Quantifying the safety or danger of cyberspace is tough. But a highly respected IT security practitioner and an experienced risk management consultant have teamed up to develop an index they contend reflects the relative security of cyberspace by aggregating the views of information security industry professionals.
"You don't have much to compare to in this field because hard numbers are very hard to get," says Dan Geer, who along with Mukul Pareek developed the Index of Cybersecurity, a sentiment-based measure of the risk to the corporate, industrial and governmental information infrastructure from a range of cyberthreats.
Geer and Pareek launched the index in April and, in an interview with Information Security Media Group's GovInfoSecurity.com, say it could be months before its value to government and private-sector information security officers is known.
But Geer says he suspects the index will serve as a baseline for information security officers to compare their organizations' performance against the general state of IT security. "An information security officer has among other questions the perpetual one of: Am I being targeted, am I different, what are other people seeing, is there a baseline I can compare myself to?" Geer says. "And, it's a constant problem. In fact, unless you do some sort of information sharing, there is little way to tell whether your observations are unique or typical or altogether ordinary except for one feature or the like."
The cybersecurity index features 15 sub-indices that measure malware threats, intrusion pressures, insider threat, industrial espionage, information sharing and media and public perception, to name a few. "It allows (security officers) to compare their views with what others are reporting and if their efforts are focused on the right track," Pareek says.
In the interview, Geer and Pareek also explain how the index works and how it could be employed, for example as a metric to assess cybersecurity insurance policies.
Geer is chief information security officer of In-Q-Tel, an independent strategic investment firm that identifies emerging technologies to support the missions of the U.S. intelligence community. Geer says In-Q-Tel was not involved in the creation of the cybersecurity index.
Pareek has worked as a vice president at a major investment bank and as a senior manager for a Big 4 accounting and consulting firm.