Budapesti Műszaki és Gazdaságtudományi Egyetem

Location: IB110 

Most firms are exposed to cyber risk via harms including lost confidential data, ransom demands and the associated disruption, post-breach litigation and regulatory fines, and destroyed hardware and operational systems. This raises the question of how to evaluate the effectiveness and adequacy of security controls designed to prevent such incidents occurring. Quantified risk management provides one decision making framework, but this necessitates adequate measurement techniques and the availability of relevant data. This talk presents findings from three papers: (1) A systematization of knowledge on quantifying cyber risk presented at Oakland'21; (2) a novel approach to extracting loss estimates from insurance prices; and (3) ongoing work trying to track the likelihood of different incidents longitudinally. I will relate these ideas and results to ongoing research topics at CrySyS Lab including ICS risk.