Modern consumers have a lot to worry about. Since 2014, nearly a dozen high-profile companies have made headlines after falling victim to cyber crimes that left their customers’ data vulnerable.
"Cyber crimes are very real and can inflict as much damage as other crimes," says Prof. Mingyan Liu. "The theft of the information you have on your computer can lead to blackmail, extortion, and more."
Companies like Sony, JP Morgan Chase, Target, and even some state universities have had sensitive information like credit card numbers and account logins leaked, resulting in far-reaching economic consequences for countless households.
Prof. Liu realized that her own research in cybersecurity and insurance markets could be applied to the problem. So she co-founded the company QuadMetrics to keep companies diligent when it comes to cybersecurity. She also serves as Chief Science Officer of the company.
QuadMetrics offers a pair of services to help companies both assess the effectiveness of their security and decide the best way to allocate (or increase) their security budget.
"When a company understands its security posture, it gives them a very powerful tool to self-evaluate and gauge if they’re improving over time."
Their first service, called a Signet Scope, determines how secure an organization is and how vulnerable it is to certain types of attacks. To do this, QuadMetrics collects internet data measurements from the organization and applies data analytics and machine learning techniques to find the holes in its cybersecurity that might be exploited by cyber criminals.
So far, their methods have proven to be highly accurate.
“We can easily achieve a true-positive rate exceeding 90% and a false-positive rate below 10%,” says Mingyan.
With their second service, the company provides one of the first means to determine premiums for cyber insurance.
Cyber insurance, a fairly new concept, operates on the same principles as home or auto insurance. In this case, an underwriter takes on the risk that a company may face a data breach, and covers the cost of repairing the damage should they be victimized.
Until now, determining what that premium should be for a given company has relied on interviews with IT staff and surveys about their security measures - both of which have proven to be unreliable metrics.
“Rarely do cyber insurance companies get ahold of information that’s really important and indicative of the risk that the company is facing,” says Mingyan.
That’s where QuadMetrics’ Signet Profile product comes in, offering insurers a summary of the company’s security strengths and weaknesses.
“Because we are able to quantify the risks a company is facing, it allows an insurance company to turn that into a cost estimate,” she explains.
Mingyan hopes this will accomplish a shift in how companies view cyber insurance. Right now organizations buy these policies to transfer risk onto an underwriter, but a QuadMetrics profile could create incentives for them to work to reduce their risk. Better security could mean lower insurance premiums – and more secure customer information.
Accurate assessments of a company’s security profile are more vital than ever as cyber criminals continue to innovate new ways to illegally access data. According to Prof. Liu:
“More and more records are now digitized and on the cloud. That has dramatically increased the instances of cyber crimes from remote locations. Often the defending side falls behind, constantly chasing the new attack-type of the day.”
The work done at QuadMetrics stems from Mingyan's research in cybersecurity and insurance markets. Her research group, which includes Parinaz Naghizadeh, Yang Liu, and Armin Sarabi, has published several papers on predicting security breaches and expanding cyber insurance markets.
Earlier this year, Mingyan spoke at the second annual Predictive Modeling Insights Conference. This conference "looks at turning information into insights, getting your data working for you and reaping the rewards of driving your business forward with a data-informed strategy."
Prof. Liu's previous research focused on optimizing resource allocation over wireless networks. This relied heavily on game theory and problems involving several self-interested parties sharing resources. Mingyan found many analogies for these sorts of problems in cybersecurity, and shifted her focus to designing incentive mechanisms for companies to enhance security measures.
June 14, 2016: FICO (NYSE: FICO) has acquired QuadMetrics to accelerate development of the product, which will provide greater transparency into cybersecurity for underwriting, vendor management and self-assessment. [News Release]
Professor, Electrical Engineering and Computer Science, University of Michigan
Co-Founder and former Chief Science Officer, QuadMetrics, Inc.
Founded in 2014
6 full-time employees
Ann Arbor, Michigan
Signet Scope – Allows organizations to see how effective their security measures are, and summarizes which types of attacks may pose the highest threat.
Signet Profile – Gives cyber insurance companies access to risk profiles for their clients, allowing them to factor that information into their premiums and policies.
Mingyan's student, Yang Liu, presented the group's research on cyber security at the 2015 USENIX Security Symposium. He discussed an important aspect of the research, characterizing the extent to which cyber security incidents can be predicted based on externally observable properties of an organization’s network.
Wall Street Journal: "Cybersecurity Startup QuadMetrics Calculates Odds a Company Will be Breached" (1/12/16)
Merit: "Merit Offers QuadMetrics Cybersecurity Tools" (1/28/15)
Canadian Underwriter: "Rising demand for cyber insurance creates opportunity for insurers worldwide" (3/17/16)
Posted May 16, 2016