Recognition for the industry-leading research our data science team generates to support cyber risk quantification software and services at RiskLens: Data Science Manager Justin Theriot has been nominated for an award as Cyber Risk Person of the Year in the Actuary/Modeler category by Zywave, the major data aggregator, and invited to present at SIRAcon23, the annual meeting of the Society of Information Risk Analysts.
At SIRAcon, May 17, 2023, Justin’s topic will be “How Do Policies and Regulations Impact Secondary Losses?” The Zywave nomination recognizes his work with RiskLens Senior Data Scientist Benjamin Gowan on the paper “Does Decomposing Losses Improve Our Understanding of the Financial Impact of Data Breaches?” (We encourage you to vote for Justin in the awards competition.)
You can find Justin and Ben’s data science research throughout RiskLens offerings, from the data helpers on our SaaS enterprise risk analysis platform that automate entry of updated data on frequency and magnitude of cyber loss events…to our annual Cybersecurity Risk Report…to the My Cyber Risk Benchmark tool for insights into your company’s cyber loss exposure compared to your industry across common risk themes.
Q&A with RiskLens Data Scientist Justin Theriot
Q: How did you get into data science and what keeps you engaged?
A: I was an air traffic controller for 11 years in the Air Force. During that time, I completed master’s degrees in economics and international relations. After separating from the military, I worked for a data analytics company designing models and conducting analyses on labor markets and economic development. RiskLens gave me the opportunity to utilize my economic expertise to understand the financial impacts of cyber events.
Cybersecurity is a constantly evolving field for data science – it keeps me intellectually challenged and provides a net positive for society.
Q: What are the key findings from your SIRAcon presentation?
A: Regulations cost firms in their efforts to become compliant, or if they remain non-compliant, and will impact them post-breach. Global F1000 firms will spend $7.8B to become compliant with GDPR, with 78% of small to mid-tier firms spending $100,000. The regulatory climate around data privacy is rapidly changing, with proposals from the European Union, France, Germany, California, Colorado, and more under review. Estimating costs and likelihood of regulator fines or legal judgments is shooting at a moving target, but it’s critical to get that right for the most accurate risk analysis.
Risk treatment analysis on the RiskLens platform. (Image ©RiskLens 2023)
Q: What about the paper on decomposing losses that earned you the Zywave nomination – what’s the importance for cyber risk analysis?
A: Our research aims to open avenues for practical applications in cyber risk quantification today. First, we base our estimates on firm revenue, region, data type, and industry. For example, we can develop a loss estimate specific to a company based in North America, in the healthcare industry, with $4 billion in revenue, with a particular number of PHI records.
Second, by varying the scope of the loss-event scenarios we analyze, we can improve scenario comparisons to help drive prioritization decisions on cybersecurity investments. For example, should budget increases be allocated to improving internal or external access controls across assets?
Third, since this research separately models various costs, this should improve final estimates and facilitate communication with stakeholders, enabling us to express the real risk and proper decompositions of operational costs vs. legal fees in enterprise risk management.
Q: Is the quality of cyber risk data improving?
A: Data limitations are a known problem in cyber security research – for instance, corporate lawyers coaching firms to not share written data breach reports with insurers, regulators or law enforcement. But as the community continues to push for transparency and SEC regulations begin to require reporting about material cybersecurity incidents, we can enhance our research to equip firms and analysts to make data-driven estimates of their data breach or other exposure using readily available industry firmographics.
Q: What do you do for fun when you’re not crunching numbers?
A: Outside work, I compete in Strongman in the under 105kg Open category. This year, I placed 10th in the Southeast Strongman Classic, held in Montgomery, Alabama. I am also an avid literary reader – I recently read Roth’s American Pastoral; next up are Lem’s Solaris and Pynchon’s Gravity’s Rainbow. Apart from those two activities, I spend time with my wife and two daughters. We are from Louisiana, so cooking is in our blood: the standards such as chicken and andouille sausage gumbo, chicken and tasso jambalaya, and blackened redfish with corn maque choux.