Measuring the Immeasurable: IT SecurityA Year After Its Debut, Index of Cybersecurity Rises by 30 Percent
It's been just over a year since Dan Geer and Mukul Pareek teamed up to create the Index of Cybersecurity, which measures IT security and information risk practitioners' perception of cybersecurity risk (see New Index Measures Cyberspace Safety).
In a year and a month since its debut, the index has risen by nearly 30 percent, from a base value of 1,000 in March 2011 to 1,292 in April 2012, averaging about 2 percent a month. Last month, the index grew by 2.2 percent. A higher index value indicates a perception of increasing risk (see chart below).
Factors driving up the index vary from month to month, but the clear takeaway of 13 months of surveys is that those in the trenches of IT security - chief information security officers, chief risk officers, academicians engaged in field work and chief scientists at security product vendors - are getting more apprehensive about safeguarding IT.
"Strictly speaking, it means that the people who are the professionals in the field have viewed the overall risk from their individual positions as having increased substantially over time, and to increase on a relatively regular basis as well," Geer says in a conversation I had with him and Pareek (the interview with Geer and Pareek will be posted here in the coming days).
"Unless you want to argue that the experts in field are in someway misinformed, it is telling us that the risk in the cybersecurity arena is itself growing, and by asking people who have the kinds of job descriptions you mentioned, we think we're getting the best information available for something that is otherwise largely unmeasurable," Geer says.
(The index is Geer's and Pareek's avocation; both have day jobs, and their employers are not involved with the index. Geer is chief information security officer of In-Q-Tel, an independent strategic investment firm that identifies emerging technologies for the U.S. intelligence community. Pareek works as a risk management consultant.)
A key finding from the April survey shows a willingness among organizations to share cyberthreat information with others in their industries, a fact Pareek says doesn't get much attention in the media. Since its inception, the sub-index for information sharing has increased each month, and Pareek says that's very telling. "Clearly, industry groups and consortiums, national CERT (computer emergency response teams) organizations, the ISACs (information sharing analysis centers) and other forums that companies are increasingly participating in are making a noticeable impact," he says.
Still, respondents in April voiced concerns about risks from sharing information with third parties such as outsourcers and those in the extended enterprise as well as threats from hacktivists. As a comparison, the key concerns among IT security practitioners a year earlier, in April 2011, included malware and threats from nation-states.
"In any given month what is the most influential issue - whether it's malware or hacktivism or counterparties or any of the other things we asked about - has varied a great deal," Geer says. "But what hasn't varied (is a) relatively steady ... increase (in the overall cybersecurity index).
"On the other hand, the rate of increase does vary month by month, and the constituents of what contributes to that rate of increase vary even more month to month. This is sort of an open question yet as to what's going on here other than, of course, methodologically speaking, what we are asking experts what they see."
First-Hand Experience in Day-to-Day IT Security
Those experts are vetted by Geer and Pareek to assure they have respondents have first-hand experience dealing with the day-to-day dynamics of cybersecurity. The list of survey takers isn't large, about 200, though on average about 100 take the survey online each month. The index's co-publishers want to expand that list significantly, and are taking suggestions from current respondents for new participants.
For taking the survey, the respondents receive a report that provides a far more detailed analysis of each month's findings than what appears on the index's website. Neither Geer nor Pareek mind if respondents share the monthly analysis with others; in fact, they encourage it.
If you feel you're qualified, you can ask Geer and Pareek to consider you, but they caution that they're very picky on whom they'll add to the list of respondents. Interested? Contact them by e-mail at email@example.com or firstname.lastname@example.org.
In the coming months, Geer and Pareek will tweak the survey, jettisoning some current questions they feel no longer add value, and adding new ones, such as on cloud security. The addition of new and deletion of old questions won't have an impact on the overall cybersecurity index, just as the adding and removing companies on the Dow Jones Industrial Average don't change that measurement. But will a revised cybersecurity index mirror the rollercoaster ride of the stock index or continue its upward movement that reflects the anxiety of the IT security professionals in the trenches? Stay tuned.