Lero researchers develop new cyber risk tool

New tool will help organisations identify and mitigate risk, and inform insurance companies

A new cyber risk tool created by researchers at software research centre Lero is aiming to help organisations assess and mitigate the risks from cyber attacks amid a growing threat to businesses,

The tool will also enable insurance companies to design appropriate insurance products.

Lero researchers working in the emerging risk group at University of Limerick's Kemmy Business School developed the new method of assessment, combining risk matrix and bow-tie models to produce a rating based on the likelihood of a cyber-threat and the potential severity of the outcome.

“Cyber-attacks pose a growing threat to global commerce that is increasingly reliant on digital technology to conduct business. Traditional risk assessment and underwriting practices face serious shortcomings when encountered with cyber threats,” team leader Dr Barry Sheehan said.


“Our cyber-risk classification and assessment framework, QBowtie, is designed to demonstrate the significance of proactive and reactive barriers in reducing companies’ exposure to cyber risk and quantify the risk.

“The QBowtie model can accommodate both historical data and expert opinion and previously known frameworks to score the threats, barriers and escalators for the framework. It also provides a practical framework that allows insurers to assess risks, visualise areas of concern and record the effectiveness of implementing control barriers.”

The framework was tested on a city hospital in Europe but is aimed at organisations. It not only offers a risk score but can also highlight where security measures can be improved.

"While we studied the exposure of a hospital, healthcare settings would be infrequent targets for cyber attacks although, as we have seen in Ireland, there are exceptions," Dr Sheehan said. " This tool would not have prevented such an attack. Instead, it would provide a more robust methodology for cyber risk assessment, which will allow insurance companies, for example, to more accurately assess risk, supporting more granular pricing. This means that the premiums of companies purchasing cyber insurance products will more accurately reflect their cyber risk."

The stakes in cybercrime are high, with the impact on the global economy estimated at just under €1 trillion in 2020, and growing.

“Currently, many companies are significantly exposed and vulnerable to losses and costs associated with cyber threats and crime. It is projected that the cyber insurance market will grow significantly due to growing cyber awareness and the introduction of new regulations,” said Lero’s Prof Finbarr Murphy, a co-author of the study and Dean of UL’s Kemmy Business School. “Today, total global premiums are around $2 billion and are predicted to reach $20 billion by 2025.”

The QBowtie framework could potentially be developed into a fully quantitative cyber-risk classification method as more data becomes available, Dr Sheehan said.

Ciara O'Brien

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist