Abstract

Fear, Uncertainty and Doubt (FUD) has become a staple in the cyber-attack measurement and reporting diet. Be it sensationalist and hyperbole-filled language, or the lack of any meaningful and consistent measurement methodology, the end result is the same: zero clarity concerning an already complex subject matter that serves to continue rather than counter the cyber-crime threat. The public discussion (via media reports) and business insight (through myriad methodologies of mis-measurement) need to be better framed if we are to truly confront the growing problem of cyber-crime. Who the criminals were is of less import than how they got in; compromise indicators are more valuable to other businesses than the financial cost to that particular victim. The measurement metric dial has moved too far towards attribution and needs to be reset to prevention and a business-based analysis of risk once more. The data upon which threat intelligence and attack surface trend analysis resources are based must become more granular if it is to be more relevant across all business sectors. If we continue to go down the road of never disclosing or identifying the security components that failed or the components that were not in place when a breach happened, we will never make any progress against an elusive enemy. Frederick the Great of Prussia said it best when he declared, “he who defends everything, defends nothing”. We need data on how to defend and this is only derived from an open sharing of relevant and accurate attack information without fear of punitive litigation.
