The cyber data conundrum part 2: what signals say about the state of the dam

The cyber data conundrum part 2: what signals say about the state of the dam

Insurers looking to supplement their underwriting process with data are faced with a challenge. A challenge they will encounter when evaluating how and where to source cyber risk data. As addressed in the previous blog in the cyber data conundrum series — cyber risk data for cyber insuranceunderstanding differences in data quality, resolution and measurement is key to making informed underwriting decisions. 

In the second part of this series, we’ll dive into how cyber data is used for technical cyber security programs versus how it should be used for cyber insurance, what you need to know about signals, why they’re important, and what to look for when evaluating third party signals, or building your own for a cyber insurance underwriting use case. 

How is cyber security data and insurance data used?

If you imagine an enterprise’s cyber risk surface as a dam that holds all of its operations and data securely within its walls, cyber security data is a blueprint for the potentially weakest points (i.e. defects) on that risk surface. Every flagged defect is a potential source of an incident, which can singularly, or in accumulation with other incidents, break the dam. That is, if these defects are not fixed.

Cyber security professionals use the cyber security data from this blueprint to plug all the potential problems. Using a blueprint, professionals can identify which cyber security problems exist on business critical systems, so that they can be addressed before a cyber incident occurs, or so they can mitigate the severity of such an incident.

In contrast, insurance data does not look solely at the blueprint. It compares the cyber security data from this dam to other dams, along with other comparable metrics. The result is a tailor-made consideration for the likelihood of a cyber incident, the severity of that incident, as well as the likelihood of an incident turning into an insured claim for the insurer, and their risk tolerance for that claim. For example, as a threat actor searches for a victim, cyber security data informs of the weaknesses they might exploit, while the insurance data shows how this dam sticks out in comparison to other dams, as well as the insurance consequences the dam will face.

While the volume of data is massive, using only cyber security data for insurance purposes provides an incomplete view of an insured’s true risk profile. By combining several disparate data sources, insurers can obtain a more complete view — but it should not stop there. Insurers should consider which data is truly indicative of higher likelihood, higher severity, or simply put, higher risk. This is where using the relevant signals comes into play. By taking a multi-disciplinary approach to gathering, analyzing, processing, and curating petabytes of data, we can derive signals that are statistically indicative of higher risk and help inform underwriting decisions.

Why are signals important?

In order to make informed risk decisions, you need to be able to parse the relevant data — and this means having appropriate signals that assist underwriters in making profitable judgment calls on which organizations to underwrite.

Historically, cyber underwriting has been considered more art than science. Today, however, it is as much art as it is science — the art depends on the underwriter's own judgment and experience while the science component is data driven. Complimenting analog pen and paper applications with relevant cyber signals is increasingly powerful.

The signals underwriters need

Cyber signals and data can serve many purposes, from augmenting missing data and corroborating existing data, to getting a wholly unique third-party view of an account’s cyber risk posture. It’s essential, then, that underwriters are using the right signals in order to make informed risk decisions. However, not just any kind of signal will get the job done.

A relevant cyber risk signal is one that aids in decision-making for its user. This signal should be actionable, measurable, and understood

- Actionable - meaning the signal should elicit specific takeaways for the user. These actions could be additional questions they ask, or notes taken to corroborate other feedback channels.
- Measurable - meaning the signal needs to be measured and sized in a context that matters for a user. A signal can range from a single observation to a collection of observations. The definition of which should be fit for purpose based on the intended user and use case.
- Understood - meaning the signal should be digestible, contextualized, and explainable. It is easy in cyber to get carried away with complex concepts, and even more complex logic. The final design of a signal can itself be complicated, so it should be distilled into a format that the user can comprehend.

While signals should be actionable, measurable and understood, they also need to have certain characteristics to ensure they serve the right purpose. 


The resolution of a signal matters. Consider not only the resolution of what should be displayed, but also the resolution of the data upon which the signal is built.

Not all signals need an hourly or daily resolution, i.e. does a company change its cloud hosting provider on a daily or hourly, or even weekly basis? That said, signals that do change more frequently may contain a lot of noise, i.e. code migration, deployment and other development work may temporarily expose common vulnerabilities and exposures, which are patched near instantly, daily, or on a weekly cadence. Seeing a temporary, uncontextualized observation is noise for an underwriting use case, and not necessarily significant.

Positive/negative/neutral observation

Whether an observation is positive, or negative should be defined. In instances where more context is needed before it can be considered either positive or negative — i.e. a neutral observation — this should also be specified.

For instance, simply having open ports is not necessarily a bad thing — some ports are necessary operating ports and are not by their nature risky. However, parsing out and building a signal demonstrating risky ports clearly identifies when there is a negative observation. Similarly, an organization that takes care to close unnecessary risky ports should be flagged by way of a positive signal and representation.

The category of cyber risk

Individual cyber security signals are not necessarily meaningful in isolation. Especially in an underwriting context, they should be categorized and defined by how they impact a wider cyber security program and framework. No singular signal measures or gives a complete picture of a company’s security posture. Building and sourcing signals that cover and address a wide range of security hygiene measurements and security posturing, offers a more complete view.

To see how well a collection of signals inform a company’s risk posture, you can assess signals based on how well they map to the NIST framework, which offers a solid context for a defender's perspective to cyber security. This includes how effective the organization is in identifying, protecting, detecting, and recovering from weak points in its dam blueprint. Having robust signals spanning several cyber hygiene categories demonstrates such effectiveness and maturity, especially when comparing one organization to another.

Company-specific and micro-segment signal approach

At their core, signals are indicators of truth. These indicators can have a direct impact on the outcome of the dam collapsing, or could be the ‘canary in the coal mine’ proxy that hints at shortcuts being taken. In either case, these signals indicate how well a company might be protecting itself. Additionally, as mentioned previously, these signals are most powerful when viewed holistically together amongst several diverse data points. In a similar fashion, using aggregated data that measures observations at a company’s peer group (i.e. companies of the same size, industry and geography) can be powerful when used in combination with company-specific data.

A dual approach to signaling helps establish not only an organization’s posture, but also the baseline expectation of how a company’s peer group (micro-segment) typically performs.

With a micro-segment view you are able to identify trends in areas such as detecting and preventing issues, as well as trends in attacks against similar companies. With the company-specific view, you are able to then see how well the company itself performs in key areas.

Furthermore, benchmarking both types of signals and the observations against relevant comparative populations further contextualizes a company’s performance (i.e. understanding how many vulnerabilities a company has relative to its peer group, or how many targeted attacks a company in a peer group faces relative to the number a company in any industry size or geography faces). This comparison also enables an underwriter to make that company to company distinction used in insurance and underwriting decision making.

Effectively utilizing signals

How cyber data is used is critical to the cyber insurance process — ultimately, it will help underwriters fully comprehend an enterprise’s cyber risk surface. 

Signals and scores are imperative to gaining a more scientific view of cyber risk that leads to informed and accurate underwriting decision-making. Underwriters need to ensure that they’re able to access cyber risk signals with the right characteristics in order to underwrite effectively.

Stay tuned for the next blog in the Cyber Data Conundrum where we cover fitting these relevant signals into your underwriting workflow.

CyberCube, the leading cyber risk analytics provider, is well versed in cyber underwriting and its challenges. Learn more about the signals CyberCube uses and how they’re statistically significant in our free report — Evaluating Cyber Risk Signals as Indicators of Future Incidents.

Evaluating Cyber Risk Signals as Indicators of Future Incidents