A Q&A with Josephine Wolff of Tufts University
Josephine Wolff, associate professor of Cyber Security and Policy at Tufts University and published author, will be speaking at the 2023 NetDiligence Cyber Risk Summit next week. The Summit will take place at the Loews hotel in Philadelphia from May 31–June 2, 2023. Josephine will be the keynote speaker at the Women in Cyber Luncheon on Wednesday, May 31. She will also participate in a panel about systemic cyber risk on Thursday, June 1.
We caught up with her ahead of the conference to learn more about what she’s working on, current trends in the industry, and why “best practices” are not always the best.
Give us a bit of background on your work in cybersecurity. What interests you most about the industry at this moment in time?
The thing that I’ve found most interesting about cybersecurity for a long time is how we divide up responsibility for cybersecurity among all of the different stakeholders, companies, individuals and governments involved in the online ecosystem. Exactly how you take a network as decentralized and diverse and global as the Internet and sort out who should be responsible for which types of security, as well as who should be held accountable when those security efforts fail, is an endlessly complicated question and one that I find both fascinating and important.
Broadly speaking, I’m interested in questions of liability—specifically, the insurance industry, because that’s who is paying for cybersecurity incidents and, by extension, who has an incentive to invest in cybersecurity and how.
You’ll be at the NetDiligence Cyber Risk Summit in Philadelphia. What are you most excited to discuss with and/or learn from fellow speakers and attendees?
I’m excited to discuss the changing landscape of the cyber insurance industry, and in particular, how different insurers are reformulating the exclusions in their policies to deal with state-backed cyber attacks. What will the implications of those new exclusions be? What should we make of the differences in language across carriers and what will the impacts be for the industry as a whole? How will these exclusions influence government efforts towards developing a backstop for cyber risk?
Tell us about your recent publication: Cyber Insurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks. What are the key takeaways for readers from this work?
For me, the key takeaways from this project are that the cyber insurance industry remains fairly nascent, that underwriters still have a high degree of uncertainty about their ability to model many types of cyber risks, and that it’s not yet clear exactly how—or even whether—insurance will be able to help organizations reduce their exposure to cyber risk.
Certainly that’s the hope, but there’s still a tremendous amount of work to be done to better understand cyber risk and also to measure the effectiveness of the various security controls and questionnaires that insurers currently use to help vet their policyholders and combat moral hazard.
In your opinion, what current trends/findings should the industry be paying attention to right now?
I’d like to see the cybersecurity industry paying more attention to questions of measurement and whether the “best practices” we’re encouraging (or in many cases, requiring) individuals and businesses to adopt are actually working to reduce exposure to cyber risk. Too often, I think, we assume that because everyone is doing something (requiring employees to change their passwords every 90 days, for instance, or labeling emails that originate from outside the recipient’s organization), it means it’s a proven and productive way to improve security. But often we’re just doing those things because everyone else is doing them, and not because we have any real, empirical data to show that they work.