Perspective: Assessing Cyber Risk from External Information

Published 11 May 2020

There is a vision for the future of assessing cybersecurity: The goal is a system of cyber metrics that are transparent, auditable, practical, scalable and widely agreed upon. To that end, it is useful—indeed, imperative—to evaluate various approaches to cyber risk quantification with the aim of informing the development of a public standard for measuring cybersecurity.

Paul Rosenzweig writes in Lawfare, recalling an earlier note he published on Lawfare:

[W]hen governments, commercial actors and private citizens think about new deployments of cybersecurity measures, they either explicitly or implicitly balance the costs to be incurred (whether monetary or nonmonetary, this includes disruptions caused by changes to the enterprise and the resulting, temporary, reductions in efficiency) against the benefits to be derived from the new steps under consideration. And yet there are no generally accepted metrics by which to measure and describe cybersecurity improvements. …

His current post is the first in a series that will look at the problem of cyber metrics from different perspectives. The goal of this series is to lay out in understandable terms various ways in which metrics might be developed and to assess their respective strengths and weaknesses.

He concludes:

When all is said and done, this exercise leaves us with several questions that need to be answered for an effective system of external cyber metrics to be developed:

● First, do we need a standard metric, akin to generally accepted accounting principles, or are divergent standards appropriate?

● If there is a standard, who sets it?

● Is there another macro-risk standard that serves as a good example or reference point?

● And, finally, what would an assurance/audit process look like?

These are by no means trivial questions. Nor can one confidently say that they are capable of being answered definitively at this time. But I suspect that they are capable of resolution and, thus, that the search for cybersecurity metrics can be advanced by looking to external evaluation as one component of a larger suite of tools.