Resilience is Answer to Major Cyber-attack

Researchers from The Ohio State University measure economic consequences of cyber attacks

According to survey results released by Business Insurance last Thursday, risk management professionals believe that their bosses and boards aren’t taking cybersecurity as seriously as they did last year. The report comes just as Dr. Zhenhua Chen from The Ohio State University and Adam Rose from the University of Southern California released a preliminary report of their research examining the major economic consequences of a cyber-attack in terms of GDP and employment.

The survey, the seventh annual released by Zurich Insurance Group Ltd., shows that 62 percent of risk professionals said that their board of directors recognized cyber risk as a significant threat to the organization, down from 83 percent a year ago.

“Cyber-attacks continue to pose an extreme threat to the U.S. — major security breaches in private industry and government are on the rise,” says Dr. Zhenhua Chen, a research fellow of The Risk Institute and assistant professor at The Ohio State University. “These attacks haven’t yet caused major cross-sectorial damage, but the potential is there.”

Cyber-attacks can shut down industrial facilities, critical utilities and infrastructure systems, interfere with military operations, and compromise national security. And it isn’t just supposition; we’ve already seen it happen.

In Ukraine last December, hackers successfully blacked out a portion of the nation’s capital for about an hour. As reported by Wired, cybersecurity researchers discovered “disturbing evidence” that the Kiev attack was almost certainly a dry-run for a much larger attack using the “most evolved specimen of grid-sabotaging malware ever observed” outside of a controlled setting.

Chen’s research focuses on answering three questions: 1) What are the economic consequences of a cyber-attack measured in terms of GDP and employment? 2) How do the consequences vary when the attacks are targeted among different critical infrastructure sectors, such as manufacturing and cyber sectors? 3) What is the potential of various cyber-resilience tactics to reduce losses?

Chen’s overall research objective is to improve risk management for cyber-threats among both private and public sectors through better understanding of the economic consequence of cyber-attacks and the benefits of various cyber resilience tactics in reducing these consequences.

As a result of an extensive literature review, Chen and his team identified that although a plethora of studies have attempted to identify the economic impact of cyber-attacks, there is a lack of a systematic approach to evaluate economic impacts of cyber-attacks in terms of GDP and employment changes. They also realized that while several studies have addressed pre-disaster approaches to risk reduction (e.g., mitigation), very few studies have addressed post-disaster approaches to recovering cyber capabilities (e.g., resilience).

Chen has developed two attack scenarios to assess the direct costs and identify post-attack resiliency options. The first is a hypothetical cyber-attack scenario that assumes the supervisory control and data acquisition (SCADA) system of the auto-manufacturing sector in Michigan is disrupted by a cyber-attack for ten days. The second scenario pertains to a disruption of cyber sectors used by a broad range of industries in the event of a natural disaster such as an earthquake.

Zhenhua Chen is a research fellow at The Risk Institute. The Risk Institute at The Ohio State University’s Fisher College of Business exists to bridge the gap between academia and corporate America. By combining the latest research with the real-world expertise of America’s most forward-thinking companies, the Risk Institute isn’t just reporting risk management’s current trends — it’s creating tomorrow’s best practices.

Post Executive Education Series, “Identify, Plan, Protect: Using Cyber to Your Advantage”

On April 19, 2017, The Risk Institute at The Ohio State University, Fisher College of Business held an engaging conversation, as part of its Executive Education series, on the topic “Identify, Plan, Protect: Using Cyber to Your Advantage”.

As we see on an almost daily basis, Cyber Risk and Crime have become a part of our lives. During the first few weeks of 2017, we witnessed a large restaurant chain’s register payment systems impacted and a large business services firm’s marketing database with over 33 million corporate contacts shared across the web. Without much difficulty, multiple other examples can be found across any number of industries.

We were fortunate to have had Ohio Attorney General Mike DeWine introduce the topic to our audience of executives. AG DeWine is passionate about Cyber Crime and Cyber Risk and its impact upon the citizens of Ohio.

The session focused on raising the conversation of the obvious current situation with regard to Cyber Risk and Crime, but also considered risk mitigants that businesses can take. The speed at which crisis communication and Public Relations plans are treated and managed is certainly at the forefront of dealing with Cyber challenges within business. So much so that the phrase “Fiasco Vortex” has been coined (see Glass Jaw by Eric Dezenhall). In the 21st Century, communication never sleeps. We live in a 24/7 news cycle that demands a much different treatment of Cyber Risk and Cyber business continuity planning.

An organization’s business continuity plans will need to be tested to respond to geographic-specific exposure that could have wider impact upon the business and its customers. Our speakers highlighted, from their diverse experiences and backgrounds, how companies can take a proactive approach to Cyber Risk and Crime.

Session leaders Helen Patton, CISO, The Ohio State University; Jim Trainor, SVP, Aon Cyber Solutions and former head of the FBI Cyber Division, Washington, DC; David White, CIO, Battelle Memorial Institute; and David Lyon, Senior Manager, The Crumpton Group, LLC, collaborated to provide insight into:

  • Cyber: A View from the CISO Trench
  • Cyber Threat Landscape 2017 and Beyond
  • Cyber Security’s Impact on IT Operations
  • The Role of Intelligence in Cyber Attacks: Offense vs. Defense

The session emphasized how to proactively use risk management to balance the risks related to Cyber Risk in order to meet business goals and enhance business performance.

The session did an excellent job of creating thought-provoking ideas and advancing The Risk Institute’s unique role in uniting industry thought leaders, academics and highly respected practitioners. This is an ongoing dialog to advance the understanding and evolution of risk management in our world today. The Risk Institute’s conversation about risk management is open and collaborative with its relevance across all industries and its potential for competitiveness and growth.

Not If, But When – Facing Cyber Risk in the Digital Age

By Professor Bernadette A. Minton
Academic Director, The Risk Institute
Arthur E. Shepard Endowed Professor in Insurance
The Ohio State University Fisher College of Business 


When the World Wide Web was invented nearly thirty years ago, the concept of what today’s cyber landscape would look like was little more than science fiction. Rapid advances in technology coupled with the growth of the Internet have revolutionized the way businesses and individuals interact. Integrated networks are allowing organizations to access, analyze, use and share information more easily than ever before. The composition of firms in the global economy is changing from organizations producing primarily material goods to those creating intangible assets relying on technology and intellectual property.

Yet, as the global economy becomes increasingly Internet-connected, organizations, while reaping the potential benefits, are simultaneously exposed to an increasing array of known and unknown cyber threats. Not a day goes by without the news of another cyber attack taking place at another organization. The conventional wisdom is not “if a cyber breach will happen” but “when will it happen.”

In the upcoming Risk Institute Executive Education Risk Series, we kick off the 2015-16 academic year with a discussion on the evolving environment of cyber threats. Our session leaders from Battelle, EY and Aon will collaborate to provide executives with insights into how to:

  • Embrace a systematic approach to understanding the evolving cyber landscape and assess the various cyber threats facing the organization
  • Develop an integrated and enterprise-wide approach to consistently assess the organization’s vulnerabilities to cyber threats
  • Proactively quantify their organization’s cyber exposure and apply potential risk management and insurance solutions to help insulate the exposure
  • Apply current findings of research on cyber vulnerability to the products and services

Overall, the half-day session will emphasize the importance of balancing the power of cyber ecosystems with the associated risks to create organizational value.

To learn more or to register, please visit the Risk Series page.