Dive into the world of cyber insurance as host Sean Martin and co-host Julie Haney welcome Dr. Jason Nurse on the first episode of the new Human-Centered Research Series, part of the Redefining CyberSecurity Podcast. Discover how cyber insurance factors into organizational risk management, the role of human behavior in cyber risk, and how research can bridge the gap between theory and practice in cybersecurity.
Guests:
Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead at National Institute of Standards and Technology [@NISTcyber]
On Linkedin | https://www.linkedin.com/in/julie-haney-037449119/
On Twitter | https://x.com/jmhaney8?s=21&t=f6qJjVoRYdIJhkm3pOngHQ
Jason Nurse, Reader in Cyber Security and Director of Science & Research, University of Kent [@UniKent] and CybSafe [@CybSafe]
On Linkedin | https://www.linkedin.com/in/jasonrcnurse
On Twitter | https://twitter.com/jasonnurse
On Mastodon | https://infosec.exchange/@jasonnurse
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode’s Sponsors
Imperva | https://itspm.ag/imperva277117988
Devo | https://itspm.ag/itspdvweb
___________________________
Episode Notes
In this first episode of the new Human-Centered Research Series on the Redefining CyberSecurity Podcast, host Sean Martin and co-host Julie Haney from the Human-Centered Cybersecurity program at NIST chat with Dr. Jason Nurse, a Reader in Cyber Security at the University of Kent in the UK. The discussion revolves around the role of cyber insurance in organizational risk management.
Jason explains cyber insurance's function as a residual-risk tool for when a cyber attack actually lands: it helps businesses recover and connects them with incident response, digital forensics, and PR teams. They discuss how cyber insurance can incentivize better security practices, but highlight the challenge insurers face in assessing security postures across diverse businesses, and the fact that different insurers may ask for different controls. While ransomware features heavily in discussions of cyber risk, Jason points out that insurers don't always encourage ransom payments. Julie raises the issue of accessibility of cyber insurance for small businesses, and Jason describes the 'pre-breach services' some insurers now offer.
Sean, Julie, and Jason debate the role of human behavior in cyber risk, and how it affects organizations and insurance policies. They underscore the value of research in enhancing security practices and conclude by pondering ways to bridge the gap between academic research and practical implementation in cybersecurity.
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
Between a rock and a hard(ening) place: Cyber insurance in the ransomware era: https://www.sciencedirect.com/science/article/pii/S016740482300072X
Cyber Insurance and the Cyber Security Challenge: https://kar.kent.ac.uk/89041/1/RUSI-Kent-OP-Cyber-insurance.pdf
Mapping the coverage of security controls in cyber insurance proposal forms: https://jisajournal.springeropen.com/articles/10.1186/s13174-017-0059-y
Impact 2024: https://www.theimpactconference.com/impact-usa/
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
How Risk Management and Human Behavior Shape Security Strategies: The Untold Impact of Cyber Insurance on Businesses | Human-Centered Cybersecurity Series with Co-Host Julie Haney | Redefining CyberSecurity Podcast with Sean Martin
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] And hello everybody. This is Sean Martin, host of the Redefining Cybersecurity Podcast here on the ITSPmagazine Podcast Network, where I have the pleasure of chatting with loads of smart people who know much more than me about lots of things. There is no lack of domains to cover in cybersecurity and risk management, and
add privacy and advanced tech to the mix, and it gets pretty crazy pretty quickly. And today I'm thrilled. Those watching will see that Julie Haney's on. She's been on the show before, and she kindly agreed to have a semi-regular sub-series here on Redefining Cybersecurity.
No commitments in terms of how often or what topics, but the point is there is a domain around [00:01:00] human-centered cybersecurity and looking at the human elements of cybersecurity, which Julie and her team excel at at NIST, and they work with a lot of people to help that program excel and help organizations succeed in their programs. And
this is the first of those. So I'm thrilled to have this conversation, and she brings something very special with her to help us talk about cyber insurance and the role of the human element in cyber insurance. So Julie, I'm going to pass the mic to you: a few words about yourself, what you do at NIST, and then over to Jason for what he's up to.
Julie Haney: Yeah. Thanks, Sean. Thanks for having me. So, as Sean mentioned, I'm Julie Haney. I lead the Human-Centered Cybersecurity program at NIST, where we look at all things related to the human element, a lot of those non-technical things that we see in cybersecurity, and how we improve
[00:02:00] cybersecurity experiences and outcomes for people. So for a number of years I've been a big fan of Dr. Jason Nurse and his research. I think I once called myself a Jason Nurse groupie. When I started doing research a number of years ago, some of his research in this human-centered cybersecurity area was
inspirational to me, and I've always found that his group's research has real practical application. And so I thought more people should have the opportunity to hear about what he and his group are doing. So with that, I will ask Jason to introduce himself. Just tell us a little bit about what you do and how you got there.
Jason Nurse: Hi. Thanks very much, Sean and Julie, for the introduction. Really delighted to be here. So my name is Jason Nurse and I am a Reader in Cybersecurity [00:03:00] at the University of Kent in the UK. For US folks listening in, Reader, right, is a really odd title for an academic. But basically Reader, I believe, translates in the US to sort of like professor, I think professor without a chair, if you know what any of those words mean.
For those of you that are not in academia at all, just think of me as another academic that likes to research some really interesting stuff. So a lot of my work has focused on the human aspect of cybersecurity, as Julie mentioned. I'm really passionate about understanding why humans act the way they act in the context of security.
I won't lie, security is a complex topic, and I really believe that we need to get security to a place where it isn't a bother for people. They don't look at security and get turned off or get frustrated, and security isn't seen as the department of no. This is always one thing that I'm really passionate about and really focused on.
But in addition to that, what I also do is [00:04:00] focus on research that's interdisciplinary as it relates to cybersecurity. So topics such as cyber insurance, topics such as behavior change, topics such as cybersecurity and policy, cybersecurity and politics, cybersecurity and international relations.
So I do have quite a wide remit in terms of stuff that I'm interested in. But yeah, very happy to delve into any of those, and especially the topic of cyber insurance.
Julie Haney: Awesome. Thanks for being here, Jason. So yeah, let's dive into cyber insurance. So what's the main purpose of cyber insurance?
Why is this becoming increasingly popular in recent years?
Jason Nurse: Yeah, so I think the key thing about cyber insurance, and the way I love to explain it, is, you know, think of phone or car or home insurance. The gist of it is that the reason you buy home insurance is that it kicks in to protect you in situations where things go really bad. So, you know, you have your [00:05:00] home, you come home one day or you wake up one morning and you see that all of a sudden your kitchen is flooded.
You know, what's happened there? How do you respond? How do you respond quickly? Often people will call their insurer and basically seek some support. But in general, insurance is about this idea of residual risk. You put things in place to deal with potential problems, but in the situations where things actually go horribly wrong, insurance often kicks in. And in cyber, this is exactly what it is.
So the basic idea is that an organization would purchase a cyber insurance policy, much like you or myself would purchase a home insurance or car insurance policy. And in the situation where the organization is breached, they've lost personal data,
they've been exposed in some particular way, basically they've suffered a cyber attack, the idea is that in that scenario they can call up their insurance company and basically receive some support. There's a variety of different support depending on the insurer. [00:06:00] Some insurers offer immediate support in terms of putting you in contact with incident response companies, digital forensics companies, PR companies to, you know, help you determine what should you say,
who should you say it to, how do you navigate the regulatory landscape wherever you are, especially depending on where your customers are, in terms of who has been impacted. So cyber insurance really kicks in there, and that's where, especially around this idea of data breach and data breach notification, that's where it came from.
That was the initial motivation for cyber insurance.
Sean Martin: And I'm curious, Jason, because sometimes, and I know it's probably faulty thinking on my part, because as I'm sitting here thinking about what you're describing and thinking of the broader insurance market, I still have this thought that cyber insurance is the backstop or the backup plan for when things go bad, and therefore [00:07:00] we can
let some risk fly that maybe we wouldn't otherwise consider, because we have insurance. That doesn't necessarily translate, right? I don't drive more recklessly than I normally do because I have insurance, right? Or different policies at different levels of coverage. So I can't see that that really translates there, but what impact has cyber insurance had on
programs, posture, response, all the things that this touches?
Jason Nurse: Yeah. So really good question. And, you know, your skepticism isn't unwarranted. So, I first got into cyber insurance research around 2013, 2014. And at that point in time, when I was sort of reading through the bits of research that were out there in the space at that point in [00:08:00] time, one of the big questions was around moral hazard, and around the fact that why would someone invest in security when they can just go buy cyber insurance?
In other words, behave as badly as possible, and if an attack does happen, oh, we have a cyber insurance policy. But just like you kind of highlighted, I have a car insurance policy, but that doesn't mean I'm going to drive recklessly. It just doesn't work like that, partly because, especially when it comes to organizations and businesses,
the average person that works for a business doesn't want to treat that business recklessly, especially because the eventual impact will fall back on them in some regard. They'll lose their job, their employer will maybe be shut down, all these kinds of things could happen, they could eventually be fired.
So all that kind of stuff kicks into play. What we've seen, more so, is that cyber insurance has had a bit of a positive impact in some particular regards on organizations' security posture. And [00:09:00] that's an interesting thing, simply because, so some of my initial research about two or so years ago, we asked exactly this question.
We tried to figure out, can cyber insurance be an incentive for better security practices within organizations? Because we were seeing, of course, bits and tidbits of research, tidbits of articles, some news stories talking about cyber insurance being a good thing or a bad thing for security. And what we found out in our study, which involved speaking to, I think, almost a hundred security and cyber insurance practitioners, was that cyber insurance can actually really help cybersecurity.
And the gist of it is that as an organization comes to an insurance organization and says, hey, so for example, Sean, if I come to you and I say, hey Sean, I'm a company and I want to buy cyber insurance from you, you will typically say, okay, tell me a bit about your security. And maybe I tell you, okay, you know what?
My security is rubbish. You'll often respond and say, okay, [00:10:00] well, goodbye, see you later, not interested. So what actually happens more often than not is, if I say my security is bad, or if I say my security is at this level, you might actually respond and say, okay, you know what? I might consider underwriting you, however, you have to do X, Y, and Z in terms of security.
I think that's where it can be particularly valuable. It provides this avenue, this sort of platform, to nudge companies into behaving a bit more securely. Or, in a similar type of scenario, let's say you do decide to underwrite me, but I'm not really doing great in security, you might say,
but you know what, Jason? If you implement X, Y, and Z in security, if you implement the NIST Cybersecurity Framework, or if you implement ISO 27001, or, you know, whatever security practice, then I might give you a reduction on your premium. So instead of paying $10,000, I might make you pay $7,000.
So that's the initial gist of how cyber [00:11:00] insurance can actually gently nudge companies to have a better security practice.
Julie Haney: Yeah. So that sounds very positive. And as, unfortunately, a glass-is-half-empty type of person sometimes, I'm wondering, have there been any negative impacts of cyber insurance on the market?
Jason Nurse: Yeah. Yeah, definitely. Unfortunately, yes. And the reality is there's been, even though it's been anecdotal to some extent, it's probably worth mentioning. Let's take the example of ransomware. So ransomware, extremely hot topic now, everyone is talking about it.
Governments across the world are trying to nudge organizations: you know, please take cyber seriously, bolster your cyber resilience, because attackers are coming, and if they hit you, you can be offline, potentially permanently. And what we saw, especially in the early [00:12:00] days of ransomware attacks, is that
attackers were basically trying to hit organizations that they knew had cyber insurance. And we saw some anecdotal evidence around this. Some attackers were actually coming out publicly and saying, hey, we especially go after organizations that have cyber insurance, because we know that they can pay out.
And we know that they have the funds. And this is an interesting question, and it's one we actually got a chance to delve into a bit more. But the idea here was that because an organization has an insurance policy, they could potentially draw down on that to pay a particular ransom.
So what we did see, to some extent, was some attackers basically trying to leverage that to nudge organizations to pay out. Now, I don't think it's necessarily that clear cut. So there have been other bits to consider, definitely. But I think [00:13:00] insurance has been overall good. But of course there are these sort of, let's say, nuances where it doesn't work as perfectly.
And even this idea, as I mentioned just now, of using cyber insurance to nudge better security practices, even that doesn't always work well, simply because if I go to 10 insurers, they might request 10 different security profiles, or 10 different security postures.
So I, as an organization, it's really difficult for me at times to understand what does good security look like? And insurers themselves are struggling a bit with that, to be honest, because each insurer will not necessarily be sure what good security practice looks like, or will have a slightly different opinion.
And arguably what you might find is that in some situations insurers might prioritize security controls that they can see are offering, let's say, best value based on reducing the number of claims or reducing the size of [00:14:00] attacks. But these might actually conflict. Let's say the government, or a government, decides, okay, everyone should use ISO, or everyone should use the NIST CSF.
An insurer might arguably say, actually, maybe don't worry about that too much, because we actually find that if you implement these three controls, these actually reduce the majority of our risks. So these are the only three that we're going to ask for. So I think that's also an interesting dynamic, how we think about cyber insurance versus all the other stuff in the context of security.
Sean Martin: And then I'm wondering, Jason, I don't know, maybe it was 15, I can't remember how long it's been since I turned from product manager to journalist, or marketing journalist. But one of my first areas of coverage, and I want to say it's around 15 years ago now, was around cyber insurance, and one of the big talking points was, I'll call it the maturity level, or the lack thereof, [00:15:00] for this space.
Yeah. And the main point within that is the lack of data, right? To determine what's a good risk, what's a bad risk, what's a good policy, what are good coverages, and that kind of thing. I know we've done a lot, or the industry's done a lot: companies that are insured, and the insurers and the underwriters, they've all matured tremendously in the last 15 years, but we're far from perfect.
So I'm wondering, what are some of the challenges that still exist? And are there any other challenges that this world faces at the moment?
Jason Nurse: Yeah, great questions. I think data is a big one. Data is massive, because the reality is that insurers, their focus and a lot of their business is driven by data,
and reliable data. If we look at the insurance industry focusing on natural [00:16:00] disasters or floods or burglary, you know, an insurer will be able to tell you with relatively good certainty, if you park a car on this road between this hour and this hour, how likely it is to get burgled.
They'll be able to tell you with good certainty, because that insight is what they need to determine a premium, right? In security, we don't have that yet. And one of the big challenges actually in security is that the nature of cyber is so dynamic. It changes so quickly, it changes
immensely quickly compared to other insurance lines. And because of that, it forces insurers, it basically moves insurers out of their comfort zone, one, and then two, it forces the insurers to really think very carefully about what data they need. And it forces them to try to build up this data, unfortunately, over a long, [00:17:00] long period of time.
Now, one thing that complicates that even further is the reality that cyber is, as I mentioned, just so dynamic. Today the massive threat is ransomware. There is no guarantee that tomorrow or next week something won't emerge that blows ransomware right away,
and all of a sudden there's a new threat. Gen AI is a really good example of that. Gen AI, and what's happening there, there's a lot of questions around: is Gen AI going to take over? I mean, sorry, not take over the world. Is Gen AI going to take over in terms of being a significant threat for businesses, for organizations? Are attackers going to start to use Gen AI?
Are we going to see attackers creating their own GPTs that create malware? We've already seen, I think, one or two. I think WormGPT was one of them that has popped up already. So I think the reality here is that because the environment can change so quickly, insurers also struggle to [00:18:00] properly characterize that risk to the extent that they can actually write policies with a good level of certainty.
And around the early days of ransomware, what we saw with exactly this issue is that some insurers were making significant losses because of underwriting organizations, and they were paying out to cover ransomware attacks. And they were staying in the game. They were staying in the industry.
And the reason they were doing that was to try to get more data on, okay, what is ransomware? How significant is it? But eventually many, many insurers had to step back because the losses were too significant. So this idea of data is essentially critical. I did some work actually a couple of years ago, because I'm fully aware of how significant data is, trying to understand the extent to which insurers might
come together and actually create an almost pre-competitive data set. So every insurer would pour into this one data set, so we could say, okay, using [00:19:00] this data set, we all can use it however we want, but using this data set, we can actually better understand cyber risk. We can better understand the impact of security controls.
We can better understand how effective one security control is versus another control. There was no appetite for it, because the reality at that point was that every insurer viewed their insight as a competitive advantage. So the insurance industry was not there yet.
Julie Haney: Yeah, I was wondering, that's super interesting. Because if you think of, like, life insurance, they have a lot more data, as you mentioned. So you mentioned different security controls that different insurers might prioritize. How do insurers make sure that organizations are actually implementing those controls that they say they are, and that they kind of maintain that level of security [00:20:00] over time?
Jason Nurse: Yeah. The reality is that some insurers sort of trust, they trust that an organization is going to do it. One of the realities as well is that insurers may say to an organization, okay, every year you'll sign up and you'll say yes, okay, tick the box saying that you do X, Y, and Z,
or implement A, B, and C controls. Now, let's say a breach occurs. And let's say in the post-mortem the digital forensics firms find out and identify that actually, you said that two-factor authentication was on all admin accounts, but that was not at all the case. Then the reality is that an insurer could decide they're not paying out.
Right. So in that regard, the company was essentially not being truthful or honest to the insurer, which, as we all know in terms of insurance, immediately invalidates the policy. So that's one thing that could potentially happen. Another thing that [00:21:00] insurers have started to try to do is, so here in the UK, and I assume, I'm sure it must be an international thing as well,
once again, if I use the analogy of car insurance, if an insurer, an automobile insurer, is, let's say, a little bit unsure about an individual, a driver, they could be a bit risky, we're not sure, but you know what, let's underwrite them.
What typically the insurer might say is, we're going to install a black box on your car. And essentially this black box monitors how fast you drive, where you are, how dangerous your driving is, and it monitors various different aspects of the individual's driving.
And maybe at the end of every month the premium might change, because the idea here is that the monitoring is happening live, so the insurer can make better decisions on how risky the person is. So if the person is less risky, maybe the premium might go [00:22:00] down.
If the person is more risky, maybe the premium might go up, or when it comes to renewal they might not be renewed. And what we're seeing actually in cyber insurance is a little bit of that. Some insurers are offering, let's say, a virtual black box to sit on a network to better understand what threats,
or the extent to which there are threats, or there is, let's say, bad security behavior on an organization's network. In addition to this, what the black box sometimes can also do is help quickly pick up potential intrusions. So that's the sort of flip side, in that the insurer may say, hey, we have this installed. One,
it of course allows us to monitor, just to see your security profile, your security posture. Two, it also can help flag up any potential threats based on our own intelligence. And I think both of these potentially can work together, and that's how insurers get the insight into organizations.
One other quick thing I'll mention, which I've seen occurring quite a bit actually [00:23:00] over the last year or so, is close partnerships between insurance companies and security companies. This is an interesting one because, in some regards, it makes perfect sense, and a lot of it is driven by the fact that insurers need data.
Security companies have data, and it can be a really good mix of expertise, because, I mean, Sean, you mentioned it as well, one of the realities is that for some insurers, they don't have the expertise in cyber yet. I remember, this is probably going back a little while now, probably about six or seven years ago, I had the pleasure to speak at a cyber insurance conference in Paris.
And I think what was super interesting about that was there were a lot of people in the room that underwrote cyber insurance and that were in the cyber insurance space, but very, very few people actually had the security expertise. So they had [00:24:00] written other insurance lines and they were sort of looped into cyber because cyber was becoming a thing.
But when you engaged them in the context of security attacks, even a baseline level of understanding when it comes to security, whether it be underwriters or brokers, they didn't have the expertise. And I actually worry quite a bit about, you know, the state of the cyber insurance market in terms of expertise
in brokers and insurers. I'm sure it's getting better, but I'm not sure where it is as yet.
Sean Martin: Yeah, it's interesting. I've actually seen some security companies that offer cyber insurance as well, and it's almost their main product in some cases, but certainly some that offer protections and response capabilities also offer the insurance.
And I want to go back to that black box example. Because to me, even the controls in many [00:25:00] cases are technical controls, looking for technical threats, dealing with technical attacks, right? So it is all technical stuff, right? We're going to look for this threat, identify it, and block it.
That's all sitting on the network, sitting on machines. And then there's the human that does stuff, many times not even through a computer. I had Sean Tuman, I haven't published the episode yet, but he works for a law firm. We talked a little bit about cyber insurance. He mentioned that ransomware has changed to some degree with respect to cyber insurance:
fewer claims for that, and almost an increase in business email compromise and payment fraud. So those things end up occurring out of band, [00:26:00] away from traditional security controls. So I'm wondering how you view the role of cyber insurance in understanding human behavior on and off a device, on and off a network, on and off company stuff versus personal stuff at home.
An executive working at home on their own local network, without the protections of the corporate controls, still under the guise of that company's insurance program, perhaps. So, human behavior. I love the black box, because yes, it's probably plugged into the bus, it's looking at some of the details of the car,
speed and things like that. But perhaps in a smart car, it could look at the person's facial expressions. An electric car, I know, has this capability, right? It could look at their facial expressions, listen to the "oh [00:27:00] crap" moments when they're about to hit the brakes, right? And hear that they were talking on the phone beforehand.
That's a behavior that they can monitor through these devices. We don't have that same level of monitoring, perhaps. So how does the human factor, the human behavior, come into play here from a cyber insurance perspective? I don't know if there are other areas of insurance that we can learn from there.
But what's the state of that, I guess, is my main question.
Jason Nurse: Yeah. Uh, it's, it's something that I haven't seen, uh, emerge massively, uh, if I'm honest. Um, the reality is that often in some of these regards, it's, especially for insurers, um, it's easier to, to monitor or to measure the technical elements. So, um.
A company's, uh, let's say number of open ports or what ports are open, uh, or what files have been clicked on. And so it's easy to, it is, let's say easy [00:28:00] to measure from that perspective and then therefore create a security posture for a company which then leads to, uh, premiums, etc. It's easy to measure that. The human element is more challenging for, for, for certainly.
The, the area that I've seen pop up most, to be honest from, from insurers, is engaging more with companies to help offer what we call, um, pre-breach services. So, so to your question, I haven't seen much of it. Uh, and it's really a significant threat. I think, um, insurers know it's a threat, uh, in our insurers know it's of, it's of concern.
And I think what I've seen insurers trying to do is, once again, this idea of pre-breach services, let me just explain that now. So the, the gist is that insurance, traditionally it would kick in after something bad happens. Uh, so if, uh, a data breach happens, you'll call up your insurer, they'll provide you support.[00:29:00]
Now what I've seen is that the insurers that are actually really good, they are really, really keen to support an organization in terms of their security from beginning to end. So what they try to, what they aim to do is if an, or if they sign up an organization, they'll say, okay, we're gonna make a number of services, security services available to you to boost your security posture.
One of these services that I've seen being, being offered is security awareness and training programs, especially organizations that don't have it. Uh, and these insurers basically say, we know that from our, usually from our analysis of claims, from our analysis of data, from monitoring of the, the environment, we know that, uh, the, the human element is of significant concern for most organizations, and therefore, as a part of our services, a part of our policy to you.
We are offering you this, or we will, or we will recommend that you train your people using this platform or this service. [00:30:00] Uh, and that's how they try to integrate it. But in general, there's not much more that I've seen after that, to be honest. I think probably at this point in time, the insurance industry is really just trying to, it's really getting, sorry, getting itself into gear.
It's starting to better understand security, starting to better understand threats or to better understand the attacks. Uh, as Julie and I were talking about just now, even better understanding effectiveness, uh, I worked on a project a couple years ago. And the primary aim of the project, we had one aim, it's a couple years for a project.
Um, how do organizations or how can we better understand how effective security controls are? And personally, I don't believe the security industry has a perfect understanding of that in terms of what's effective security control, if we put this security control, if we have two security controls, how do we determine which are, are?
And, and, you know, relatively good confidence. Which or which control is the most effective at actually helping? And I think that is really, really critical because for an insurer, they need to know [00:31:00] that insurer will know that, um, a particular lock on a door is more effective than the next lock on a door because it can be shown very clearly that, you know, this lock is weaker.
This lock can be barged open. This lock doesn't have two catches or doesn't have three catches. In security, we don't really have that yet. Uh, and of course it's, it's even much more complicated by the fact that, uh, in security when it comes to security products, when it comes to products or, or, or, or most, um, most software, uh, there's an additional complexity of patching.
Today a piece of software might be secure; tomorrow there might be a zero-day that's found, and then all of a sudden this software that everyone thought was secure now is completely insecure. And if you don't patch by tomorrow, you know your entire environment could be vulnerable to compromise.
This is the reality that we live in. Yeah, I want,
Julie Haney: I wanna go back a little bit about, you were talking about pre-breach services and I was thinking that the organizations that could [00:32:00] benefit most from those are the small businesses that don't have, for example, you know, dedicated security staff, um, that might not be as aware of risks.
And I was wondering, how are small businesses using cyber insurance? Are they buying them? Can they, can they afford these policies in the first place?
Jason Nurse: Hmm. Yeah. So they could at one point in time. Uh, they can't so much now, or they can't so much less over the last year or so. And a lot of the challenge simply has been because, because of ransomware, um, and in part, even because of Covid, because remember that for many insurers.
Cyber insurance was part of the business that they had, but they were doing other things as well. Uh, you know, many insurers haven't spun up initially as their big cyber insurer. They and the right other parts of, of insurance, and they'd have added a cyber [00:33:00] line. Now the reality is that Covid, uh, stretched many insurers, um, in terms of paying out for business interruption, paying out for various other things, which meant that there was much more stress on their finances.
And when we think about ransomware in particular with insurers once again, paying out quite early on, um, once again, there was much more stress on their finances. So the reality is that potentially, let's say five or a bit more years ago, um. Um, SMEs, small to medium-sized businesses or enterprises.
They could get cyber insurance. Now it's very, very difficult for them to get it. But I think the key to, to the key to sort asking your question is of course the value. What's the value of cyber, of cyber insurance for SMEs? And I think there's immense value and I think it comes down to, to a couple things.
One thing I'm probably, the thing that stands out the most is cyber insurance offers SMEs, um, services and, and security support that they would not otherwise be able to, to access or, or to, to secure. [00:34:00] A key finding from, from some of our research was that larger organizations, they will buy a cyber insurance policy because to be honest, they understand and boards understand insurance.
They understand the value of insurance. So, to be honest, some boards might understand the value of insurance better than they understand the specifics of security. So they would buy cyber insurance. But they would not call upon their cyber. Even if they have an incident, they would not call upon their cyber insurance policy unless the breach is significant.
Now, for an SME, for a smaller organization that doesn't have an IT department or that has one person or a quarter of a person responsible for security, the value of cyber insurance is that if they get breached, they can call one number. So they can call up their cyber insurer, they can say they've had a breach.
The cyber insurer will respond by connecting them to an incident response team, a digital forensics team, a uh, breach response counsel, um, a PR firm, [00:35:00] um, a data recovery company, all basically this entire suite of expertise that there's, um, there's probably no way the average cyber insurer would be able, the average small business rather, would be able to, uh, afford on its own.
So I think that is the key value. This sort of, it opens this expertise that would just never, ever be on the table. I think that's the key value, I think for cyber insurance. But like I said, the challenge now is that, um, because the insurance has been so, so stretched because of, you know, ransomware, these other, these other threats.
On, uh, for right now, on average, the, the average SME can't get insurance. So I think the key thing though is to try to hopefully get the market in a place where we can get, uh, um, SMEs be able to dip into cyber insurance once again because it's immensely valuable for them.
Sean Martin: I want to, uh, uh, it's great information, Jason, and clearly, uh, you have your finger on the pulse, uh, of this and do guess what research on this. So [00:36:00] I wanna, I wanna get a picture from you of the types of research that you are working on. Um, maybe a deeper dive into this. What, what areas of cyber insurance are you looking at? So, and how do you do that? Do you go in looking for a specific answer? Do you, do you have a feeling that you're trying to uncover and validate? Do you have, um, some proof points that you want to dispel? What, how, how, what's the approach? What are you looking at? Um, and we'll start with the cyber insurance stuff. What, what, what things are you doing there?
Jason Nurse: Yeah, I think so.
One, probably the key thing that I'm, I'm exploring or I've been exploring at the moment, or I've been exploring, let's say, for a couple years now, is the interaction between cyber insurance and security, a part of that has been ransomware. Um, because, so I remember a couple years ago, and this sort of kicked off one of the projects I'm, I'm sort of working on in this question about everyone believed that cyber [00:37:00] insurance was the reason that, or not everyone and a large proportion of individuals believed that cyber insurance was the reason that ransomware was getting as bad as it was getting.
So myself, uh, and some colleagues, we basically explored this question, uh, the way we explored it, and a lot of my research, it involves actually talking to the people involved. Um, so I'm a massive believer, go Max. Once again, the human element to some extent. I'm a massive believer that some insights can only really be uncovered by sitting down and having really frank, really upfront conversations with people.
Each individual, especially the individuals that we speak to, has such a wealth of expertise. They've worked on insurance, they've worked on ransomware, they've worked on government policy, all the different areas for such period, such an extended period of time. I find these conversations valuable. So a lot of my research now really is based on interviews, focus groups, engaging with people who are working with these problems day in day out to better understand them and better understand how we can actually tackle [00:38:00] these issues. So in terms, in terms of, um, some research now looking at ransomware and cyber insurance, in terms of, uh, has ransomware, has cyber insurance led to this, led to the, let's say, the exacerbation of this threat of ransomware?
Um, from my findings from that, no, it has not. Uh, yes, it had some limited impact. We can't deny that because insurance does, um, provide, uh, businesses with money or capital that they wouldn't have had, um, if they, if they had been hit. But the reality is that many insurers don't just say, oh, you've been hit.
Here's the money. Go and pay. Many insurers will say, well, okay, let's look at what we can do to bounce back before we even think about payment and I think that is quite critical. Many insurers will also say, Hey, we have a suite of people that we can call in, try to find out what's going on. I hope we can get you back on your feet before even discussing or, or opening a conversation or opening a dialogue with attackers.
So that, that's one of the key ones. Um, another thing that I'm trying to focus on, that I'm focusing on right now is cyber [00:39:00] insurance and SMEs in particular. Um, like I mentioned, I think there's immense value that, that, uh, cyber insurance can offer to SMEs, but I think that we don't really have a good understanding of that currently.
Uh, so a lot of my stream of my research is really on trying to understand that what is the specific value, what's the ideal touch points, what questions should insurers be asking. Uh, how should insurers be engaging with SMEs? Are there specific types of SMEs? Are there specific controls or control sets suitable for SMEs? In the UK, for example, we have, um.
We have something called Cyber Essentials, uh, and this is sort of government-backed, uh, let's say security standard to some extent, uh, which is recommended for SMEs. But I'm aware that, you know, internationally, I'm not sure if such standards exist. So from country to country might have various different guidance for SMEs on how to be secure or how not to be secure.
So I think the question for me is how do we better understand companies from that perspective and how do we better support SMEs in the context of cyber insurance, given how valuable it can be. [00:40:00]
Julie Haney: That's fantastic. I mean, you're really looking at the problem from a lot of different angles. Um, I was wondering, because I know that when I've been doing, um, human-centered cybersecurity research over the last eight years or so, um, and I've covered a lot of different topics, it seems like when I'm, I'm going and reading research papers that have been done on the topic before, I always come across a paper that has Jason Nurse as a co-author, um, I, it just happens. It, it, it just happens. So I know that you've done quite a bit of work in other areas other than, uh, cyber insurance. Um, so I was wondering if you could talk a little bit about some of those other interests in, um, recent years. And I know you've also, um, um, expanded some of those into, um, you know, kind of informing government policies and, and, and kind of putting out some resources for practitioners to use. So yeah, if you could just [00:41:00] talk a little bit about some of those other things you're looking at.
Jason Nurse: Yeah, of course. Um, I think this is, this is, this is sort of, um, definitely an example of, of what I like to do in that, the reality is that, um, I love being academic because I like focusing on interesting stuff.
Uh, and I won't lie, there've been many days where I've woken up and I've thought, oh. Research on IoT security sounds interesting. Let's do some of that for a couple years, or, Hmm. Research on AI does sound quite interesting. AI seems to become a big, let's do research on that for a couple years. And, and to be honest, I, I love it and it keeps, you know, some of it's quite steep learning curve, but, but you know, it really is super interesting.
But, uh, some topics I focus on. So one is probably, if I go back to, I actually IoT, um, smart home security, um. This, this is, you know, whether we like it or not, um, smart devices are gonna be in our homes. Um, we won't have a choice, so we have to engage with them. But the reality, of course, is [00:42:00] what are the security, privacy implications of the devices in our homes, uh, and what, how do they pose, how do they put, uh, expose us to risk that we haven't considered or the average person hasn't considered?
Um, I remember about, uh, about five years or so, uh, I needed to buy a new TV. And I went into the shops. I went, I looked online and I could not find a TV that was not a smart TV. Impossible. Impossible. Um, and I think this is, this is a really good example of the reality. Um, I think surely we even mentioned sort of connected cars and, you know, so there's, for me, there's this idea of.
Uh, so smart homes understand the risk there, understand the risk to security, privacy and implications for that. Um, another big area that I am fascinated about is, um, how organizations communicate as it relates to, um, when they suffered a, a breach or a cyber security incident. Um, 'cause I've seen that many organizations communicate in many, there many different ways, some of which might not be [00:43:00] as, as nice or, or as appropriate as, as they could be. So I think that's also another, uh, key area for me. And then probably, um, I am very interested in, uh, I mean, there's so many. I'm just, I'm just sort of, I've lost my train of, train of thought, but I was, I was maybe just to stick with those, those are probably a good set.
Sean Martin: What we're gonna do, um, is we'll link to your profile and any, any, uh, other web links you wanna share, Jason, that, uh, people can go to, to find some of your material. Yep. Sounds good. And, uh, of course, a lot of your work is, is, uh, part of what Julie's, uh, preparing and, and delivering as part of her work at, at NIST.
So we'll include links to her program there and, uh, some of her deliverables and, and, uh, and other, uh, things that companies should, should, uh, explore. I, I want to, um. [00:44:00] I wanna take this moment. Uh, we're gonna wrap here on the cyber insurance topic. Um, but I wanna take this moment to let folks know that the two of you are gonna be together again in Virginia, at an event with other researchers, uh, looking at this, this fascinating world of human-centered, uh, cybersecurity, um, you're both speaking there. It's called Impact 2024 conference. Um, I don't know, Jason, you want to kinda give an overview of what that is and, and, uh, what the two of you have going on there?
Maybe and say what you're speaking about. Julie can share her session.
Jason Nurse: Yeah, of course, of course. And, and thanks for mentioning it, Sean. Um, so Impact 2024 is essentially a, a collaboration between CybSafe, NACE, MITRE and the National Cybersecurity Alliance. Um, and the key thing about impact is I think the key, the key gist of it is we recognize that [00:45:00] there's a lot of academic conferences where academics sit, want to speak to academics.
We recognize that there's a lot of industry conferences where industry people come and speak to industry people. But the reality is that there's not any, as we can find clear conferences or, or, or basic meeting places for academics and researchers to talk about the exciting stuff that they're doing to an industry audience.
And the entire gist of impact is to really try to, or, or to basically, um, cement, uh, and, and bring academic research and put it in front of the people that really would love to use it and would love to engage with it. The, from, from, I mean, we've run this conference for the last couple years now, and every time we hear industry folks basically saying, the stuff that they're doing, I would love to do. I just don't have the time. Like why is it taking so long to put this insight in front of me in terms of what, what academia is doing and how it can be valuable to me and my organization. So I think this, for me, this is the key value. It's sort of this key event, this networking event, this, this gathering where researchers, so for example, like Julie, [00:46:00] myself, and others, could come along and engage with industry professionals that have clear industry focused problems.
And we can come to really start, begin a dialogue. And I think, Julie, do you wanna talk a little bit about your, your session in particular?
Julie Haney: Sure. So, so my talk is actually, um, covering exactly the purpose of it is all is about the purpose of impact, that bringing research and practice together. Um, so at NIST, um, this past, uh, year or so we've been doing some research about the research practice gap.
Um, so looking at, um, you know, how can we bring this human-centered cybersecurity research insights so that it can be implemented into practice? Um, I know that I was a practitioner for a long time and I didn't know about any of this research. And when I became a researcher, I thought, wow, like this stuff could have really helped me in my work, but I just didn't know about it.
Um, 'cause I didn't, you know, I didn't know where to look, didn't have [00:47:00] the necessarily the time to look, wasn't sure like what I would do with it, how I would implement any of that. So we've been, we've been looking at this, this kind of gap, this disconnect, um, from both the practitioner perspective, um, you know, what do they think of human-centered cybersecurity?
What are the challenges that they have implementing that in their, in their daily work? And then also the human-centered cybersecurity researcher perspective. So how are they collaborating with, um, practitioners throughout their entire research life cycle? And are they doing that right? Are they, um, are they consulting practitioners when they're first thinking of a research topic so that they make sure that's relevant?
Are they, um, consulting them when they're kind of developing recommendations to make sure those are actionable, um, and practical in an operational context? And are they, you know, putting out research outputs that are geared toward practitioners in a form, in a language, in a venue that practitioners [00:48:00] will have access to.
Um, so that's what I'm gonna be talking about is some of our research results.
Sean Martin: I love it. And, um, Julie, I mean, that's why I'm so excited about this sub-series with, with you looking at, uh, the research. I mean, as you noted, many practitioners may not know that the research exists, and if it does, how to get a hold of it and more importantly, put it to practice.
And, uh, I'm excited to see what, uh, what else we get to talk about in, in future episodes. And I, I definitely want to thank Dr. Jason Nurse for being the first guest as, uh, part of this, uh, part of this, we'll call it a series and, uh, super important topic. Love the work you're doing, Jason, and, uh, thrilled that we're able to pull this together along with, with Julie from NIST.
And, uh, excited for more of these conversations. So, uh, for [00:49:00] those listening, be sure to, uh, subscribe, share with your fellow practitioners and, and security leaders and anybody else who would be interested in this research, um, from NIST and Jason and others. And, uh, yeah. Thank you both for, for a great conversation.
Really appreciate it. And Julie, thank you for being a fabulous co-host for this conversation as well.
Julie Haney: Thanks and thanks, Jason.
Jason Nurse: Thanks a lot. Thanks for having me.
Sean Martin: All right. Stay tuned everybody. We'll see you on the next one.