The Why and Wherefore of Cybersecurity Risk

There is a song in Gilbert and Sullivan’s “HMS Pinafore” light opera that begins “Never mind the why or wherefore.” Perhaps that has been a problem all along with cybersecurity risk management. We discuss ad nauseam the how, what, when and where of cyberattacks, but seldom do we really understand why they are happening. Yes, we give standard reasons, such as financial gain, revenge, and the like. But do they really represent the true underlying motives? Perhaps we are getting it all wrong, which would explain our failure to identify and curb so many of these attacks that are only getting bigger, broader and more frequent and effective. Now we hear that our drones may be spying on us! See David Shortell’s article “DHS warns of ‘strong concerns’ that Chinese-made drones are stealing data.” If it’s true, it shouldn’t be a surprise. But there are greater concerns, such as so much military software and equipment being sourced from other countries, which may or may not be our friends at some future date.

We need to be aware that the apparent motive behind a cyberattack may not be the real reason. For example, in the financial services sector, where I have spent most of my career, the greatest concern is loss of confidence in the financial system rather than the stealing of funds, although large potential money losses are always a worry. Whereas many attackers are in it for the money, hostile nation states and terrorists may well be more interested in creating chaos and loss of trust, which can be much more devastating than money losses.

Similarly, it was interesting to read Samuel Greengard’s article, “Deep Insecurities: The Internet of Things Shifts Risk,” in the May 2019 issue of the Communications of the ACM journal. Greengard quotes consultant Benson Chan as saying: “In the end, the biggest danger isn’t a device failing or a grid shutting down; it’s a loss of trust in technology.”

In my experience, working on a consulting project for a major payment card company, we were attempting to anticipate which accounts would default. We were able to analyze large amounts of payments data to try to identify which accounts might default. But the results were not conclusive. I suggested that we look at why the accounts defaulted. Was it due to contested charges? Or the incapacitation or death of a card holder? Or sudden financial difficulties? It would have made a big difference to our model if we knew why accounts failed.

I feel the same way about cyberattacks. Do we know the real motives of attackers? Were the employees really disgruntled? Or had they experienced a sudden change in their financial obligations due to, say, a high, unexpected medical bill? Or did they by chance come across an opportunity to steal some money or data that could be sold … and take it? I contend that, unless we have a full understanding of why outside attackers or insiders embark on their nefarious activities, it is well-nigh impossible to apply appropriate deterrence, avoidance or protective measures. There’s a big difference between trying to steal money and attempting to disrupt the system so that customers will lose confidence in it. Money losses by big corporations can usually be absorbed, so the incentive to protect against them is likely to be much less than the desire to avoid loss of confidence. The measures may be similar, but the scale will likely be much greater when reputation and future business are at risk.

Knowing why specific kinds of attack are launched makes all the difference in what measures to take to mitigate cybersecurity risk. It’s well worth making the extra effort to find out the true motives behind attacks.
