May 09, 2011, 10:07 AM — Are attacks up, spending on network defenses down, or national hacking on the rise? The Index of Cybersecurity could help indicate the general trend in the risks to corporate networks and information in the future.
The index, launched by two security professionals, is a survey that attempts to gauge the state of cybersecurity by measuring the overall sentiment of operational experts. Much like the consumer confidence index, which measures U.S. citizens' optimism about their economic future, the index focuses on experts' overall perception of current threats and defenses.
The index is an experiment that could prove to be a useful way to gauge the overall security situation online, says Dan Geer, the co-creator of the index and the chief security officer of In-Q-Tel, the investment arm of the Central Intelligence Agency. While Geer has attempted to create other indices based on measures of threat, good data was not always available, he said.
"It is not like we are overwhelmed with useful numbers; we are short on them," he says. His conclusion: Focus on the data that you know you can get.
"Maybe we shouldn't be trying to measure the concrete, but trying to measure the opinion of people who know something," he says. "Because it may well be that the opinion of people that know something may have more coherence than anything we know how to measure, or have the permission to measure, on a wide scale."
The cybersecurity index measures the outlook of 300 or so security operations managers -- from chief risk officers and chief security information officers to academicians and security firm chief scientists. The index measures their responses over time. Questions vary from whether certain threats -- such as malware, insider threats, or industrial espionage -- have become worse to whether information sharing and defenses have improved. Each respondent answers on a five-point scale: falling fast, falling, static, rising, or rising fast.
Geer and co-creator Mukul Pareek, a risk professional who asked that his company not be identified, believe that the cybersecurity risk index could have practical uses. Cyber risk insurers could use the metric as a way to hedge their risks, for example.