Upload File

metrics for organizational cybersecurity practices

  • Home
  • Documents
  • Metrics for Organizational Cybersecurity Practices
15
Metrics for Organizational Cybersecurity Practices Benjamin C. Dean Consultant to OECD Secretariat Metricon X Stevens Institute of Technology Jersey City, NJ, USA March 22, 2019

Upload: others

Post on 12-Jan-2022

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Metrics for Organizational Cybersecurity Practices

Metrics for Organizational Cybersecurity Practices

Benjamin C. DeanConsultant to OECD Secretariat

Metricon XStevens Institute of Technology

Jersey City, NJ, USA

March 22, 2019

Page 2: Metrics for Organizational Cybersecurity Practices

Agenda

• The problem • OECD project overview• Framework• Lessons + recommendations• Q&A

20 2 , @ . 2

09 01 09 0 A 1 2 2 0 2

Page 3: Metrics for Organizational Cybersecurity Practices

The Problem: unanswerable questions

3

Cybercrimes against businesses, US Dept. of Justice, 2005

Page 4: Metrics for Organizational Cybersecurity Practices

The Problem: laundry lists

4

ABACUS survey, Australia, 2009

Page 5: Metrics for Organizational Cybersecurity Practices

The Problem: not technically informed

5

Survey on information security in businesses, Korea, 2015

20 2 , @ .

09 01 09 0 A 1 2 2 0 2

Page 6: Metrics for Organizational Cybersecurity Practices

The Problem: poorly worded concepts

6

Community survey on ICT usage and e-commerce in enterprises, Eurostat, 2019

20 2 , @ .

09 01 09 0 A 1 2 2 0 2

Page 7: Metrics for Organizational Cybersecurity Practices

Project overview

• Goals: Establish a measurement framework of digital security risk management practices (particularly SMEs)• Make it:• Conceptually clear• Succinct• Organisational – not technical• Focus on what is done i.e. practices• Relevant to policymakers

720 2 , @ .

09 01 09 0 A 1 2 2 0 2

Page 8: Metrics for Organizational Cybersecurity Practices

Project overview

• Timeline: 2-year project• Audience: policymakers, national statistical offices, insurers• Final report (soon to be published):• Section 1: methodological issues• Section 2: the measurement framework• Section 3: pilot results• Recommendations

820 2 , @ .

09 01 09 0 A 1 2 2 0 2

Page 9: Metrics for Organizational Cybersecurity Practices

Framework built on OECD principles

9

Page 10: Metrics for Organizational Cybersecurity Practices

Short framework explanation

• Six modules with eighteen indicators

• Uses OECD “model survey” framework• Governance – who is in charge, how are decisions made, do you communicate

internally?

• Risk assessment – what do you do to assess your risks?

• Risk treatment:• Risk reduction – what do you do to reduce your risks? Is it informed by risk assessment?

• Risk transfer - what do you do to transfer your risks? Why?

• Risk awareness & training – what do you do to raise awareness and teach people about managing their digital risk exposure?

• See appendix for full framework

1020 2 , @ .

09 01 09 0 A 1 2 2 0 2

Page 11: Metrics for Organizational Cybersecurity Practices

Lessons learned + recommendations

Cognitive testing and pilot yielded insights

1. Further reduce number of indicators2. Simplify language3. Move toward maturity model4. Better assess the ‘depth’ of practices

1120 2 , @ .

09 01 09 0 A 1 2 2 0 2

Page 12: Metrics for Organizational Cybersecurity Practices

ANNEXES

12

Page 13: Metrics for Organizational Cybersecurity Practices

The full framework (1)

13

Module/Indicator

Description

A DEMOGRAPHICSA1 Proportion of enterprises by geographic locationA2 Proportion of enterprises by sizeA3 Proportion of enterprises by economic activityA4 Proportion of enterprises by turnoverA5 Proportion of enterprises by digital intensityB DIGITAL SECURITY RISK GOVERNANCEB1 Proportion of enterprises that have responsibilities for digital security risk

allocated to a specific role within the organisation B2 Proportion of enterprises that have a policy in place to manage digital

security riskB3 Proportion of enterprises that have a process in place to monitor and

review digital security risk management B4 Proportion of enterprises that had structures or processes in place to

enable cooperation and for reporting on digital security risk management within the enterprise

Page 14: Metrics for Organizational Cybersecurity Practices

The full framework (2)

14

Module/Indicator

Description

C DIGITAL SECURITY RISK ASSESSMENT PRACTICESC1 Proportion of enterprises that assess digital security risk as part of the overall enterprise risk

management C2 Proportion of enterprises that regularly take specific actions as part of the digital security risk

assessment

D DIGITAL SECURITY RISK REDUCTION PRACTICESD1 Proportion of enterprises that took risk reduction measuresD2 Proportion of enterprises that share information on threats, vulnerability, incidents and risk

management practices or security measures

C DIGITAL SECURITY RISK ASSESSMENT PRACTICESC1 Proportion of enterprises that assess digital security risk as part of the overall enterprise risk

management

C2 Proportion of enterprises that regularly take specific actions as part of the digital security risk assessment

Page 15: Metrics for Organizational Cybersecurity Practices

The full framework (3)

15

Module/Indicator

Description

E DIGITAL SECURITY RISK TRANSFER PRACTICESE1 Proportion of enterprises that use insurance to transfer digital security risk

E2 Proportion of enterprises that did not purchase an insurance policy, by reason for non-adoption

E3 Proportion of enterprises that transfer digital security risks through an insurance policy, by type of risks transferred

E4 Proportion of enterprises that adopt other risk transfer practices

F DIGITAL SECURITY RISK MANAGEMENT AWARENESS AND TRAINING

F1 Proportion of enterprises that adopted awareness-raising and training practices on digital security risk management


Organizational Change Through Metrics - PMIH · Implement Agile Practices • Defined Agile Development Process Communities • Established Agile Center of Excellence • Established

Metrics for Organizational Life · 2018. 4. 1. · 16 Classifications: The 4 Types of Metrics Static Metrics This classification provides a snapshot of the overall health, and available

,./,t - Amazon S3...metrics together provide a more comprehensive picture of an agency’s cybersecurity performance. CIO and IG Reporting: OMB and DHS will use both sets of metrics

Annual Report 2016 - Theatre Ontario · Theatre Ontario Annual Report for 2016 7 ORGANIZATIONAL SCORECARD 2016 The Organizational Scorecard shows metrics on the outputs of Theatre

HR & Organizational Development Metrics - CUNA

Expert assessment of organizational cybersecurity programs ...€¦ · be the first step in increasing employee cybersecurity-related knowledge, promoting security-conscious decision-making,

Information Technology Cybersecurity Dashboard on a ... · Cybersecurity Dashboard on a Shoestring Budget May 16, 2017. Metrics Quote "Most consumers don't have a good metric for

National Infrastructure Advisory Council NATIONAL ... · 17/09/2013  · Metrics for Measuring Efficient Effectiveness of Critical infrastructure Cybersecurity Information Sharing

Using Security Metrics to Drive Action · Using Security Metrics to Drive Action ... Today’s cybersecurity challenges are more complex than ever ... he states. “They have to be

Extending CMMI Level 4/5 Organizational Metrics Beyond ... · 5 Major Pitfalls 1. Getting the cart before the horse - business needs not driving metrics definition 2. ... development

The State of Cybersecurity and Digital Trust 2016...not on technology state-of-the-art, but instead on state-of-the-art cybersecurity as an organizational mindset—one that continually

Metrics for Mitigating Cybersecurity Threats to Networks · Metrics for Mitigating Cybersecurity Threats intelligence or intellectual property, loss of repu-tation, and share-price

Developing Metrics to Evaluate HRs Contribution to the Achievement of Organizational Goals

FISMA Cybersecurity Performance Metrics and Scoring Moses_DOT... · Metrics and Scoring ... Identify – Develop the organizational understanding to manage cybersecurity risk to

National Center for Advancing Translational Sciences - HN9 Functional Statements.pdfinformation technology cybersecurity efforts around various functional areas; (3) develops the organizational

BENCHMARKING - Supply Chain Insightssupplychaininsights.com/wp-content/uploads/...4Benchmarking_Flyer… · satisfaction, performance on supply chain financial metrics, and organizational

Testimony on “Cybersecurity: Risks ... - … Testimony 5-24...introduce cutting-edge technologies need to infuse cybersecurity risk management practices ... talent and organizational

PROTECT ORGANIZATIONAL RESILIENCE CYBERSECURITY … · CYBERSECURITY SERVICES Managing cyber risk to protect your business PROTECT ORGANIZATIONAL RESILIENCE .COM Mazars USA LLP is

Comparative Analysis of Cybersecurity Metrics to …web.mit.edu/smadnick/www/wp/2011-08.pdf · Comparative Analysis of Cybersecurity Metrics to ... This report aims to provide an

CYBERSECURITY ORGANIZATIONAL STRUCTURE & GOVERNANCE€¦ · A frequent question, along with the most effective organizational structure, is what supporting processes and technologies

Organizational Metrics

Cybersecurity Innovation for Cyberinfrastructure (CICI) individual can participate as PI, ... Network-connected remote or local ... collection of quantitative security-related metrics

The Misura Internet Project - ITU · 3 of 29 Outline Silvio De Nicola –New metrics for broadband and cybersecurity: The Misura Internet Project 1.Different metrics: a digital Tower

Linking Process and Performance Metrics Connecting process improvements to organizational performance gains

Metrics for Mitigating Cybersecurity Threats to …dtipper/3350/Paper3.pdf · JANUARY/FEBRUARY 2010 65 Metrics for Mitigating Cybersecurity Threats intelligence or intellectual property,

Economic Incentives & Metrics of Cybersecurity › class › msande91si › slides › lecture...2 What’s an Economic Incentive? •Economics –Buzzword: Rational Actor –Utility

Metrics for Measuring the Efficacy of Critical-Infrastructure-Centric Cybersecurity Information

Metrics and Key Performance Indicators for Robotic ...nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8177.pdf · NISTIR 8177 . Metrics and Key Performance . Indicators for Robotic Cybersecurity

Butterflies, Black Swans, and Beautiful Security …...Butterflies, Black Swans, and Beautiful Security Metrics Curtis Coleman Visiting Assistant Professor Cybersecurity Program Director

Locating Optimal Destabilization Strategies · • Network and node metrics are based on the social network analysis of the input organizational structure • Metrics are responsible

The Seven Cybersecurity Misconceptions Every CIO Should …...5% 65% 5% 62% 4% 58% 6% 57% 6% 55% 8% Figure 1: Organizational collaboration in addressing security concerns 1 Once cybersecurity

Where to start implementing organizational cybersecurity

INTERACT FOR IMPACT: Adding Strategic Value with HR …...HR METRICS •Link HR metrics to organizational strategy and departmental and organizational goals •Leadership’s objectives

Measuring Security Tevans/pubs/sos2011/... · computer security: metrics. Cybersecurity Metrics Despite Lord Kelvin’s oft-repeated maxim that you can’t really claim to understand

Systems Engineering Metrics: Organizational Complexity€¦ · Systems Engineering Metrics: Organizational Complexity and Product Quality Modeling 1.o Introduction The field of Systems