Cyber Insurance and Its Role in Mitigating Cybersecurity Risk

January 2015 Podcast
Presenters: James J. Cebula, David W. White. Interviewer: Julia H. Allen

In this podcast, Jim Cebula and David White discuss cyber insurance and its potential role in reducing operational and cybersecurity risk.



The goal of any cybersecurity investment is to reduce the potential impact from cyber risk. Initial investments should be in capability development—the implementation of controls to protect and sustain operations that depend on technology. As capability increases, additional capability investments produce diminishing returns—the curve flattens. At that point, investment in cyber insurance becomes an efficient means to further reduce risk.

In this podcast, Jim Cebula, the Technical Manager of CERT’s Cybersecurity Risk Management Team, and David White, Chief Knowledge Officer with Axio Global, discuss cyber insurance, its potential role in reducing operational and cybersecurity risk, and how organizations are using it today. We also discuss ongoing CERT research on this topic.

About the Speakers

James J. Cebula

Jim Cebula is the Technical Manager of the Cybersecurity Risk Management Team within the CERT Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Jim's current work focuses on risk management and information resilience, critical infrastructure resilience assessment, cloud computing, and cyber insurance. Jim joined CERT in 2009 after spending nearly 15 years in project management, IT, and security roles with Bechtel Corporation, most recently as a cybersecurity manager. He is a Certified Information Systems Security Professional (CISSP) and is a member of IEEE, ACM, and InfraGard.

David W. White

David White is a senior member of the technical staff in the CERT Program at the Software Engineering Institute (SEI), a college-level unit at Carnegie Mellon University. David is a core member of the development team for the CERT Resiliency Management Model (RMM), a process improvement model that provides guidelines for converging and managing security and business continuity from an operational risk perspective. In this role, David is performing technical development on the model and associated products and is leading numerous projects to assist organizations with their adoption and use of the model. David is an instructor for the Introduction to the CERT Resiliency Management Model course and lead appraiser for the RMM appraisal. Prior to his work in CERT, David held several other positions at the SEI, including management responsibilities for product strategy, contracts and licensing. Before joining the Software Engineering Institute, Mr. White served as vice president of a robotics company and had various responsibilities, including project management, software and hardware engineering, and business development. David has a bachelor's and a master's degree in engineering from Carnegie Mellon University. He is currently based in New York City.

Julia H. Allen

Julia Allen is a principal researcher within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, security governance, and measurement and analysis. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a Bachelor of Science in Computer Science (University of Michigan) and a Master of Science degree in Electrical Engineering (University of Southern California). Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2010).