Quantifying Risk: Innovative Approaches to Cybersecurity

Summary

The Framework for Improving Critical Infrastructure Cybersecurity, published by the National Institute of Standards and Technology (NIST) in 2014, helped drive a heightened focus on risk-based approaches to addressing cybersecurity concerns. The framework’s impact on the practice of cybersecurity has been universal but diffuse: while it put risk at the center of how organizations across the economy think and talk about cybersecurity, it did not provide the tools for cybersecurity professionals to measure and manage that risk. By any measure, the cyber ecosystem is in worse shape today than ever, and efforts—including the framework—to improve cybersecurity have not garnered the hoped-for results.

In virtually all other domains where critical assets or infrastructure are under threat, risk management involves rigorous, quantitative analysis to direct cost-effective investments in prevention or mitigation. Despite citing risk as the most important means to assess cybersecurity, quantitative risk analysis remains absent from most cybersecurity programs today. Neither the awareness of the problem nor the need for practical risk-based approaches to solve it is new. To cite just one example, a 2003 report on challenges in achieving trustworthy computing identified the need for the development of risk measurement for cyber risk within a decade. Instead, the situation today is worse than it was in 2003 when the experts met.

Making risk-based cybersecurity decision-making a reality requires the development of a measurement system that allows meaningful comparisons of risk among different organizations across industries. Even in the few organizations that make the effort to build metrics based on cyber risk, those apply only to the organization for which they were developed. One organization cannot measure its risk in a way that aligns with how its peers do or conduct any normal­ization against a generic baseline.

Some of the groundwork for developing a common set of cybersecurity metrics has already been done. For example, a Department of Homeland Security working group of insurance industry experts, convened in 2015, described the characteristics of the data that needs to be collected. The insurance industry has thus far failed to implement the requirements identified in that effort.

Changing the status quo to enable meaningful orga­nizational cybersecurity decision-making requires that the U.S. federal government play the role of honest broker and facilitate the development of a more quan­titative approach to cybersecurity, including by:

• Collecting broad-based data about past incidents and releasing anonymized data sets based on inci­dent reports that the private sector can use to build the tools and help organizations build cybersecu­rity capacity,
• Developing actuarial models that project the impact and likelihood of future incidents in quan­titative terms, and
• Facilitating the creation of metrics to enable concrete comparisons within and among a diver­sity of organizations.

This paper offers four recommendations to the U.S. federal government, to jump-start the effort at quan­tifying cybersecurity risk and making true risk-based analysis of cybersecurity a reality:

• The president should issue an executive order charging NIST with revising the Cybersecurity Framework in a way that focuses on quantifying cybersecurity risk and the secretary of commerce with developing initial quantitative cyber risk models from available data sources.
• Congress should create a Bureau of Cyber Statistics at the Commerce Department with a mandate to collect private-sector incident information.
• Congress should create a National Cyber Safety Board to investigate cyber incidents.
• The federal government should run an open innova­tion grand challenge to demonstrate how quantitative models can lead to better cybersecurity outcomes.