The 80-strong group, brought together by the non-profit Center for Internet Security, says that because most ways of measuring cybersecurity at the moment -- including the federal government's own internal standards -- count what measures are taken, rather than how successful they are, there is no way to make cost-effectiveness judgments about spending on cybersecurity.
The experts' aim, according to the center's CEO Bert Miuccio, is to create metrics that are "user-originated, in the sense that they are products of consensus … among a large group of security experts from leading commercial, government and academic organizations."
The measurements must be "unambiguous and specific," Miuccio told United Press International in an interview. And for the first time, any enterprise, whether it is a small or large business, government office or whole agency, will have "methods for measuring key aspects of the(ir) information security status."
"Current regulatory requirements (for cybersecurity) are focused on compliance with process- and practice-based standards," Miuccio said.
That means that what is being measured are the security procedures adopted by a business or government department, and there is no way of judging what the outcomes are.
"There is no way to consistently correlate (compliance with cybersecurity measures) with specific outcomes," such as a reduction in the number of attacks or improved response times to security incidents, said Miuccio.
Thus, there is no way to judge the cost-effectiveness of such measures, and executives end up making security investment decisions "on an intuitive basis," he said.
Existing standards fit well with a bureaucratic mindset, said Arthur Coviello, president of computer security firm RSA. "If you focus on (the real) risks (of a cyberattack) and something happens and you are not in compliance, you can get fired," he said. "No one ever got fired for being in compliance," no matter how many times they got attacked.
The new standards, said Miuccio, will give security executives and officials an objective way to count the success or failure of various security initiatives by including measures like the average time between security incidents and how long it takes the enterprise to recover from them.
"It has been well documented that cybersecurity breaches cost American consumers and businesses billions of dollars a year," said John Noftsinger of James Madison University's Institute for Infrastructure and Information Assurance. But to turn the tide against hackers and cybercriminals and "produce a downward trend of cyber intrusions," standards "must contain a reliable system of metrics that can determine what outcomes are realized as a result of cybersecurity efforts."
Noftsinger lauded what he called the Center for Internet Security's "effort to refocus the attention on outcomes."
"What makes this effort particularly attractive to those of us in cyberdefense and homeland security policy," he added, is the "consensus-based" process in which the center "collaborated with industry, government and academia to develop the metrics, as the National Institute for Standards and Technology has been working on this issue for at least three years."
Professor Lawrence Gordon of the University of Maryland's Robert H. Smith School of Business agreed there was a crying need for "well defined, quantitative metrics associated with cybersecurity" such as those the center was trying to develop. But he remained unsure whether they could fulfill what he saw as one of most important tasks confronting cybersecurity experts: "the need to develop a rigorous economic metric for evaluating the cost-benefit aspects of cybersecurity investments."
"Without such a metric, it is difficult, if not impossible, for organizations to efficiently allocate resources to cybersecurity activities," he told UPI.
Miuccio said the new standards would be developed by the end of the year based on eight conceptual categories that they published this week. But the real work is still ahead.
"If you ask 10 people how to measure any one of (the eight conceptual categories), you would receive 10 different answers." The challenge now was to develop consistent, specific benchmarks -- "prerequisites for understanding and communicating an enterprise's security status over time."
In time, he added, the new measures also would allow enterprises to "analyze their outcomes compared to others in their industry verticals" because the center would provide anonymized data from other businesses or departments against which they could measure their own performance.
Suppose September 11 never happened
The politics of revenge