- The Washington Times - Monday, September 15, 2008

How do you measure the cost-effectiveness of cybersecurity efforts?

An 80-member group brought together by the nonprofit Center for Internet Security says that because most methods of evaluating cybersecurity count what measures are taken rather than how successful they are, there is no way to gauge their cost-effectiveness.

The experts aim, according to the center’s chief executive officer Bert Miuccio, is to create measurements that are “unambiguous and specific.” And for the first time, any enterprise - whether it is a small or large business, government office or whole agency - will have methods for measuring key aspects of information security status.

Mr. Miuccio said what is being measured now are the security procedures adopted by a business or government department, and there is no way of judging what the outcomes are.

“There is no way to consistently correlate [compliance with cybersecurity measures] with specific outcomes,” like a reduction in the number of attacks, or improved response times to security incidents, said Mr. Miuccio.

Thus, there is no way to judge the cost-effectiveness of such measures and executives end up making security investment decisions “on an intuitive basis,” he said.

Existing standards fit well with a bureaucratic mindset, said Arthur Coviello, president of computer security firm RSA. “If you focus on [the real] risks [of a cyberattack] and something happens and you are not in compliance, you can get fired,” he said. “No one ever got fired for being in compliance,” no matter how many times they got attacked.

The new standards, said Mr. Miuccio, will give security executives and officials an objective way to count the success or failure of various security initiatives by including measures such as the average time between security incidents, and how long it takes the enterprise to recover from them.

“It has been well-documented that cybersecurity breaches cost American consumers and businesses billions of dollars a year,” said John Noftsinger, of James Madison University´s Institute for Infrastructure and Information Assurance. But to turn the tide against hackers and cybercriminals and “produce a downward trend of cyber intrusions,” standards “must contain a reliable system of metrics that can determine what outcomes are realized as a result of cybersecurity efforts.”

“What makes this effort particularly attractive to those of us in cyberdefense and homeland security policy,” he added, is the “consensus-based” process in which the center “collaborated with industry, government, and academia to develop the metrics, as the National Institute for Standards and Technology has been working on this issue for at least three years.”

Lawrence Gordon, a professor at Maryland University´s Robert H. Smith School of Business, agreed there was a need for “well-defined, quantitative metrics associated with cybersecurity,” like those the center was trying to develop. But he remained unsure whether they could fulfill what he saw as one of most important tasks confronting cybersecurity experts: “the need to develop a rigorous economic metric for evaluating the cost-benefit aspects of cybersecurity investments.”

“Without such a metric, it is difficult, if not impossible, for organizations to efficiently allocate resources to cybersecurity activities,” he said.

Mr. Miuccio said the new standards would be developed by the end of the year, based on eight conceptual categories that they published this week. But the real work is still ahead.

“If you ask 10 people how to measure any one of (the eight conceptual categories), you would receive 10 different answers.” The challenge now is to develop consistent, specific benchmarks “prerequisites for understanding and communicating an enterprise’s security status over time,” he said.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide