Much like the Internet itself, artificial intelligence (AI) and machine learning (ML) are already becoming ubiquitous tools in many organizations. In 2021, private investment in AI totaled around $93.5 billion, nearly double the investment in 2020. Also, as with the Internet, the use of AI and ML tools can provide dramatically enhanced business opportunities in terms of efficiency, innovation, and customer service. At the same time, the use of AI and ML can create vast new risks in terms of cybersecurity. The National Security Commission on Artificial Intelligence found that “AI applications are transforming existing threats, creating new classes of threats, and further emboldening state and non-state actors to exploit vulnerabilities in the US open society.”
Just as with the flip side of many other risks, certain applications of AI and ML tools can be used to enhance an organization’s cybersecurity and lessen its risks. It is critical that the board work with management to understand the risk-reward balance of the specific uses of AI/ML their organization should embrace. This toolkit consists of two lists of questions to help guide the board’s oversight of these advanced digital techniques. The first list is for the board’s overall consideration of using various AI/ML techniques. The second list focuses on the specific issues in the use of AI for cybersecurity.
DEFINING ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING
“Artificial Intelligence (AI), a term coined by emeritus Stanford Professor John McCarthy in 1955, was defined by him as ‘the science and engineering of making intelligent machines’. Much research has humans program machines to behave in a clever way, like playing chess, but, today, we emphasize machines that can learn, at least somewhat like human beings do.
Machine Learning (ML) is the part of AI studying how computer agents can improve their perception, knowledge, thinking, or actions based on experience or data. For this, ML draws from computer science, statistics, psychology, neuroscience, economics and control theory.”
Source: Professor Christopher Manning, Stanford University, 2020.
GENERAL QUESTIONS FOR THE BOARD TO CONSIDER IN OVERALL USE OF AI/ML
- What is the goal for the company or organization to employ this system?
- What is the plan to build or deploy this AI or ML application responsibly?
- What type of system is the company using: process automation, cognitive insight, cognitive engagement, or some other type? Do our board and management understand how this system works?
- What are the economic benefits of the chosen system?
- What are the estimated costs of not implementing such a system?
- Are there any potential alternatives to the AI or ML systems in question?
- How easy will it be for an adversary to execute an attack on the system based on the technical characteristics?
- What is the organization’s strategy to validate data set collection practices?
- How will the company prevent inaccuracies that may exist in the data set?
- What will be the damage incurred from an attack on the system in terms of the likelihood and the ramifications of the attack?
- How frequently will the company review and update its data policies?
- What is the organization’s response plan for cyberattacks involving these systems?
- What is the company’s plan to audit the AI system?
- Should the company create a new team to audit the AI or ML system?
- Should the company build an educational program for its staff to learn about the use and risks of AI and ML in general?
QUESTIONS FOR THE BOARD OF DIRECTORS TO ASK WHEN DECIDING WHETHER TO USE AI FOR CYBERSECURITY PURPOSES
- What is the company’s overall road map to implementing AI and/or ML in cybersecurity?
- What are the cybersecurity goals that the organization is trying to achieve by implementing this AI or ML solution?
- How will the system toughen the company’s security stance? How will success be measured?
- What is the estimated harm that the company will face without the system?
- What are the new cybersecurity vulnerabilities that the company will face in employing the system?
- What type of cyberattack is the system designed to detect, predict, and respond to?
- Is the system prepared to detect and weather a ransomware attack?
- How would implementing such a system affect the organization’s cybersecurity team? What are the benefits and risks associated with the tool’s use by the team?
- Should the company expand or update the current cybersecurity team?
- How much would it cost for the company to create a new cybersecurity team?
- Are there any positions that the company doesn’t need any more due to employing the AI or ML cybersecurity system?
- Should the company create a sub-team to monitor the outcomes and findings of the new system?
- Will implementing such a system affect the company’s cyber insurance enrollment?
- Are there any potential legal consequences of not implementing AI/ML in a cybersecurity system?