The Future of Cyber Risk

Professor Daniel Ralph is a Founder and Academic Director of the Centre for Risk Studies, Professor of Operations Research at the University of Cambridge Judge Business School, and a Fellow of Churchill College. Daniel’s research interests include identification and management of systemic risk, risk aversion in investment, economic equilibria models and optimisation methods. Management stress test, via selection and construction of catastrophe scenarios, is one focus of his work in the Cambridge Centre for Risk Studies. Another is the role and expression of risk management within organisations. Daniel engages across scientific and social science academia, a variety of commercial and industrial sectors, and government policy making. He was Editor-in-Chief of Mathematical Programming (Series B) from 2007-2013.

Dr Andrew Coburn is Chief Scientist of the Centre for Risk Studies, coordinating the inputs of consumers of research into the Centre’s risk agenda. Andrew is the principal coordinator of the research programme on ‘System Shock’ at the Centre.

Andrew is one of the leading contributors to the creation of the class of catastrophe models that over the past 20 years has come to be an accepted part both of business management in financial services and of public policy making for societal risk. He has extensive experience in developing models and using them for business decision support. Andrew has also provided research inputs into government policy, such as House of Congress legislation on terrorism risk management policy and urban planning for disaster mitigation in Mexico, Metro Manila, and Southern Italy.

Visit Dr Andrew Coburn’s profile

Dr Richard Clayton is a software developer by trade running a software house that created operating systems and word processors used by millions in the 1980s. In 2000 Richard returned to Cambridge to study for a PhD and he has stayed on as an academic because “it is more fun than working”. He is the Director of the Cambridge Cybercrime Centre, based in the Computer Laboratory, leading an interdisciplinary team that not only research cybercrime themselves but also create enormous datasets that allow other academics to do their own cybercrime research with real world data. 

Conrad Prince served from 2008-2015 as the Director General responsible for the intelligence and cyber operations conducted by Britain’s signals intelligence and cyber security agency, the Government Communications Headquarters (GCHQ). In March 2015 Conrad was appointed the first UK Cyber Ambassador, a post he held until February 2018, when he left Government service. As UK Cyber Ambassador he provided strategic advice to a range of partner governments on establishing national cyber security strategies and capability programmes. On leaving Government service Conrad took up a range of advisory roles relating to cyber and security, including as a senior adviser to Pool Reinsurance. He is a Distinguished Fellow at the UK think tank the Royal United Services Institute, and their senior cyber adviser.

How can technology bring people together offline and improve lives? That is what Erin tries to answer through her ideas, projects, and explorations of technology. Community drives her passion for technology. To that end, she developed Extraqueericular.com, on online platform connecting the LGBTQ+ community to LGBT-friendly services and events. Her interests lie in web application development and security. You can follow her on Twitter.

Justin Clarke-Salt is a Managing Director in Aon’s Cyber Solutions. He is in charge of Aon’s proactive business development and partnership efforts for the Security Advisory and Security Testing practices for EMEA (formerly parts of Stroz Friedberg and Gotham Digital Science). Justin also oversees the Red Team services and capability development within the firm, as well as directly overseeing individual client engagements globally in his role as a CREST Certified Simulated Attack Manager (CCSAM) for regulatory Red Team testing such as CBEST, iCAST, and TIBER.

Justin has more than 21 years of experience providing organisations with security and risk management services. He is an internationally recognised expert in the field of information security. He has assisted Fortune 500 and FTSE 250 corporations with information security assessment and advisory services, including the management and running of compliance focused security testing programmes for some of the largest financial services organisations in the world.

Justin is a published author in the areas of application and network security, including as the lead author/technical editor of SQL Injection Attacks and Defenses (Syngress 2009, 2nd Edition 2012), co-author of Network Security Tools (O’Reilly 2005), and a contributing author to Network Security Assessment, 2nd Edition (O’Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Justin is also an active member of OWASP, having recently stepped down from chairing the OWASP London chapter for over seven years.

Dr Jennifer Daffron is the Cyber Research Lead at the Cambridge Centre for Risk Studies. Her research interests include defining and exposing cyber threat vulnerabilities on organisational and human behavioural platforms. Jennifer holds a PhD in Experimental Psychology from the University of Cambridge.

Winston Krone is the Global Managing Director of Kivu Consulting, an international technology firm specialising in the forensic response to data breaches and proactive IT security compliance and risk reduction. Winston has handled hundreds of incidents globally in healthcare, professional services, education and financial institutions. He has frequently testified as a cyber expert in post-breach litigation – including as expert for Uber in their 2015 data breach, and as an expert for Apple in multiple class actions alleging privacy violations – and has presented his findings to regulators in the US and UK. Winston is both an English solicitor and California attorney, receiving his law degree from Oxford University. Since 2017, Winston has been based in Amsterdam, supervising Kivu’s EU operations, and working with the London insurance market on innovative risk reduction solutions.

About Kivu: With offices in the US, Canada, London and Amsterdam, Kivu is a pre-approved cyber forensics vendor for all leading North American and European insurance carriers, with a particular expertise in ransomware and cyber extortion.

Dr Gordon Woo is an internationally recognised expert on risk management, with a particular focus on man-made catastrophe risks. In 2004, Newsweek magazine described Dr Gordon Woo as one of the world’s leading catastrophists. He has 30 years of experience in catastrophe risk consultancy, advising financial institutions, governments and major corporations.

His involvement in cyber risk extends back a decade to April 2009, when he was invited to address the Singapore Island Forum, organised on behalf of the Singapore government, focusing on cyber risk. Since then, he has researched extreme cyber risk using the framework of counterfactual risk analysis, which he pioneered for terrorism.

A top mathematics graduate at the University of Cambridge, he completed his PhD at MIT as a Kennedy Scholar, and was a member of the elite Harvard Society of Fellows. He also has a postgraduate Cambridge degree in computer science.

He is an adjunct professor at Nanyang Technological University, Singapore, and a visiting professor at University College London. He is the author of two books published by Imperial College Press: The Mathematics of Natural Catastrophes and Calculating Catastrophe. He is also a co-author of Solving Cyber Risk, published by Wiley.

Mike Jones (sting3r) has a background in cryptology. He has performed numerous penetration tests for various industries such as the Department of Defense, major financial institutions, casinos, telecoms, and various others. Mike has developed exploit techniques both network and app-based as well as physical. The experience Mike has had has been on both sides of security, being a long term member of various hacking groups and APT nation-state groups. His experience was refocused to helping industries protect themselves. The key to a good defence is to know who you’re defending against.

Sille works for an Estonian company Clarified Security that is focused on delivering practical security services like red teaming on production and cyber range exercises, manual penetration testing and hands-on security courses. She is among other things responsible for “making magic happen” but mainly organizing and coordination of red team exercises and project management. She is also a trainer for the operational side of incident response.

Before joining the team, she was responsible for incident response and reporting on national and international level (including both large scale cyber attacks in 2017) and organizing both technical cyber security seminars and end user awareness raising campaigns at CERT-EE. Before operational incident response she worked on escalations and fraud prevention in a large international corporation.

She has participated in the largest live-fire cyber exercise Locked Shields as both Blue Team and Red Team member and as a Blue Team member at a large number of national and international cyber range and tabletop exercises.

Sille holds a MSc degree in Cyber Security from Tallinn Technical University and a BA degree in Business and Public Management from Tallinn University and is currently obtaining a MA in Communication Management.

Jasson Casey serves as Chief Technology Officer at SecurityScorecard and is responsible for product management, engineering, research, and platform operations. Jasson has 20 years of experience delivering security and networking products to all markets and customer types, including global enterprises and carriers. He also serves as a Fellow in Cyber Security with the Center for Strategic and International Studies (CSIS), and as Advisor to IronNet Cybersecurity, a security startup founded by Gen. (Ret) Keith Alexander.

Prior to joining SecurityScorecard, Jasson was VP of Engineering at IronNet Cybersecurity and oversaw development of the vendor’s revolutionary collective intelligence platform and pioneered new approaches to total network observability, including limitless wirerate packet capture with truly elastic retention abilities, and a complementary stack of trusted streaming and batch data analytics. He also brings a long history of innovation advocacy for Software-defined Networks (SDN) through his work founding and leading Flowgrammable, and serving as a member of the Software Leadership Council at the Open Networking Foundation. Previously he held roles in product management, business development and engineering with CenturyTel (CenturyLink), Level3 (CenturyLink) and Alcatel (Nokia).

Jasson has a BSEE from the University of Texas at Austin and is a PhD candidate in electrical engineering at Texas A&M University.

Timothy Olson is Vice President of Cyber Risk and Breach Response for Symantec, a world leader in cyber security (www.symantec.com). Symantec helps organisations, governments and people protect their digital lives at home and across their devices.

Tim is responsible for Symantec’s global cyber risk and breach response practice leveraging its suite of Norton and LifeLock products. Operating one of the largest civilian cyber intelligence networks, a global community with over 50 million people, allows Symantec to see and protect against the most advance threats.

Tim is considered one of the foremost experts in breach response in the US and starting in 2004 he has personally supported thousands of organisations’ data breach events – many of the largest and most publicised in US history including Boeing, Bank of America, Target and The Walt Disney Company.

He has also assisted with many of US government related breach events such as the Federal Trade Commission, Internal Revenue Service, Veterans Affairs, State Department and the National Archives – to name a few.

Prior to Symantec, Mr Olson was Vice President of Experian (www.experian.com) where he launched Experian’s breach response practice growing it to become the dominate provider in the US and UK with over $150 million of annual revenue.

Tim also served as General Manager within Experian’s consumer business unit responsible for its strategic accounts including Google and Facebook. In this role, he developed new business channels that exceeding $500 million in annual revenue. Additionally, Tim spearheaded work for Experian in the emerging markets of Brazil and India.

Tim is a graduate of Brigham Young University, Provo, Utah where he attended the Marriott School of Management. He is fluent in German and is a FAA certified licensed private pilot. Tim has received numerous professional awards including finalist of the Ernst & Young Entrepreneur of the Year. He was also a member of the Board of Directors for the Maricopa integrated Health System.

Tim with his wife Kristen reside in Arizona and have six children and 16 grandchildren.

Stephen co-founded BitSight in 2011 and serves as the Chief Technology Officer. Prior to founding BitSight, Stephen was President and Co-Founder of Saperix, a company that was acquired by FireMon in 2011.

While at the MIT Lincoln Laboratory, Stephen was a member of the Cyber Systems and Technology Group where he led R&D programs solving large-scale national cybersecurity problems. Before MIT,  he worked at Caldera Systems, an early Linux startup.

Stephen holds a bachelors degree in Computer Science from Brigham Young University and Master of Science in Engineering and Management from the Massachusetts Institute of Technology.

Mingyan Liu is the Chair of Electrical and Computer Engineering at the University of Michigan, Ann Arbor, where she has been a professor of Electrical Engineering and Computer Science since 2000. She received her MSc degree in systems engineering and PhD degree in electrical engineering from the University of Maryland, College Park, in 1997 and 2000, respectively. Her research interests are in optimal resource allocation, sequential decision theory, incentive design, and performance modelling and analysis, within the context of large-scale networked systems. Her most recent research activities involve online learning, modelling and mining of large scale Internet measurement data and the design of incentive mechanisms for cyber security. She is the recipient of the 2002 NSF CAREER Award, the University of Michigan Elizabeth C. Crosby Research Award in 2003 and 2014, the 2010 EECS Department Outstanding Achievement Award, the 2015 College of Engineering Excellence in Education Award, the 2017 College of Engineering Excellence in Service Award, and the 2018 Distinguished University Innovator Award. She is a Fellow of the IEEE and a member of the ACM.

Dr Jason R.C. Nurse is an Assistant Professor in Cyber Security at the University of Kent. He is also a Visiting Academic at the University of Oxford, a Visiting Fellow in Defence and Security at Cranfield University, and a professional member of various associations relating to cyber security research and practice. His research concentrates on investigating interdisciplinary approaches to enhance and maintain cyber security for organisations, individuals and governments. This considers the full spectrum of technologies in use today and encompasses topics such as human aspects of security, dimensions of cyber crime, identity security in cyberspace, privacy and security in the internet-of-things, and fake news and rumours on social media. Prior to joining Kent in 2018, Dr Nurse was a Research Fellow at the University of Oxford for seven years. For his research into the interdisciplinary aspects of cyber, Dr Nurse was nominated as a Rising Star within the UK’s EPSRC RISE Awards Campaign.

James is a member of the Data Protection, Privacy and Security team and undertakes a wide range of information law work including data protection, e-commerce, cyber security, direct marketing and freedom of information.

James is the co-editor of the popular DLA Piper Data Protection Laws of the World Handbook and a regular speaker at external conferences and events. He has an international client base, and particular interest and expertise in the Insurance and Life Sciences sectors.

In a cyber security context, James provides advice on to clients on data breach management, including advising on cross-border notification mandates and managing privileged engagement with third party security consultants.

Stephen is a former Chief Information Security Officer (CISO) in the financial services and insurance/reinsurance sectors with over 20 years experience in IT and security roles. He founded Cyber Risk Aware in 2016, having consistently found that cyber criminals were targeting people not systems. Stephen firmly believes that staff are the greatest security asset in a company and are not the weakest link like so many others would make you believe. An effective information security programme must include a human-centric approach, otherwise it will fail.

Dom is a Director at PwC’s UK Firm. He leads the work in EMEA supporting clients on the topic of Cyber Risk Management and Quantification. His clients include corporations managing their operational resilience and financial exposure to cyber events, as well as insurance companies seeking better understanding of the cyber risks in their portfolio liabilities.

Dom has a deep technical background in risk management and the development of modelling approaches for complex risks. With a team of cyber experts, actuaries and risk modellers, he supports companies around their exposure and management of cyber risk. Dom has helped companies to quantify their cyber operational risk capital requirements, their cyber insurance purchasing needs, and shown the benefit of quantification frameworks to support board risk reporting and cyber security investment decisions. Dom has an engineering and modelling background, and was previously employed for a risk modelling vendor firm.

As part of Marsh JLT Specialty’s London-based FINPRO, Sarah and her team, based in London and throughout Europe, work directly with our clients and network colleagues to make sense of cyber, technology, and media E&O (PI) risks, and create leading edge bespoke insurance solutions in the London and European market.

Prior to joining pre-acquisition JLT in 2015, Sarah spent 12 years with Aon in a variety of roles. Most recently, Sarah was Aon’s Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions. Previously, Sarah spent seven years with Aon’s US cyber and errors & omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the account management group working with large clients and developing a keen eye for excellent client service.

Sarah received a Bachelor of Arts with Distinction from Duke University in Durham, North Carolina in 2002, and earned an Associate in Risk Management (ARM) Certification in 2005. She is a member of the Professional Liability Underwriting Society, and formerly part of the Northern California Chapter Steering Committee and chair of the Europe Chapter Steering Committee. She currently serves on the Cyber Insurance Curriculum Advisory Board.

Eric Durand joined Swiss Re in 1990 as a research scientist in the Natural Perils team, developing new analysis and simulation models for European storms and their effect to insured portfolios. He then worked for Swiss Re Australia as a cat specialist and underwriter for a period of two years before returning to Zurich to take over the leadership of a group of Property/Casualty treaty underwriters.

In 2002 he was appointed to SR-Iberica in Madrid as Chief Underwriting Officer for the Iberian Peninsula, before returning three years later to Zurich as Underwriting Manager Treaty Property. In 2014 Eric transitioned to Swiss Re’s Group Underwriting to lead the newly created Cyber Center of Competence and to coordinate the company’s efforts with regards to Cyber activities. He also leads SwissRe’s project on Solar Storms and their effect to the bulk power grid.

Eric Durand grew up in Neuchatel (Switzerland) and after spending a senior high school year in Michigan (USA) graduated in Electrical Engineering at the ETH in Zürich. He holds a PhD from the same institution in Biomedical Engineering.

Based in London, Christos leads RMS’ Climate Hazards-Dry and Cyber Risk modelling teams researching and developing modelling frameworks and solutions for the reinsurance industry.

He has worked at RMS since 2006 developing mathematical models of catastrophic risk from natural and man-made perils, including the Cyber Accumulation Management System (2016, 2017), Cyber Solutions (2018), typhoon models for South Korea and Taiwan (2016), probabilistic flood maps for Taiwan (2015) and South Korea (2014), the European wind storm model (2011), and the North America winter storm model (2008). He has also researched and developed efficient and scalable computational modelling frameworks.

Before joining RMS, Christos worked as a post-doctoral Associate and an Assistant Scientist at the University of Miami’s Rosenstiel School of Marine and Atmospheric Science (RSMAS) from 2003 to 2006. He holds a PhD in Atmospheric Sciences from the Department of Atmospheric Sciences of the University of Illinois at Urbana-Champaign. He earned an MSc degree from the Department of Atmospheric Sciences of the University of Wyoming. Christos’ bachelors degree in Mathematics is from the Aristotle University of Thessaloniki, Greece.