What's Your Cybersecurity Rating?

Garud Iyengar and Vishal Misra are helping create a tool that assesses system vulnerabilities in order to standardize metrics for the nascent cyber insurance industry.

Garud Iyengar Interdisciplinary research pioneered by Garud Iyengar (right) and Vishal Misra (left) makes it possible to model the probability of intrusions. Their work makes use of machine learning to identify industry-wide vulnerabilities. (Photo by Jeffrey Schifman)

Garud Iyengar, chair of the Industrial Engineering and Operations Research department, has teamed with Vishal Misra, professor of computer science, to explore the vulnerability of enterprises to cyberattacks and to develop from this study a cybersecurity risk score. With this information, players in the emerging field of cyber insurance will be able to establish pricing policies and set premiums with greater granularity. “As it is now,” Iyengar said, “pricing is not based on actual risk. It’s almost blind.”

“Large enterprises, especially financial companies, are becoming obsessed with knowing their vulnerabilities and building intrusion-proof security,” Misra added, “far more so than even five years ago.” In general, small companies are more vulnerable to malware because they don’t patch or update their software as rigorously as larger firms. In response, several startups are working to identify markers for enterprise systems that will result in more sophisticated and focused insurance policies.

To determine the probability of a malware incursion into a network, Iyengar and Misra are working with data supplied by a New York-based startup called SecurityScorecard, which obtains the information from a proprietary collection of security intelligence sensors—essentially an intelligence engine vacuuming up many terabytes of unique data sets per month from malware analysis pipelines, monitored hacker chatter crawlers, honeypot/sinkhole infrastructures, vulnerability cadence checkers, and deep social engineering sensors. Iyengar and Misra, funded by a two-year Dean’s grant for interdisciplinary research, use machine learning to identify vulnerabilities that are common across systems and companies and then model the probability of intrusions. “Reducing intrusions through best practices is making the world a safer place,” Iyengar said.

Systematizing a way to rank system security is the first part of the researchers’ investigation, which they expect to be put into practice by their industry partner in the fall of 2017. Next on their agenda is to create risk models based on this rank to help the cyber insurance industry price their insurance products appropriately.

By Marilyn Harris