
Measuring Cyber Crime – how do you quantify how serious it is?

  • Writer: Mark Skilton
  • Mar 23, 2013
  • 3 min read

The Open Group Cloud Computing Work Group (http://www.opengroup.org) has been working on a Cloud Performance Metrics Paper that explores a range of measures, with example formulas and units of measure, to define the scope and context of on-demand, cloud-enabled performance. We hope to publish this soon; in it we give eighty potential metrics covering a range of performance contexts:

  • Business processes

  • Technology

  • Financial

  • Integration and orchestration

  • Development and DevOps

  • People and organization

  • Markets and social networks, gamification

  • Sustainability

  • Legal and contracts management

  • Security and compliance

In this blog I would like to draw attention to a specific area where performance impact and cyber security meet. It came to my attention recently through a great article on the subject in Communications of the ACM, which looks at how the dynamic between government, corporations and the public plays out in terms of reporting, trust and misinformation: http://cacm.acm.org/magazines/2013/3/161196-cybercrime-its-serious-but-exactly-how-serious/fulltext

The article introduces four key effects, but I think these are subjective and qualitative rather than quantitative in terms of what is really needed: a hard measurement basis for the risks and impacts.

  • Failure to report

  • Self-selection bias

  • No standard mechanisms for accounting losses

  • Undetected losses

In particular I want to focus on the third bullet point, the lack of standard mechanisms for accounting losses. I’ve had this come up on several occasions where the question is: how do you value and measure the cost of cyber security? Implementing a full range of systems that recognise the end-to-end systems and the protection points needed at devices, gateways, firewalls and encryption hardening is one thing, but the reporting and certification mechanisms may focus on the auditor’s needs and not the end-user’s rights and needs. It’s understandable that trust is a fickle issue when the domains of service may be difficult to describe and track, and when company and governmental reputational risk carries a huge weighting compared to the potential ease with which mistaken or deliberate misuse can occur in the use of IT services.

What I think is needed is more focus on metrics that define how the impact of security issues can be measured. Almost all the current standards on security seem to focus on qualitative judgements and policy guidelines, with the caveat that it’s “context” driven. I don’t think this can be just a judgement: a set of measures of security and compliance is a useful thing to define and then apply in the context of the user or organizational situation. Tools exist to track every digital aspect of a system’s usage, and even when the “unknown unknowns” occur (point four of the article) it’s still a battle of probabilities, in which I argue that some information is better than no information, and that it can mature with an effective cyber security strategy.

In the article the quotes are telling of these issues, but again they point to a media-driven perspective on the effects and not the underlying causes and the remediation needed.

“Cynics have charged that cyber crime stats are artificially inflated to scare more people into buying security software.”

and

“Many organizations simply don’t want to report to the government that they have had losses because they don’t trust how that information will be used.”

I think what is needed is a stronger focus on metrics and quantification of cyber risks and security, such that real quantification of impact is possible. After all, in other industries failure modes and effects analysis (FMEA), disaster recovery (DR) and business continuity (BC) are embedded into the aerospace and homeland security sectors. Yet why not apply these to everyday impacts and services? With the pervasiveness of big data in its true manifestation of billions of bytes and multitudes of devices and connections, this is no longer a single-sector issue.

Mark Skilton    Copyright 2019  ©