Indexing risk perception
Angela Moscaritolo, senior reporter, SC Magazine
In the complex world of cybersecurity, it often is difficult to know which threats pose the most risk.
A new index developed by leading security thinker Dan Geer and risk management consultant Mukul Pareek aims to tackle that issue by measuring security practitioners' perceptions of various cyber risks. The Index of Cybersecurity, launched in April, is based on a monthly survey of 300 security pros, who are asked whether threats, as well as their own defenses and the extent of information-sharing among peers, are falling, static or rising compared to the previous month.The index, which has been on a steady ascent since March, provides a baseline to which others can compare their own views, said Geer, chief security officer of the Central Intelligence Agency's investment arm, In-Q-Tel.
“That allows me to make decisions,” Geer said. “My peers see the world as getting better or worse. [The index] is decision support for those outside the survey.”
Some have questioned the effort, however, for measuring perception, rather than actual risks, such as the number of individual attacks or vulnerabilities.
“I'm not sure how useful it will be for aiding decision-making,” said Jon Gossels, president and CEO of consultancy System Experts. “You want to make decisions based on real statistics.”
Even the best security practitioners, who are time-strapped and inundated with vendor hype, lack a complete knowledge of the threat environment, said Joshua Corman, research director of the enterprise security practice at analyst firm The 451 Group.
Also, risk is not consistent across the board, said John Pescatore, vice president and research fellow at consultancy Gartner.
“The risk for a bank in Bombay is always going to be different than the risk for a video game manufacturer in Mountain View,” he said.
But Geer pointed out that others have, for some time, been measuring actual cyber risks – with mixed results. Usually such efforts are hampered by disagreements about the definition of reality, such as what constitutes a unique vulnerability. This instead constitutes a wisdom-of-crowds-type approach.“The reason for creating a sentiment-based index is to say experts are of the following opinion – how ever they came to it,” Geer said.