While not many would argue that there is a shortage of data available detailing every minutia of risk and vulnerability in cyberspace, many will agree that what is in short demand is reliable analysis of what the data means and how security professionals should utilize it.
Security vendors produce reports that provide impetus to purchase their products and services; industry groups produce studies that seek to focus the public's attention on particular issues they advocate for; and government agencies release data that generally seeks to one-up other departments in the never ending battle for funding and relevance.
In short, there is a great deal of knowledge being produced by special interests whose focus is on self-perpetuation.
What security professionals on the front-lines in both the public and private sector thirst for is a resource that provides impartial and actionable intelligence free of interpretations driven by underlying agendas.
The Index of Cyber Security (ICS), founded by security practitioners Dan Geer and Mukul Pareek, is aiming to be that resource.
According to the ICS website, "the Index of Cyber Security is a sentiment-based measure of the risk to the corporate, industrial, and governmental information infrastructure from a spectrum of cybersecurity threats. It is sentiment-based in recognition of the rapid change in cybersecurity threats and postures, the state of cybersecurity metrics as a practical art, and the degree of uncertainty in any risk-centered field. In short, the Index of Cyber Security aggregates the views of information security industry professionals as expressed through a monthly survey. Its form is an index for reasons that will become apparent."
What makes the ICS endeavor unique is that it does not focus on the aggregation of raw security data and statistics, but instead seeks to measure the broader consensus of information security experts in the field.
The ICS looks at trending issues in security and provides an overview of what issues are resonating with leading security professionals in the field, and seeks to gauge how the industry as a whole is reacting to rapidly changing threats.
"It is not like we are overwhelmed with useful numbers; we are short on them. Maybe we shouldn't be trying to measure the concrete, but trying to measure the opinion of people who know something. Because it may well be that the opinion of people that know something may have more coherence than anything we know how to measure, or have the permission to measure, on a wide scale," said Geer.
Key findings in the inaugural report include:
- Most respondents feel that the biggest increase in threat over the past month has been from malware in its countless forms.
- The threat from nation-states is considered an increasing threat, as is the threat of targeted attempts to steal industrial data.
- The risk due to a compromise at a third-party with access to data is also considered a rising threat.
- Overall, security professionals felt that cyber security in the aggregate has worsened, including that of online transactions they conduct as part of their personal lives.
- On the positive side, respondents believe that the value and protection received from government and regulators is improving, though the cost of regulation is also going up.
- Threats from malicious insiders, internet based attacks, and political- or ideology-based attacks are only marginally up compared to the previous month.
The creators of the index seem to be approaching the project with their eyes wide open, and readily acknowledge the challenges inherent in developing a meaningful tool that can have a measurable impact on day to day security operations:
"The task of creating an information security index suitable for hedging such security risks faces two key challenges. The first is how the index can be calculated in a credible way, and, second, the specification for the securities that could be based on such an index and the design of the markets where these could be traded. This project deals with the first problem. The second challenge may be addressed as a subsequent project upon the success of the first one."
The ICS website gives plenty of indications that development of the index will be an ongoing effort that is open to adaptation through some trial and error, as well as being responsive to the input of participants. The evolution of the project will be quite interesting to follow.