Speaker: Adam Bobrow
Abstract: Risk-based cybersecurity decision-making requires a standardized measurement system that allows meaningful comparisons of risk among different organizations and across industries. Even in the few organizations that make the effort to build metrics based on cyber risk, those metrics apply only to the organization for which they were developed and cannot be compared with anyone else's. Organizations need to be able to measure cyber risk as consistently as they already measure risk in many other disciplines.
Changing the status quo to enable meaningful organizational cybersecurity decision-making requires that the U.S. federal government play the role of honest broker and facilitate the development of a more quantitative approach to cybersecurity, including by:
- Collecting broad-based data about past incidents and releasing anonymized data sets derived from incident reports, which the private sector can use to build tools that help organizations build cybersecurity capacity,
- Developing actuarial models that project the impact and likelihood of future incidents in quantitative terms, and
- Facilitating the creation of metrics to enable concrete comparisons within and among a diversity of organizations.