Risk and Responsibility in a Hyperconnected World, a joint effort between the World Economic Forum and McKinsey & Company, assesses the necessary action areas and examines the impact of cyberattacks and response readiness. The report sets these against three alternative scenarios in which economic value from technological innovations is realized or lost depending on models of cyber resilience. It draws on knowledge and opinions derived from a series of interviews, workshops and dialogues with global executives and thought leaders to estimate the potential value to be created through 2020 by technological innovations. It examines the value that could be put at risk if the adoption of such innovations is delayed because more frequent, intense cyberattacks are not met with more robust cyber resilience. Finally, the report draws conclusions from the analysis and research, and offers a 14-point roadmap for collaboration.
Chapter 1. Developing a Clear Set of Action Areas presents a unified agenda for key action areas that global leaders across the spectrum of private and public sectors and civil society can collectively explore to increase cyber resilience. Based on the interviews, workshops and dialogues with senior global executives and thought leaders, this chapter is intended to serve as an ongoing, evolving resource to be continually developed and improved over time.
Discussions to date have produced a series of action areas for leaders to consider, organized as required solutions.
Chapter 2. Findings: Understanding Cyber Risks and Response Readiness looks at key findings from the interviews and workshops, with a particular focus on institutional readiness.
Pervasive digitization, open and interconnected technology environments, and sophisticated attackers, among other drivers, mean that the risk from major cyber events could materially slow the pace of technological innovation over the coming decade. Addressing the problem will require collaboration across all participants in the “cyber resilience ecosystem”. But many questions remain on direction and responsibilities. In contrast, a much clearer picture is emerging of the actions that institutions should take to protect themselves. They should act now to enhance capabilities while a broader model for resiliency develops. Finally, given the strategic decisions required, chief executive officers (CEOs), government ministers and other key stakeholders from civil society must engage directly with one another to put the right policies and plans in place.
Findings from the research include:
- Risks of cyberattacks are starting to have a business impact. Controls put in place to protect information assets have at least a “moderate” impact on front-line employee productivity for nearly 90% of institutions. Moreover, security concerns are already making companies delay implementation of cloud and mobile technology capabilities. And while direct cyber resilience spend represents only a small share of total enterprise technology expenditure, some chief information officers (CIOs) and chief information security officers (CISOs) estimate that indirect or unaccounted security requirements drive as much as 20-30% of overall technology spending, crowding out other projects that could create business value.
- Current trends could result in a backlash against digitization, with huge economic impact. Major technology trends like massive analytics, cloud computing and big data could create between US$ 9.6 trillion and US$ 21.6 trillion in value for the global economy. If attacker sophistication outpaces defender capabilities – resulting in more destructive attacks – a wave of new regulations and corporate policies could slow innovation, with an aggregate economic impact of around US$ 3 trillion.
- Large institutions lack the facts and processes to make and implement effective decisions about cyber resilience. Overall, a large majority of firms have only nascent or developing cyber risk management capabilities. Most large institutions do not systematically understand which information assets need to be protected, who their attackers are, what their risk appetite is or which set of defence mechanisms is most effective. Companies that spend more on cyber resilience do not necessarily manage cyber resilience risks in a more mature way – many are simply throwing money at the problem.
- More collaboration required, but key questions remain. Almost all CIOs and CISOs say they cannot “do it alone”. They believe a broader cyber resilience ecosystem must be put in place that spans not only the enterprise users of technology, but also technology providers, regulators, law enforcement and other related institutions. However, views vary widely on the responsibilities and effectiveness of several possible public-sector actions.
Chapter 3. Future Scenarios presents three alternative settings for 2020, and is based on the opinions and thoughts gleaned from the interviews and extensive workshop sessions. The scenarios estimate the conceivable value created from technological innovations that could be affected by a changing cyber resilience environment:
- Scenario One: Muddling into the Future. In this baseline scenario, attackers retain an advantage over defenders who continue to respond to threats reactively, albeit successfully. The level of threat increases incrementally, and more sophisticated attack tools consistently leave defenders behind attackers. Adoption of innovative technologies slows. In this scenario, as much as US$ 1.02 trillion in value from technological innovation is left unrealized over the next five to seven years.
- Scenario Two: Backlash Decelerates Digitization. In this scenario, the frequency of attacks significantly escalates, and international cooperation to combat the proliferation of attack tools proves elusive. Government cyber resilience regulations become more directive, disturbing adoption of innovative technologies. As much as US$ 3 trillion in potential value creation from these technologies remains unrealized.
- Scenario Three: Cyber Resilience Accelerates Digitization. In this scenario, proactive action from the public and private sectors limits the proliferation of attack tools, builds institutional capabilities and stimulates innovation. A vital cyber resilience ecosystem serves to facilitate and connect company operations. Technological innovation is enabled, accelerating digitization and creating between US$ 9.6 trillion and US$ 21.6 trillion in value over the remainder of this decade.
Chapter 4. Conclusions and Roadmap for Collaborative Action proposes a framework for collaboration and suggests a path forward. Acknowledging the interdependence of the public and private sectors in today’s hyperconnected milieu, the Forum’s Partnership for Cyber Resilience, launched in 2012, has developed a framework to help chief executives and other leaders to build effective cyber risk management platforms. The tool offers a rough composite score to locate an organization on the five stages of maturity. By assessing their positions on the maturity scale, companies can make the necessary plans and take the necessary action to enhance their cyber resilience. A core Forum team and its partners will enable and advise participants in their approach to cyber risk management. The team will also be a storehouse for insights garnered from participants that can be used to build up the framework for broader sharing.