Chapter 1 – The Economics of Cybersecurity: Advantage Attackers
Chapter 2 – Dangerous and Effective: China’s Digital Strategy
Chapter 3 – The Solar Winds of Change: The Threat of Systemic Cyber Risk
Chapter 4 – Outdated and Ineffective: Why Our Current Cybersecurity Programs Fail to Keep Us Safe
Chapter 5 – Reinventing Cybersecurity: A Strategic Partnership Approach
Chapter 6 – The Cybersecurity Policy We Need: Incentivize, Modernize, Economize
Chapter 7 – Health: Cybersecurity as a Core Element of Patient Care
Chapter 8 – Defense: Leveraging the Dual Economies of the Defense Industrial Base
Chapter 9 – Financial Services: Regulation Isn’t Enough
Chapter 10 – Energy: Protecting the Smart Grid
Chapter 11 – Retail: Serving Consumers and Keeping Them Secure
Chapter 12 – Telecommunications: Managing International Risk in a Post-COVID-19 World
Chapter 13 – Information Technology: Defining How to Govern IT
As our critical infrastructure and service providers become increasingly interconnected, and leverage common hardware, software and vendors, the nation’s cyber risk level is dramatically increasing. Although more attention has been paid to managing systemic risk in the wake of the SolarWinds and Exchange server attacks, most cyber risk management efforts still focus on codifying firm-specific best practices and incentivizing individual companies to adopt them. For example, the leading cyber risk management frameworks – provided by the National Institute of Standards and Technology (NIST), the ISO/IEC 27000 series and the Center for Internet Security (CIS) controls – focus largely on protecting a company’s own networks and assets. However, numerous examples demonstrate that risk manifests not only at the individual company level, but at the systems level, cascading across suppliers, vendors, business partners and customers. Cyber risk management needs to advance materially and marry company- and systems-level views of cyber risk. This chapter aims to further frame the dynamics of systemic cyber risk. First, it provides definitions of firm-specific and systemic cyber risk to establish clarity and level-set. Next, the chapter briefly describes a few recent systemic cyber risks to provide the reader with better context. Then, it reviews the current framework for assessing cyber risks to National Critical Functions (NCFs) and recommends enhancements. Last, recommendations are provided for work that can be done by the Federal government, in collaboration with industry, to better defend the nation’s critical infrastructure from systemic technology failure.
Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity
2500 Wilson Blvd, #245
Arlington, Virginia 22201
ISA provides cybersecurity expert testimony and thought leadership in government and serves as an expert witness to the press.
Anthony Shapella is the Director for Enterprise Risk Management, Liability and Financial Lines at AIG. Previously he worked at Towers Watson as a General Management Consultant and as a credit analyst at Susquehanna Bank. He has a master’s degree in strategic management from the Fox School of Business at Temple University and a bachelor’s degree in business administration and finance from Mount St. Mary’s University.