Indexing risk perception

Angela Moscaritolo, senior reporter, SC Magazine

In the complex world of cybersecurity, it often is difficult to know which threats pose the most risk.

A new index developed by leading security thinker Dan Geer and risk management consultant Mukul Pareek aims to tackle that issue by measuring security practitioners' perceptions of various cyber risks. The Index of Cybersecurity, launched in April, is based on a monthly survey of 300 security pros, who are asked whether threats, as well as their own defenses and the extent of information-sharing among peers, are falling, static or rising compared to the previous month.

The index, which has been on a steady ascent since March, provides a baseline to which others can compare their own views, said Geer, chief security officer of the Central Intelligence Agency's investment arm, In-Q-Tel.

“That allows me to make decisions,” Geer said. “My peers see the world as getting better or worse. [The index] is decision support for those outside the survey.”

Some have questioned the effort, however, for measuring perception, rather than actual risks, such as the number of individual attacks or vulnerabilities.

“I'm not sure how useful it will be for aiding decision-making,” said Jon Gossels, president and CEO of consultancy System Experts. “You want to make decisions based on real statistics.”

Even the best security practitioners, who are time-strapped and inundated with vendor hype, lack a complete knowledge of the threat environment, said Joshua Corman, research director of the enterprise security practice at analyst firm The 451 Group.

Also, risk is not consistent across the board, said John Pescatore, vice president and research fellow at consultancy Gartner.

“The risk for a bank in Bombay is always going to be different than the risk for a video game manufacturer in Mountain View,” he said.

But Geer pointed out that others have, for some time, been measuring actual cyber risks – with mixed results. Usually such efforts are hampered by disagreements about the definition of reality, such as what constitutes a unique vulnerability. The index instead takes a wisdom-of-crowds-type approach.

“The reason for creating a sentiment-based index is to say experts are of the following opinion – however they came to it,” Geer said.