How do we quantify safety and security? That fundamental question underlies almost all modern national security questions (and, naturally, most commercial questions about risk as well). The cost/benefit analysis inherent in measuring safety and security drives decisions on, to cite just a few examples, new car safety devices, airplane maintenance schedules and the deployment of border security systems. In a world where resources are not infinite, some assessment of risk and risk mitigation necessarily attends any decision, whether it is implicit in the consideration or explicit.
What is true generally is equally true in the field of cybersecurity. Governments, commercial actors and private citizens who are considering new deployments of cybersecurity measures either explicitly or implicitly balance the costs to be incurred, whether monetary or in terms of disruptions caused by changes to the enterprise and the resulting (temporary) reductions in efficiency, against the benefits to be derived from the new steps under consideration.
The problem with this rather straightforward account of enterprise decision-making is that no universally recognized, generally accepted metric exists to measure and describe cybersecurity improvements. Unfortunately, for too many, cybersecurity remains more art than science.
Decision-makers are left to make choices based upon qualitative measures, rather than quantitative ones. They can (and do) understand that a new intrusion detection system, for example, improves the security of an enterprise, but they cannot say with any confidence by how much it does so. Likewise, enterprise leadership can, and does, say that any deployment of a new system (say, an upgrade to an accounting package) will bring with it risks that unknown or previously non-existent vulnerabilities might manifest themselves. Yet, again, they cannot say with confidence to what degree this is so, nor measure the change with confidence.
This challenge is fundamental to the maturation of an enterprise cybersecurity model. When a corporate board is faced with a security investment decision, it cannot rationally decide how to proceed without some concrete ability to measure the costs and benefits of its actions. Nor can it colorably choose between competing possible investments if their comparative value cannot be measured with confidence. Likewise, when governments choose to invest public resources or regulate private sector activities, they need to do so with as much information as possible; indeed, prudence demands it.
Because the problem of measuring cybersecurity is at the core of sound policy, law and business judgment, it is critical to get right. The absence of agreed-upon metrics to assess cybersecurity means many companies and agencies lack a comprehensive way to measure concrete improvements in their security. We should strive toward an end state where investment and resource allocation decisions relating to cybersecurity are guided by reference to one (or more than one) generally accepted, readily applicable method of measuring improvements in cybersecurity.
Progress in Cybersecurity: Toward a System of Measurement by Paul Rosenzweig:
It's not often I can write a piece about cybersecurity that is generally optimistic. But these two new efforts do make me smile a bit.
One of the challenges of a security program, of course, is how to measure objectively how well the program is working.
It is a good read focused on software.