A People-Centric, Insider Risk Assessment For Cyber Insurance


Q&A with Noam Zolberg, CEO and Dr. Maria Blekher, Head of product & marketing at Psyber

What does Psyber do?

Psyber is a people-centric, insider risk assessment for Cyber Insurance. It bridges a gap in risk-pricing practices for cyber insurance underwriting by creating a single insider-risk score for the entire company, while protecting privacy and anonymity of employees.

How did you come up with the idea, and what is the story behind it?

Psyber founders bring a wealth of knowledge in both cyber security, from the offensive and defensive sides, as well as years of research and empirical testing of people’s decision making and behavioral patterns as users of smartphones and computers.

Psyber’s founders recognized that cyber insurance companies were among those most affected by cyber attacks, excluding companies themselves.

How does behavioral science relate to your product?

Behavioral science relates to our product in two ways. First, our product uses the notion defined within the classical field of psychological assessment in that “stable personality traits” are strong predictors of human behavior. Such traits interact with various contextual and cognitive factors in guiding human decisions. With the notion that personality differences characterize people across time and circumstances, our product uses various personal characteristics as predictors of cyber vulnerabilities. Second, behavioral sciences relate to our product with respect to how we assess personality, cognition and cyber behavior in a cost-effective way while preserving individuals’ privacy and the characteristics of real-world situations. Personality and behavioral assessment methods have recently advanced towards the use of machine learning methodologies. We use machine learning methods to extract and to analyze linguistic markers.
personality and other human-related factors.

 

How many companies are working in the field?

In terms of the competition, there are several existing cyber risk assessment providers, who are focused on modeling technological, infrastructure and process related risk, or intrusive monitoring of behavior. At this point, to the best of our knowledge there is no other company that is modeling and assessing the insider risk factor for the cyber insurance industry.

How does the human factor make cyber security more vulnerable?

Cyber security constitutes a human-machine problem. An expressive amount of our daily tasks are performed through the use of mobile phones and computers that involve data and information sharing and/or transfer. Task accomplishment, and not security, is people’s main objective while performing such tasks. For example, the vast majority of cyber breaches originate from phishing or spear-phishing attacks, which are types of social engineering attacks (SEA). SEA refers to the means used to persuade an individual or an organization to comply with a specific request from an attacker. This type of attack, which has the potential to cause substantial losses, targets individuals’ choices. SEA exploits the fact that it is the human behind the machine which decides how to act or not to act during daily tasks. Another serious non-modeled risk is the malicious intent of an insider-attack. Therefore, our personal tendencies, goals, emotional state and workload are strong factors behind our choices, and, therefore, those are the factors that make cyber security more vulnerable.

What research supports your product?

Our research is supported by findings showing that “stable personality traits” predict cyber decisions. For example, conscientiousness constitutes a solid facet of personality. Individuals who are high in conscientiousness pay attention to details, follow rules and work steadily towards long-term goals. In the context of cyber behavior, this stable personality trait has been shown to predict individuals’ engagement in preventive practices such as choosing safe/complex passwords, locking devices and using two-step authentication.

Extroversion is another stable personality trait which is also behind various cyber decisions. Individuals who are high in extroversion are enthusiastic, sociable, talkative, feel comfortable and gain energy in social situations. Extroverts have been shown to be more likely to fall for phishing attacks and also less likely to engage in cyber preventive practices such as using device security options and complex passwords.

The dark side of personality, as defined by the dark triad (i.e., Machiavellianism, Narcissism and Psychopathy), has also been shown to predict insiders’ threat intentions and cyber vulnerabilities. With respect to intentions, all dark triad traits predicted intentions to act in a deviant way inside organizations. With respect to end-user vulnerabilities, narcissism has been shown to be a strong predictor of cyber incidents.

How does the process look from the client point of view?

When an employee takes Psyber’s assessment, they conduct a conversation with Psyber’s Assessment platform. During the conversation, Psyber assesses elements such as awareness, cyber hygiene, personality and other relevant attributes, while hashing all personally identifiable information and tokenizing the actual assessment process outcome.

The outcome of Psyber engine is a single score of organizational insider risk level. The score is then incorporated into the risk-pricing process for underwriters and insurers, increasing risk assessment accuracy and profitability.

How do you do the diagnostic process (tell me about the bot)? Is it collecting personal data?

All personally identifiable information is hashed. Psyber will adhere to and meet privacy laws and regulations. Moreover, Psyber does not collect personally identifiable information. We capture data by running ML assessment and compiling the organization’s aggregate risk score based on the data science and statistical models our AI runs.

What can be the benefits for insurance companies?

The surge in cyber breaches increased both the demand for cyber insurance and, at the same time, the number of insurance claims. This increase in loss ratio sharply reduced the industry’s profitability, while depleting coverage. Despite the fact that the majority of the claims are driven by insiders’ actions, until now, the cyber risk insurance industry didn’t have the underwriting practices to assess insider risk.

Psyber fills in a missing element in risk-pricing practices by creating a single insider-risk score for the entire company, while protecting privacy and anonymity of employees. The score, incorporated into the risk-pricing process, increases accuracy and profitability.

How does your product help save money for the insurance company?

Currently the entire insurance value chain has no insights into the biggest risk factor and evaluates premium pricing and even issuing policies altogether after reviewing the technological factors. Psyber will enhance the accuracy, enable proper evaluation and pricing of risks and thus improve profitability.

How does your platform improve the insurance product?

Psyber AI platform would make the underwriting and risk evaluation accurate and efficient, creating a uniform standard across the industry value chain, in the same manner as a surveyor does in home insurance or vehicle insurance.

What investments were made in the company so far?

So far we are boot-strapped, very lean and efficient. We have initial first discussions with private investors, who like to be first in solving big market problems, interested and knowledgeable in multi-disciplinary fields of expertise such as we have in Psyber.

Tell me about your professional background and about other key figures in the company

Noam Zolberg – CEO: With over 25 years of multi-dimensional senior executive management in culturally diverse environments, initiating planning and executing complex processes and operations. Brings business development and out-of-the-box ideas for emerging challenges and needs. Vast experience in the global business world, up to date in cyber technologies, fusing intelligence and interpersonal skills to develop and sell products and concepts. Having been a CEO for a large corporation in the global supply chain and logistics industry, Zolberg managed hundreds of employees, in Israel and abroad, as part of a global supply chain network, Ceva Logistics. In 2016 he was appointed as COO for a leading Israeli cyber intelligence and technology company. Since 2018 Zolberg has been an independent consultant to Israeli startups in transitioning from R&D stage to production and sales, primarily in the cyber security and homeland security sectors.

Dr. Isabel Arend Diskin – head of behavioral sciences: a cognitive neuroscientist. Dr. Arend Diskin’s research focuses on how the brain learns, and on how information becomes automatic to the point of influencing the brain and behavior. She studied how behavior impacts brain plasticity through various conditions including synaesthesia (i.e., learned new associations). Her second stream of research focuses on the impact of technology in human decision processes and learning by examining what makes humans vulnerable to cyber incidents. Her research used both cognitive-behavioral protocols and brain imaging techniques. Dr. Arend Diskin holds a PhD, University Autonoma of Madrid, Spain, a Post-doc, Wolfson Center for Clinical and Cognitive Neuroscience, Bangor, UK, held a Research Fellowship, Department of Psychology and Slotowski Center for Neuroscience, Ben-Gurion University of the Negev, Israel. Currently Dr. Arend Diskin collaborates as Brain Researcher Fellow at The Joseph Sagol Center for Neuroscience, Sheba Medical Center, Israel.

Dr. Maria Blekher – head of product & marketing: behavioral scientist, entrepreneur and startup adviser. Adept at extracting consumer insights, validating and honing startups’ value propositions pre- and post-investment, informing investor decisions, increasing the likelihood of product-market alignment, and reducing the risk of failure startups in order to maximize ROI for stakeholding entities. Broad expertise and extensive connections in the burgeoning Israeli startup ecosystem and a wide, international network of founders and funders. Dr. Blekher holds a PhD in Marketing, MBA, and BA in Management, from Guilford Glazer Faculty of Business and Management, Ben-Gurion University of the Negev, Israel. Dr. Blekher was a visiting Scholar at Stern School of Business, at New York University (NYU). Currently she serves as the Founding Director of YU Innovation Lab, and a Clinical Associate Professor, at the Sy Syms School of Business at Yeshiva University, NYC.

Peter Dolch – CTO: With over 30 years in software development and technology infrastructure, Mr. Dolch brings tremendous expertise to the team. Early in his career he helped revolutionize the global SABRE airline reservation and aircraft maintenance network with its first ever UNIX integration. Later he founded and managed Tgix, a software development company, which he ran for 25 years. While at Tgix, he put the first US Stock exchange on the Web, built some of the earliest and largest e-commerce platforms, helped over 50 startups launch their businesses, and tackled numerous large, global enterprise engagements for companies like Pfizer, HP, Harper Collins and others. Tgix successfully incubated startups, helped a client go from an idea on a napkin to IPO, spun off a cybersecurity company and was twice listed in the Inc. 500 Fastest Growing Companies. Mr. Dolch has a wide skill-set including strategy, technology, operations, product development, customer behavior and user experience, and has experience managing large, diverse and geographically disparate teams. Mr. Dolch has a degree from MIT in Management Information Systems and has spent the past several years advising and launching startups.

Why are insider breaches not modelled for cyber insurance underwriting?

Well, because until today, the human factor has simply been ignored. The underwriting process for cyber risks insurance (traditionally) focused on the technological elements as the most prevalent and relevant vulnerabilities, or risk elements. As attacks evolved and hackers started seeking weak unprotected attack vectors, at the same time as security solutions became more common, they quickly realized the human element is unmitigated and is the weakest link. As long as the loss ratio, or claims payout were acceptable, the cyber insurance didn’t bother to improve the risk pricing processes. 2019-2020 were disastrous in terms of claims and payout and 2021 seems to be a watershed time in this important insurance sector. The contradicting trends of growing need and demand for cyber risks coverage while the insurers pull back, reduce the coverage they are willing to undertake and drastically increase the premium pricing – calls for a novel new approach to the risk assessment.

What is your business model?

Psyber SaaS subscription will be an integral part of the survey and annual assessment for cyber insurance underwriters, brokers and insurers.
