However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.
Interesting comment on page 26:
“It is possible that the impact of cybercrimes on companies goes under-reported, as victims prefer not to disclose that their systems have been compromised. However, the fact that cybercrime is more frequently in the news suggests this is changing. There is a growing market for cyber risk insurance, covering risks ranging from computer security liability to business interruption, cybercrime and cyber extortion. The annual gross written premium for cyber risk-related insurance is US$ 500 million, with the market so far mostly in the United States.27 This is projected to grow over the next decade, especially due to recent regulatory and legal changes. For example, the US Securities & Exchange Commission (SEC) guidance released in October 2011 indicated that a computer breach should be viewed as a potential material event requiring disclosure regardless of whether the breach involved release of confidential data or not. The European Union and Asia have begun to adopt similar breach notice laws.28”

So maybe it was that SEC guidance on breach disclosure that got Davos’ attention. Maybe companies and governments will move towards more disclosure (instead of more punitive laws). With more disclosure, more reputation can be produced. And more reputation will provide financial incentives for distributed cooperation to get better at useful infosec.