Professor Daniel Ralph
Academic Director, Cambridge Centre for Risk Studies, and Professor of Operations Research, Cambridge Judge Business School
Professor Daniel Ralph is a Founder and Academic Director of the Centre for Risk Studies, Professor of Operations Research at the University of Cambridge Judge Business School, and a Fellow of Churchill College. Daniel’s research interests include identification and management of systemic risk, risk aversion in investment, economic equilibria models and optimisation methods. Management stress test, via selection and construction of catastrophe scenarios, is one focus of his work in the Cambridge Centre for Risk Studies. Another is the role and expression of risk management within organisations. Daniel engages across scientific and social science academia, a variety of commercial and industrial sectors, and government policy making. He was Editor-in-Chief of Mathematical Programming (Series B) from 2007-2013.
Welcome Address for The Future of Cyber Risk
Dr Andrew Coburn
Chief Scientist, Cambridge Centre for Risk Studies
Dr Andrew Coburn is Chief Scientist of the Centre for Risk Studies, coordinating the inputs of consumers of research into the Centre’s risk agenda. Andrew is the principal coordinator of the research programme on ‘System Shock’ at the Centre.
Andrew is one of the leading contributors to the creation of the class of catastrophe models that over the past 20 years has come to be an accepted part both of business management in financial services and of public policy making for societal risk. He has extensive experience in developing models and using them for business decision support. Andrew has also provided research inputs into government policy, such as House of Congress legislation on terrorism risk management policy and urban planning for disaster mitigation in Mexico, Metro Manila, and Southern Italy.
The Future of Cyber Risk
Cyber risk has been a topic of research at the Cambridge Centre for Risk Studies since it was originally founded 10 years ago. Cyber was originally cited as an ’emerging risk’ – a poorly understood threat to business and the economy that featured in the first published CCRS taxonomy of threats.
The Centre’s research initially focused on developing scenarios to understand the potential for cyber attacks to cause systemic losses across multiple organisations – a poorly understood concept at the time. Over subsequent years, the Centre’s research has explored many different aspects of cyber risk, including categorising causal mechanisms, quantifying loss processes, and monitoring changes in our annual cyber risk outlooks. The Centre’s work on cyber has ranged from applications in supporting the development of the cyber insurance market, understanding risk in critical national infrastructure, potential for cyber to be used by terrorists, and how large businesses should manage their own cyber risk.
At our 10th anniversary, cyber research now forms over a third of the research programme of the Centre. Over that time, cyber risk has transformed and shifted. Loss processes have evolved, different attack technologies have been deployed, and new defence techniques have been developed. The business community has accepted that cyber risk is something that can be assessed at a particular moment in time, and that annual updates of cyber risk are the appropriate outlook for a risk that is this dynamic.
However, the 10th anniversary of the Centre for Risk Studies is also an opportunity to speculate about how the risk could potentially change over the next 10 years. Several of our research partners and community of business supporters have posed questions to us of how organisations should develop strategic multi-year business plans that can be robust against the changes in cyber risk that could potentially occur during the next decade.
This conference is our response to that challenge. We have invited speakers from many different disciplines and areas of cyber expertise. We have brought together practitioners, advisors and risk capital providers to explore the future of cyber risk. We have posed questions to all of the presenters and participants: how might cyber risk continue to change over the next decade? How should businesses plan to accommodate risks to their digital business systems, suppliers, and counterparties in the longer term?
Dr Richard Clayton
Director of Cambridge Cybercrime Centre, Cambridge Computer Laboratories, University of Cambridge
Dr Richard Clayton is a software developer by trade running a software house that created operating systems and word processors used by millions in the 1980s. In 2000 Richard returned to Cambridge to study for a PhD and he has stayed on as an academic because “it is more fun than working”. He is the Director of the Cambridge Cybercrime Centre, based in the Computer Laboratory, leading an interdisciplinary team that not only research cybercrime themselves but also create enormous datasets that allow other academics to do their own cybercrime research with real world data.
Plus Ça Change: Cybercrime, Past Present and Future
We recently revisited our highly cited 2012 paper on “Counting the Cost of Cyber Crime” and found that in seven years the world has seen huge changes, with the smartphone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows as the most popular operating system, and with many services moving to the cloud.
Nevertheless, the overall pattern of cyber crime is remarkably little changed with the big losses still being in tax benefit and welfare fraud and the amount we are spending to defend against all those exotic new “cyber” threats far exceeding the actual cost of the crimes. Naturally there are new cyber crimes to worry about including ransomware and Business Email Compromise (and old crimes that have almost disappeared), but perhaps the most interesting questions concern whether we view the deployment of cyber-weapons such as the NotPetya worm as crimes rather than collateral damage from undeclared wars? In this talk I gallop through what is currently going on and what is going to determine whether cyber crime becomes more or less important in the next few years.
Predictions are far too hard to do, especially of the future, but it’s reasonably easy to start to learn how to think rationally about threats, threat actors, how to avoid being a victim and what institutional changes we need to see to make us all safer.
RUSI Distinguished Fellow and Senior Adviser Pool Reinsurance; formerly Director General for Operations GCHQ, and UK Cyber Ambassador
Conrad Prince served from 2008-2015 as the Director General responsible for the intelligence and cyber operations conducted by Britain’s signals intelligence and cyber security agency, the Government Communications Headquarters (GCHQ). In March 2015 Conrad was appointed the first UK Cyber Ambassador, a post he held until February 2018, when he left Government service. As UK Cyber Ambassador he provided strategic advice to a range of partner governments on establishing national cyber security strategies and capability programmes. On leaving Government service Conrad took up a range of advisory roles relating to cyber and security, including as a senior adviser to Pool Reinsurance. He is a Distinguished Fellow at the UK think tank the Royal United Services Institute, and their senior cyber adviser.