Risk case: cyber risk and AI – Changing landscape | Newswaise


By Lawrence A. Gordon, PhD

In today's world of interconnected computer-based information systems, cyber risk has become one of the important risk factors affecting organizations. In fact, several studies have shown that cyber risk (i.e., the possibility of being the victim of a successful cyber attack) is one of the top risk concerns, if not the top concern, for private as well as public sector organizations. Auditors have also recognized the important nature of cyber risk for organizations, as evidenced by the American Institute of Certified Public Accountants' development of a cybersecurity risk management reporting framework. Cybersecurity risk is also a significant concern for the US Securities and Exchange Commission (SEC), as reflected in its 2023 disclosure rules, which require registrants to include Item 1C (Cybersecurity) in Form 10-K and to disclose cyber incidents in Form 8-K.

AI models

The technical arsenal used by organizations to manage their cyber risk includes things such as encryption, access control, intrusion detection and prevention systems, firewalls and system restoration. Over the last two decades, AI (artificial intelligence) models have been widely used to assist the above methods in preventing and responding to cyber attacks. For example, AI-based machine learning models facilitate intrusion detection and remediation, predictive analytics, financial fraud detection and real-time responses to cyber incidents.

Although AI helps defend organizations against cyber attacks, it is a double-edged sword. At the same time, AI is providing cyber attackers with an array of cost-efficient techniques that facilitate their cyber attacks. Sophisticated AI-generated phishing attacks, social engineering attacks, and ransomware attacks have made the cyber-attack landscape more deadly.

Game-theoretic aspects of cyber risk

The AI-based models used by cyber attackers and cyber defenders are growing rapidly. As a result, the strategic interaction between cyber attackers and cyber defenders has become more automated, more dynamic, more adaptive and more complex. These developments have heightened, and to a great extent changed, the game-theoretic aspects of cyber risk.

Unfortunately, there is no dominant strategy that gives an organization (as a cyber defender) a clear path to reducing the possibility of becoming the victim of a successful cyber attack. Notwithstanding the above, it is well known that an organization becomes a less attractive target for cyber hackers (i.e., reduces its cyber risk) by investing in various types of cybersecurity-related activities. This raises the following fundamental question: how much should an organization invest to prevent, or at least reduce, the possibility of a cyber incident?

Cost-benefit perspective

Although there is no definitive answer to the above question, the Gordon-Loeb model provides a well-established framework for deriving the optimal amount to invest in cybersecurity-related activities. The Gordon-Loeb model, which is based on cost-benefit analysis, includes the following three main components: (1) the potential cost associated with a cyber incident, (2) the probability that a cyber incident will occur, and (3) the benefits from investing in cybersecurity (i.e., how spending on cybersecurity reduces the probability of a cyber incident).
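The three components can be turned into a calculation. The sketch below is an added example, not code from the article or its author: it assumes one commonly cited functional form for the breach probability, v / (alpha*z + 1)^beta, and the loss, vulnerability, alpha and beta values are constructed for illustration.

```python
import math

def breach_probability(z, v, alpha, beta):
    """Component (2)+(3): incident probability after investing z.
    Assumed form: v / (alpha*z + 1)**beta, where v is the probability with z = 0."""
    return v / (alpha * z + 1.0) ** beta

def expected_net_benefit(z, v, loss, alpha, beta):
    """Reduction in expected loss (component (1) times the probability drop) minus spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z

def optimal_investment(v, loss, alpha, beta):
    """Maximise expected_net_benefit over z >= 0.
    First-order condition: v*loss*alpha*beta = (alpha*z + 1)**(beta + 1)."""
    z = ((v * loss * alpha * beta) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    # If the first dollar already costs more than it saves, invest nothing.
    return max(0.0, z)

def analyze(scenarios, loss, alpha, beta):
    """Return one row per scenario: (name, v, z*, net benefit, z* / expected loss)."""
    rows = []
    for name, v in scenarios:
        z = optimal_investment(v, loss, alpha, beta)
        rows.append((name, v, z, expected_net_benefit(z, v, loss, alpha, beta),
                     z / (v * loss)))
    return rows

# Constructed inputs: a 1,000,000 loss and three vulnerability levels.
LOSS, ALPHA, BETA = 1_000_000.0, 1e-5, 1.0
SCENARIOS = [("low exposure", 0.05), ("medium exposure", 0.5), ("high exposure", 0.8)]

if __name__ == "__main__":
    for name, v, z, enb, share in analyze(SCENARIOS, LOSS, ALPHA, BETA):
        # A known result of the model: the share stays below 1/e (about 37%).
        print(f"{name:16s} v={v:.2f} z*={z:>10,.0f} net benefit={enb:>10,.0f} "
              f"share of expected loss={share:.1%} (1/e={1 / math.e:.1%})")
```

With these constructed values the low-exposure scenario yields an optimal investment of zero, which illustrates that spending is not automatically justified when the expected loss is small relative to the productivity of the investment.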

In addition to considering the total amount to spend on cybersecurity-related activities, an ancillary question for organizations to answer is: how much of our organization's cybersecurity budget should be dedicated to developing and implementing AI models designed to reduce the possibility of a cyber incident? In answering this ancillary question, organizations need to consider the costs associated with AI models.

The cost of developing and implementing new AI models designed to reduce the possibility of a cyber incident depends on many organization-specific factors. These factors include, but are not necessarily limited to: (1) whether the organization has to develop a specialized AI model or can use an existing open-source AI model, (2) whether or not new personnel need to be hired to develop and implement the AI model, and (3) whether new software and/or hardware is needed so that the AI model can be properly integrated into the organization's existing information systems.

Concluding remarks

Ultimately, the economic aspects of managing an organization's cyber risk program need to consider both the costs and benefits related to defending against cyber attacks. However, given the increasing use of AI-based models by cyber attackers and cyber defenders, the game-theoretic aspects of cyber risk have taken on new dimensions. The winners in this new game will probably be those most familiar with the development and implementation of AI models.

Lawrence A. Gordon is an Alumni Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, University of Maryland (UMD). He is also an affiliated professor in the UMD Institute for Advanced Computer Studies.
