Cybersecurity: a new methodology for risk assessment

Cyber-attacks are on the rise, and companies are becoming increasingly vulnerable. Thus, the HERMENEUT research project has developed a tool for analysing risks and costs associated with cybersecurity for companies. It is especially useful if accompanied by cyber insurance.


The number of cyber-attacks is increasing, and with them the economic damage to companies. The data presented at the second workshop on cyber insurance, held by the H2020 European project HERMENEUT, leave no doubt. In the last three years, in fact, the number of successful cyber-attacks has increased by 17% (from 62% in 2014 to 79% in 2017). In addition, forecasts indicate that, at a global level, damage will amount to around $6 trillion by 2021. This will make cybercrime economically more relevant than international drug trafficking. These figures were presented during the workshop held on March 5, 2019 at the Cefriel Digital Innovation Center. The meeting centred on cybersecurity insurance and the HERMENEUT methodology for cyber risk assessment.

The HERMENEUT project

HERMENEUT paid particular attention to human factors. In fact, 91% of cyber-attacks use spear phishing, a technique to steal data from the victim’s computer or install malicious software. Another technique is social engineering, which drives the user to open a file or visit an infected website. These attack techniques all rely on the human factor, which is the enabling factor of 90% of the attacks.

All these attacks need to be effective is an error, a distraction, or a careless click. Highly targeted attacks, 60% of the total, are almost always carried out as a safe bet on companies. Hackers select the “victims” on the basis of their high exposure on social networks (30%) or susceptibility to phishing. Employees are the category most exposed to attacks (23%), with increasing numbers of deceptive emails.

In particular, damage to intangible assets caused by cyber-attacks is on the rise. These assets include, for instance, brand and company reputation, customer trust, but also intellectual property, elements which account for between 60% and 80% of the overall business value.

That is why HERMENEUT developed a tool to assess the probability of a cyber-attack and its costs, starting from the basic information provided by the user and providing a dynamic cybersecurity risk assessment. The project has held its second workshop on “Insurance in cybersecurity”, that is, insurance policies against cyber-attacks. Cyber insurance can, in fact, be a useful tool to minimize economic damage following an attack, though it is not enough. Indeed, this measure needs to be integrated with a strong corporate risk culture, so as to focus on human factors and organizational strategies.

Our role in HERMENEUT

Deep Blue is addressing exactly the human factor and organizational risks within the project. Alessandra explains that “the HERMENEUT tool is able to estimate who could attack the company and with what techniques, and identifies which assets are at risk and the eventual economic impact. It then helps to identify the most suitable solution for each individual case. The project mainly aims at SMEs, small and medium-sized enterprises.”

For sure, the human element can constitute a liability, exposing companies to cyber-attacks. But the opposite can be true as well: if properly trained and supported by an appropriately designed organizational context, people can also be the best, most reactive and intelligent defense against them.



Vera Ferraiuolo

Senior Dissemination Consultant