INVITATION TO CYBERSECURITY 112

Like threats, vulnerabilities are also largely inherent in conducting business in cyberspace. However, an organization can opt out of some technologies and business practices that introduce vulnerabilities. For example, an organization might determine a risk of IP theft due to vulnerabilities arising from its work-from-home policy. It could choose to avoid this particular risk by not allowing employees to work from home. Of course, the decision to cancel a work-from-home policy would have multiple ramifications beyond cybersecurity, making it a complex business decision. This helps to illustrate the tradeoffs involved in cybersecurity—cyber risk management decisions can have big impacts on the way companies do business.

Another way a company can avoid risks is by eliminating cyber assets. Data is an asset that is a big target for hackers. The more data a company stores, the more likely it is to be targeted. Companies typically prefer to save as much data as possible because data storage is cheap, and data has potential value. For example, data analyses could provide cost-saving insights. However, it is sometimes in a company’s best interest to forgo the potential value that data holds by permanently deleting it, making it inaccessible to the company as well as to hackers. Companies need to evaluate the value of holding onto data versus the risk they accept by retaining it.

5.3.5.2 Transferring

Some cyber risks can be transferred. Transferring a risk means passing the risk to another organization. Insurance is the classic way to transfer risk. For example, when a person pays for car insurance, he is passing the financial liability of a car accident to the insurance company. The insurance company agrees to pay to repair the cars damaged in an accident and for any medical costs that result. The financial risk of a car accident is significant.
If a person causes a car accident and does not have insurance, he could go bankrupt, and this is an unacceptable personal risk—this is why car insurance is such a vital industry.

Insurance companies write policies to indemnify their customers in case of a loss. Indemnify means to compensate for a loss. The insurance policy is a contract stating what is covered by the insurance agency and under what circumstances. Policies state any exclusions, the premium, and the deductible. An exclusion is a loss explicitly not covered by the policy. The premium is the cost to purchase the insurance, and the deductible is the amount owed by the insured party for a covered incident.

Insurance premiums are based on the amount of exposure. Exposure is the potential loss that could result from an incident. The higher the exposure, the more expensive the insurance. To limit their own exposure, insurance companies might also include a limit of liability in their policies. The limit of liability is the maximum amount the insurance company will pay in case of a loss. Therefore, the insurer will pay for the damages minus the deductible and only up to the limit of liability.