A June 2015 report reveals that perceptions of the impact of 50 different security issues are worsening across the board. This is one of the latest reports released by the Index of Cyber Security, a sentiment-based measure which helps evaluate the level of risk posed by a number of security threat areas to corporations, governments, and other organizations.
Founded by risk professionals Dan Geer and Mukul Pareek, the Index takes into consideration the fact that financial risk differs from information security risk in several respects: risk premiums (there is generally no measurable positive return for an information security risk but only the hope that a downslide will be avoided), relative importance (whereas market and credit risks are common factors in a business' failure, the Index's creators judge information security risks to not be as directly associated with bankruptcy), and fungibility (information security risks cannot be hedged against because all assets are not identical).
Geer and Pareek have therefore structured their Index as a survey in order to measure the sentiments of security professionals who are active in the industry. This particular format allows the Index to survey personnel on a broad range of security issues with a transparent methodology, which the authors argue translates into better acceptance and credibility for their Index.
Using a baseline of 1,000 – the Index's inaugural reading for March 2011 – the Index read 2,764 at the end of June. This figure is 1.7% higher than May's reading of 2,717. The rate of increase was also 0.1% greater than in the previous month. Other notable findings of the Index include:
- "Overall: Media & public perception" was voted the top risk perception and the fastest growing risk for June. In May, this sub-index was valued at 8,177.7. Respondents have since voted this category up to a value of 8,570.8 – a 4.8% increase.
- The second and third top risk perceptions were valued at only half of "Overall: Media & public perception." "Target: Counterparties" received a value of 4,177.2, with "Target: Web facing applications" close behind at 4,028.3.
- "Attackers: Nation states" experienced the second fastest growth at 4.1%. This sub-index was followed by "Effect desired: Data theft" at 3.3%.
In addition to reviewing the regular sub-indices, June's report asked respondents the following question: "Change management failures can lead to catastrophic operational failures (eg, Knight Capital). Yet, the relationship between change management and security strategy has never really been too clear. How have security considerations affected your change management processes?"
Approximately 40% of those who participated in the survey answered that their change management processes were evolving as a result of factors other than security, whereas 32% collectively stated that the desire to meet stricter certification requirements and/or to create a "moving target defense" helped spur these changes. The remainder of participants reported that their change management processes had not undergone any variation.
Source: The Index of Cyber Security
Of the 50 sub-indices reviewed in June, only "Attackers: Insider threat" and "Overall: False claims of digital identity" reported some improvement in respondents' perception. The remaining categories either remained stagnant or, in the case of areas such as "Weapons: Phishing/social engineering," "Attackers: Criminals," and "Target: End points," showed notable deterioration of perception. These areas reflected respondents' reactions to the Hacking Team leaks and the Office of Personnel Management breach, among other high-profile security incidents.
One of the participants in June's Index was Dwayne Melancon, CTO at Tripwire. Here is what he had to say about the Index of Cyber Security:
"I participate in the 'Index' because it provides a good perspective on the current sentiment of IT professionals, with regard to active threats and the perception in the media that contributes to how organizations view security. I think of it as a ‘heat map’ of the issues either impacting or causing concern with companies involved in actually implementing cyber security," said Melancon. "Like most forms of effective information sharing, the data related in the ICS can help inform IT leaders’ decisions and actions based on real-world observations from other companies, while protecting the identities of the organizations involved."
As more people learn of the Index, it is the hope of Geer and Pareek that security researchers, industry professionals, media outlets, product vendors, and even financial markets will appeal to its data in an effort to understand today's emerging security threats.