Understanding Cybersecurity

Risk Management, May 2006, by Davis, Lois; Anderson, Robert; Steinberg, Paul

Hardly a day goes by when we do not hear about some kind of cyber attack on a business. Anecdotes abound about businesses hit by hackers, viruses and worms, as well as cases where people within companies use computers to carry out crimes, like embezzlement or information theft. The problem with anecdotes is that they tell us we have a problem but not how pervasive the problem is, how vulnerable specific businesses are, or how much such incidents cost businesses in dollars and downtime.

Businesses take precautions to protect their computer systems from the risk of attack, but when businesses make cybersecurity plans based on anecdotes and the "sky is falling" mentality that such media coverage engenders, how effective will their plans be? A recent General Accounting Office (GAO) study puts it even more succinctly: "One of the roadblocks to understanding the importance of cybersecurity is the lack of solid information on the scope and scale of cyber vulnerabilities and the consequences of cyber attacks." Such solid information is critical not only to the businesses in the trenches, but also to policymakers at all levels who must craft policy that cuts across businesses and government.

Not surprisingly, the best way to get the "perspective" the GAO calls for is to survey businesses on a national level. That said, not all surveys are created equal. To be truly valuable, a national computer security survey must be representative of the nation's businesses and industries so we can talk about the population of U.S. businesses as a whole. It must also have a large enough sample size to allow us to paint a reliable picture of the effects of cybersecurity incidents on businesses. And response rates must be high enough so results can be generalized.

While several national computer security surveys have been conducted in recent years, all have problems related to representativeness, sample size and response rate that minimize the value and usefulness of their findings. But a new survey, the Department of Justice/Department of Homeland Security National Computer Security Survey (NCSS), should go a long way in helping both businesses and policymakers get their heads around the scope and nature of the nation's cybersecurity problem. Sponsored by the DOJ and DHS, the NCSS, which began fielding this spring, will survey more than 25,000 businesses representing the 5.3 million businesses with paid employees in the country. Just as important, it will cover all industry sectors, concentrating its effort especially on those sectors that comprise the nation's critical infrastructure and whose compromise could pose the gravest risk to the nation's security.

Because of its breadth and sample size, the NCSS will yield a level of detail that will enable businesses and government agencies, for the first time, to make informed decisions and develop policies that effectively target resources in the area of cybersecurity based on nationally and industry-sector representative data.

With data from the NCSS, we should be able to answer some of the critical questions that both businesses and policymakers want answered. How much money do companies in different industry sectors lose because of computer security incidents? Do the cost and severity of computer security incidents decrease as the number of security technologies used increases? What are the most frequently occurring computer security incidents for companies by industry sector? What technologies are companies using to protect themselves from computer security incidents?

The fact that computers are so pervasive in our business and personal lives and so central to how we function in both spheres makes the need to protect them from attack all the more critical. But we must go beyond the reactive mindset we now have. The continuing use of patches to address individual problems or attacks will only leave us with an image of plugging holes in the dike. Getting good-quality, national-level data, on the other hand, should help us begin to address the dike itself.

Lois Davis, Ph.D. and Robert Anderson, Ph.D. are co-leading the effort to field the NCSS at RAND. Davis is a senior policy researcher with extensive experience in conducting national surveys in the areas of homeland security and public safety. Anderson is a senior computer scientist conducting research on security and safety issues in cyberspace and on the societal impacts of the continuing information revolution. Paul Steinberg, Ph.D. is a senior research communicator at RAND.

Copyright Risk Management Society Publishing, Inc. May 2006
Provided by ProQuest Information and Learning Company. All rights reserved.