Researchers Produce First Statistical Evidence that Certain Cyber Practices Can Reduce Specific Breaches
With cyberattacks on U.S. companies and customers proliferating in 2017, Supply Chain Management Center researchers at the University of Maryland’s Robert H. Smith School of Business have developed and effectively tested a process for organizations across all industries — for the first time — to self-assess their cybersecurity needs and vulnerabilities.
The new formula — announced this week by the National Institute of Standards and Technology (NIST) — emanates from an online analysis of 153 companies, via UMD-Smith’s Cyber Risk Management Portal. The timing coincided with a report by the Identity Theft Resource Center (ITRC), a partner in the research, that U.S. organizations in 2017 had 1,140 breaches that in total exposed more than 171 million data records.
The researchers recently presented (video) the work behind this cyber-risk analytics breakthrough at the headquarters of NIST, which co-sponsored the two-year study along with the General Services Administration.
“There are many cybersecurity guidelines and practices out there, but empirical evidence about what’s actually effective in practice has been scarce,” says NIST Manager for Security Engineering and Risk Management Jon Boyens. “This is the first time such evidence has been gained.”
The results “will be foundational to the further development of predictive analytics that will be critical to the insurance industry, as well as to risk managers and practitioners of cybersecurity,” adds Gerry Kane, cybersecurity segment director for risk engineering at Zurich Services Corp. “Zurich is very grateful to have had the opportunity to participate in this significant project,” he says.
Kane was among experts from the likes of Beecher Carlson, ITRC and NIST’s Information Technology Lab, who collaborated with the UMD researchers, utilizing the aforementioned portal, which won the IEEE (Institute of Electrical and Electronics Engineers) Cybersecurity Award for Practice for 2017.
“Our team developed an in-depth, automated self-audit tool used by the participants, fully based on NIST’s Cybersecurity Framework. As an output, the tool included a rich visualization displaying an array of cybersecurity measures and indicating the extent to which these measures have or have not been implemented by the survey participants,” says research professor and Supply Chain Management Center co-director Sandor Boyson. “We then compared the performance profiles of our respondent organizations with their cyber breach profiles over the three-year (2014-2017) period.”
Smith professor Thomas M. Corsi, co-director of the Supply Chain Management Center, says “cross-referencing four cyber breach databases enabled the researchers to create a comprehensive picture of the breach activity of our respondent organizations.” Then, through econometric modeling, “we could assess the efficacy of respondents’ specific cybersecurity policies and actions in reducing both the total number and specific types of cyber breaches.”
These specific types of breaches were characterized by the researchers as “technical exploits,” i.e., hacking; “deficient access controls,” i.e., inadequate oversight of user permissions; “behavioral vulnerabilities,” i.e., phishing; and “theft,” involving unauthorized contacts/disclosures and data collections. For example, the researchers found that a statistically significant factor in limiting behavioral vulnerability breaches was strong integration between the chief executive officer and the IT security team. “A strong CEO sets the tone for the whole organization, thus making all corporate IT users more aware of the cybersecurity mandate,” says Boyson.
Also conducting the study, from UMD, with Boyson and Corsi: Smith School Chief Information Officer Holly Mann, PhD student (now Miami University of Ohio Assistant Professor) John Patrick Paraskevas and Research Fellow Hart Rossman.
Boyson says study respondents can take away valuable insights from their performance and cybersecurity profiles and better target where they need to bolster cyber defenses. “We hope the results of our econometric model help lay the groundwork for cyber-risk predictive analytics,” he adds. “All companies can ultimately benefit from an evidence-based set of cybersecurity practices that have compelling operational effectiveness against specific breaches and attacks.”
“In the future, companies will demand more assurance of effectiveness for their investments in cybersecurity solutions,” Boyson adds. “Think of the company in this case as a well-informed patient who will pay for and use in confidence a clinically-tested product.”