Cyber in ESG and pricing externalities


KLINTS, Konrads (SG/Advisory)

Oct 10, 2022, 11:25:54 PM
to sira-...@googlegroups.com
Hello,

Some people put Cyber in ESG. As far as I understand, the idea behind ESG is to pay for economic externalities, making them a cost of doing business; e.g. carbon emissions aren’t a cost, pollution is therefore free and there are no incentives to reduce it.

But what’s there for cyber? Most cyber risk, e.g. ransomware, is already a cost of doing business, so there is no need for that risk to be part of ESG. On the other hand, part of a data breach impact is borne by victims. How should we price that risk? In health there’s the concept of micromorts, which was a means of capturing spread-out impact; should we coin “microcybers”? And if so, how much would be a good spend to reduce the risk - dollars per microcyber?


I tried to tackle this question over here, but I don’t think I came close enough to price it: https://medium.com/@truekonrads/does-cyber-belong-in-esg-and-how-much-it-costs-e0d383597127

--

Konrads Klints, KPMG Singapore |  Cyber Serenity is possible












Jeff Lowder

Nov 13, 2022, 10:15:14 PM
to KLINTS, Konrads (SG/Advisory), SiRA-public
Hi Konrads,

This probably isn't the feedback you're looking for, but I am not a fan of this:

The likelihood of a data breach per year is N%, the impact on company will be X and the downstream impact on customers will be Y per customer, to a total of X+Y. If we spend Z to improve our controls, we will bring the overall likelihood of incident to less than M% which is the most we can reasonably do and if there is a data breach, here is how we will help our stakeholders mitigate the costs. This would bring the total Annual Loss Expectancy to $K

In my opinion, the problem with the "likelihood of a data breach per year is N%" is that it blurs the distinction between frequencies and probabilities, and what we need is a way to clearly distinguish scenarios where we might expect multiple incidents per year (example: successful phishing attacks) from rarer events which might happen at most once per year. While it is a little bit more complicated, I think the best way to accommodate this is to think in terms of a frequency distribution (where N might be once a decade, once every 5 years, once a year, 10 times a year, 100 times a year, etc.) and for each value in the frequency distribution have a probability value. Example: 1% chance of once every 10 years, 2% chance of once every 5 years, 5% chance of once a year, 20% chance of 10 times per year, etc.

Jeff

--
What's new, SIRAnaut? Check us out at http://societyinforisk.org & on twitter [@societyinforisk]
---
You received this message because you are subscribed to the Google Groups "SiRA-public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sira-public...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sira-public/AM7P138MB0145D6A9998AB7D5F7F670F5F2239%40AM7P138MB0145.EURP138.PROD.OUTLOOK.COM.

Jack Whitsitt

Nov 13, 2022, 10:29:54 PM
to Jeff Lowder, KLINTS, Konrads (SG/Advisory), SiRA-public
Let me rephrase this a little, and see if you agree?

We use "likelihood" as an aggregate unit for three different input units: Actual Expected Frequency, Potential Frequency Variance from Actual, and Confidence in Actual/Potential Frequency - the former two being driven by the mechanics of the events in play and the latter being driven by data pertinence (reference class specificity) and data source trust (actual actuarials calibrated estimates, uncalibrated estimates, and so on).

I think it's fine to group these together into "confidence an event will happen in a given year" as long as the input drivers are called out (mechanics + data pertinence).

Tangent:

I do think a chart calling out those three in one graph is valuable and fairly interesting. When I do it, it's used to illustrate the amount of confidence I have and opportunities for increased visibility.

Also, for funsies, you can set visibility/confidence thresholds for the kinds of decisions you get to make with the forecasts...


Jack Whitsitt

Nov 13, 2022, 10:45:12 PM
to KLINTS, Konrads (SG/Advisory), sira-...@googlegroups.com
This is just an extension of the appetite/tolerance problem. ESG just makes it clearer. Organizations don't feel or experience risk; individual humans and human communities do. If you don't understand your multi-stakeholder model for risk, you're going to be misaligned no matter how much quant you do.

For instance, ESG can be quantified in one of several ways, depending on your relationship with the rest of the equities in your security:

1. Trust and Reputation Market valuations: You may want to buy something with some stakeholder group's trust/happiness with your ESG stances and work instead of using money. What you do here is quantify how much money you'd lose if you're not able to purchase those things (e.g. "customer stickiness" or "willingness to continue to allow you to pollute without throwing you out of office") on the trust/reputation markets. Calculating those market exchange rates to cash would be fun, but possible.

2. Instead of valuing the Trust/Reputation market losses themselves, you could model cost-to-correct or cost-to-prevent. Basically, you look at what you'd be buying on the trust/rep markets and quantify how much it would cost in dollars to prevent or correct those impacts.

3. You could assume a genuine UN-style multi-stakeholder model - i.e., you assume all stakeholders (even, for example, "the public") have a genuine interest you care about, and so develop distinct appetites, tolerances, and other decision framework/consequence model triggers for each group that has an equity in your security stances. That way your forecast just has different impact units / accumulation assumptions for each stakeholder/appetite group that match how they experience risk. For ESG, you might have a "general public" set, a regulator set, a board set, a stockholder set, an employee set, etc.

I like some combo of all 3. #2 is usually more concrete than #1 and helps better understand actual likely costs, but #1 gets you more insight into the whys and hows of the impacts. #3 can take advantage of #1 and #2 or not.




Naomi Weisz

Nov 15, 2022, 12:56:03 AM
to Jeff Lowder, KLINTS, Konrads (SG/Advisory), SiRA-public
Hi Jeff,

If I could chime in here -- I completely agree. Not distinguishing between frequencies and probabilities is problematic, as it hides the dimension of occurrences per year. The idea of having a frequency distribution is interesting. I think another way to overcome this problem is with a Monte Carlo simulation. When you run a large simulation you can essentially create a frequency distribution from it - for each event type, you can check for each year how many times it occurred, and create the frequency distribution from that data. To be able to do this, you will need a Poisson distribution for how many times each event type will occur in the next year, but that’s possible to create. The Monte Carlo also solves another acute problem, which is the correlation between event types and their tendency to co-happen in the same year.

Naomi



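An added illustration (not code from any poster in this thread) of the approach Jeff and Naomi describe: a Monte Carlo over simulated years with a Poisson count per event type, an assumed shared "bad year" shock so that event types co-occur, and the per-type frequency distribution and ALE read off the runs. The event types, rates and impacts are constructed.

```python
import math
import random
from collections import Counter

# Constructed scenario (not from the thread): two event types, each with a
# Poisson mean count per year and a per-event impact in dollars.
EVENT_TYPES = {
    "phishing_compromise": {"rate": 4.0, "impact": 25_000},     # several a year
    "data_breach":         {"rate": 0.2, "impact": 2_000_000},  # ~once per 5 years
}

def poisson(rate, rng):
    """Draw one Poisson-distributed count (Knuth's multiplication method)."""
    limit = math.exp(-rate)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(event_types, years=20_000, seed=7, shock_prob=0.1, shock_mult=3.0):
    """Monte Carlo over `years` years. An assumed shared 'bad year' shock scales
    every type's rate in the same year, so event types co-occur (correlation)
    rather than being drawn independently."""
    rng = random.Random(seed)
    counts = {name: Counter() for name in event_types}   # events-per-year tallies
    annual_losses = []
    for _ in range(years):
        mult = shock_mult if rng.random() < shock_prob else 1.0
        loss = 0.0
        for name, spec in event_types.items():
            n = poisson(spec["rate"] * mult, rng)
            counts[name][n] += 1
            loss += n * spec["impact"]
        annual_losses.append(loss)
    return counts, annual_losses

def frequency_distribution(counter, years):
    """Map 'events per year' -> probability: the distribution Jeff describes."""
    return {n: c / years for n, c in sorted(counter.items())}

def annual_loss_expectancy(annual_losses):
    """Mean simulated annual loss (the ALE in Konrads' sketch)."""
    return sum(annual_losses) / len(annual_losses)

if __name__ == "__main__":
    counts, losses = simulate(EVENT_TYPES)
    print(frequency_distribution(counts["data_breach"], len(losses)))
    print("ALE:", round(annual_loss_expectancy(losses)))
```

Because the shock scales both rates at once, years with several phishing compromises are also the years in which a breach is most likely, which independent per-type draws would miss.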

Jeff Lowder

Nov 15, 2022, 1:11:04 AM
to Naomi Weisz, Jeff Lowder, KLINTS, Konrads (SG/Advisory), SiRA-public
I have actually built Bayesian networks using the approach I described and then run Monte Carlo simulations with 10-100K trials in order to generate the distributions. 
