment, Access, Authorization, Authentication, Accounting, Auditing
2. Physical Level
   – People, Data, Systems, Network, Processes, Facilities
3. Logical Level
   – Social, Economic, Political, Legal, Technical, Administrative
4. Semantic Level
   – Ontology, Syntax, Context, Constructors, Properties, Operators
5. Reporting Level
   – Who, What, Where, When, Why, How
6. Actuarial Level
   – Universal, Known, Unknown, Past, Present, Future
Risk Calculations
– Data Value
– Risk Categorization
– Bayesian Analysis (Unknown Variables)
– Damage Cost
– Risk Conversion
– Risk Management
Decision Support
– Risk Premium Matrix
– Real-Time Compliance Monitor
– Risk Modeling Tools
– Business Rules Framework
– Service Control Panel
– User Interface
Risk Minimization
– Physical Security
– Logical Security
– Standards & Best Practices
– Business Process Management
– Reporting
– Auditing
III. Application Environment
– Systems & Platforms
– Actuarial Reporting
– Regulation Compliance
– Account Management
– Customer Use
Systems & Platforms
– Common off the Shelf
– Process Management
– Risk Management
– Measurement & Analytics
– Reporting, Forensics & Auditing
– Computational Grid
Actuarial Reporting
– Assessment
– Access
– Authentication
– Authorization
– Accounting
– Auditing
Account Management Data Profile Metadata Storage & Management Environmental Controls Risk Factors Certification Auditing
Customer Use
– Business Performance & Optimization
– Standards, Best Practices, & Compliance
– Asset Protection
– Risk Management
– Data Management
IV. Module Integration
– Beneficial Uses
– Change Management
– Application Environment
– Administrative Support
– Training
– Sales
Beneficial Uses
– Risk Coverage
  – Best Practice
  – Compliance
  – Disaster Recovery
  – Asset Reimbursement
– Business Process Efficiency
  – Accounting
  – Monitoring
  – Reporting
  – Optimizing
Change Management
– Communication
– Process Alignment
– Roles & Rules (Policy Development)
– Systems Integration
– Monitoring & Testing
– Reconfiguration
Application Environment
– Module Description
– Application Overview
– Platforms
– Programming Languages
– Application Programming Interface
– Standards & Best Practices
Administrative Support
– Legal & Regulatory
– R&D
– Business Systems
– Facilities & Hosting
– Personnel
– Roles & Rules
Training Marketing Communications Sales Prospects Customers Partners Employees
Sales
– New & Existing Accounts
  – Accounting Services
  – Actuary Services
  – Business Services
  – Consulting Services
  – Insurance Services
V. Systems Integration
– Business & Technology
– Sales & Marketing
– Legal & Administrative
Business & Technology Objectives Declaration Resource Consolidation Risk Tolerance Calibration Compliance Tools Documentation Systems Certification
Regulation Compliance
– National & International
  – BFSI
  – Healthcare
  – Telecom
  – Utilities
Sales & Marketing
– Professional Services (Regulated Industries)
  – Financial Services
  – Health Services
  – Telecommunications
  – Transportation
  – Utilities
  – Etc
Legal & Administrative Jurisdiction Policy Coverage Certification Monitoring & Reporting Auditing
VI. Certification Programs
– Coverages
  – Employees & Processes
  – Data & Information
  – Legal & Jurisdiction
Coverages
– Transaction
– Disaster
– Employee
– Legal
– Privacy
– Regulatory
Assess
– Asset Profile
– User Environment
– Actuarial Components
– Risk Metrics
– Compliance Standards
– Goals & Expectations
Account Asset Inventory Liability Assessment Controls Reporting & Transparency Certification
Harden
– Data Networks (Public/Private)
– Communication Methods & Systems
– Information Management Systems
– User Environments
– Users & Groups
– Compliance
Manage “Hardened” Elements Change Expectations ROI TCO
Audit
– People
– Processes
– Technology
Risk Conversion Data Context Storage & Handling Asset Valuation Threats & Vulnerabilities Mitigation Risk Management Insurability