How to Measure Cybersecurity

Paul Rosenzweig observed recently on Lawfare that there are “no universally recognized, generally accepted metrics by which to measure and describe cybersecurity improvements” and that, as a result, decision-makers “are left to make choices about cybersecurity implementation based on qualitative measures rather than quantitative ones.” Rosenzweig is working with the R Street Institute to build a consensus on useful metrics.
By raising the question of what tools those with the responsibility to make an organization’s cybersecurity investment decisions should use, Rosenzweig has already made a significant contribution. But his search for quantitative metrics and dismissal of qualitative metrics ignores the dynamic nature of the challenge of ensuring cybersecurity, as well as the critical role of processes and procedures. Cybersecurity is a matter not just of the equipment and tools in place but also of how the equipment and tools are used by people, and how the organization ensures that the equipment and tools and methods of use are kept up to date. Qualitative measures that are discernible and reproducible are and will continue to be essential in helping to guide sound investment and operational decisions.
There appears to be a huge societal underinvestment in cybersecurity. If the report of the Council of Economic Advisers (CEA) on “The Cost of Malicious Cyber Activity to the U.S. Economy” (February 2018) is to be believed, the cost that malicious cyber activity imposed on the U.S. economy in 2016 alone ranges from $57 billion to a staggering $109 billion. According to Gartner, firms worldwide spent $81.6 billion on information security in that same year. The comparison between the costs of malicious cyber activity on the U.S. economy and the amount of money spent worldwide on cybersecurity does not tell us very much. It is unknown, for example, how much was spent on cybersecurity in the United States alone; it is unknown what the costs to the U.S. economy would have been if the amount spent on cybersecurity had not been spent; it is unknown what the additional cost would have been of the cybersecurity measures needed to eliminate the $57 billion to $109 billion in costs to the U.S. economy (if elimination of all costs would even be possible); and it is unknown whether the costs of measures necessary to reduce the costs of malicious cyber activity are asymptotic. That is, do the costs of eliminating risk approach infinity as the remaining costs of malicious cyber activity approach zero, and if so, where is the crossover point between cost-effective and money-wasting expenditures on cybersecurity?
Still, the available information shows that many organizations are simply spending too little. They are not deploying even low-cost measures that could substantially reduce the incidence of malicious cyber activity, and they are failing to keep their defenses up to date. Malicious cyber actors have learned that small and medium-sized entities constitute the soft underbelly of the United States’ cyber infrastructure, and they also know that through this soft underbelly it is possible to impose substantial costs throughout the economy.