The loss estimates are astounding! In January, Lloyd’s of London released a report in partnership with the risk modeler, AIR Worldwide, suggesting failure of a top cloud service provider could cost the US economy $15 billion.
Skimming the surface, the average reader might attribute that “failure” to adversarial or criminal activity. It’s hard not to let “CYBERATTACK” spring to mind when the world media cries wolf from the rooftops every time a cyber incident occurs.
Immediate blame being cast upon hackers and cyber criminals is one of the “key misconceptions” surrounding cloud service provider downtime, according to Scott Stransky, assistant vice president and principal scientist in AIR's Research and Modeling group.
In reality, the causes of temporary cloud shutdowns are much more mundane – with many being the result of one fat finger moment or an accidental human error. These are the findings of AIR Worldwide’s comprehensive cyber risk modeling application, ARC (Analytics of Risk from Cyber), which uses a proprietary database of industry exposures to define qualitative, quantitative and probabilistic cyber risks.
“We created our downtime probabilistic model in two parts. The first part involves the qualitative data, where we built a list of hundreds of possible ways a cloud can fail. These range from things like an accidental typo or human error (which happens all the time) to extreme events like a drone dropping a bomb on a data center,” Stransky told Insurance Business at RIMS 2018.
“Then we spoke to the chief engineers at all of the major cloud providers to understand how each of them mitigates against these potential failure mechanisms,” he added. “This qualitative data and research allows us to relatively rank clouds and suggest which providers are more secure against which exposures.”
The ARC model divides the cloud failure mechanisms into four themes: environmental, structural, accidental, and adversarial. Contrary to popular belief, the model finds that adversarial threat factors for only 6% of events - the smallest threat by far out of the four categories. Accidental human error and typos topped the chart by a long way.
AIR Worldwide had access to real data, which allowed them to carry out that analysis. The risk modeler used data from more than 70 historical downtimes from major cloud providers like Microsoft, AWS, Google and so forth. After carrying out statistical modeling on historic downtime data, the company is now able to inject its findings back into the system and simulate new cloud failures.
“Today, a lot of work around cyber is qualitative, with insurers and brokers struggling to access critical data,” Stransky added. “It’s our aim to provide that data aspect. We want to make the world more cyber resilient through our modeling.”