An intriguing new project to measure cyber-security risks has launched. The Index of Cyber Security, run by Dan Geer and Mukul Pareek, seeks to deal with the quick change of specific security threats by establishing a consensus among security professionals, using what they call "sentiment-based" metrics.
The index starts out at base 1,000 and increases or decreases based on active threats. The report is monthly. The inaugural report, for April, gives a cyber-security threat index of 1,021.6.
With the increase in the amount of sheer data available to anyone, access to it only takes one so far. How do we process data so it produces actionable information, even knowledge? Expert consensus is a reasonable measurement. We use it already when it comes to recommendations from friends, peers and experts. Why not security professionals?
It is not just a rule-of-thumb calculation, however. It seems clear these gentlemen aren't afraid of math, and they go into some detail on how their index is created. The short version is that they have created an absolute index (as opposed to one that is relative month-to-month) based on a list of questions, each of which is weighted equally on a five-point Likert scale.
Key findings from their inaugural report include the recognition that nation-states are a problem.
- Most respondents feel that the biggest increase in threat over the past month has been from malware in its countless forms.
- The threat from nation-states is considered an increasing threat, as is the threat of targeted attempts to steal industrial data.
- The risk due to a compromise at a third-party with access to data is also considered a rising threat.
- Overall, security professionals felt that cyber security in the aggregate has worsened, including that of online transactions they conduct as part of their personal lives.
- On the positive side, respondents believe that the value and protection received from government and regulators is improving, though the cost of regulation is also going up.
- Threats from malicious insiders, internet-based attacks, and political- or ideology-based attacks are only marginally up compared to the previous month.
"An index produced without collaboration with industry professionals/CISOs may intrigue their curiosity, but may never get adopted," they said on the ICS site. "By involving 100 up to 300 CISOs or security practitioners in a survey based process, we gain better acceptance of the index and adoption by their organizations as their participation means they are 'invested' in the index."
It will be interesting to see if the ICS is accepted as a standard metric.