ICSThe first annual Index of Cyber Security finds that senior security officers are more concerned than at this time last year about the risk of cyber attack and other online risks, with concerns about ideologically-motivated hacktivists and the threats posed by business partners and other “counter parties” topping the list.

The index finished the year at 1292, up almost 30 percent from the baseline value of 1,000 established when the index launched in April, 2011.* The perception of cyber risk increased consistently throughout the year, despite wide swings in the perception of specific types of threats from month to month, according to a report by the index’s proprietors: Dan Geer of In-Q-Tel and Mukul Pareek of Strativis LLC.

The index is compiled from regular surveys of top IT security professionals. It attempts to measure respondents’ perception of threats and risk over the course of the year, then distill those reports into a number – the index. The idea is to try to chart the advance or retreat of the broad perception of cyber risk from those closest to the problem, according to the first annual report, which was published online.

In a year in which stories about attacks by the ideologically motivated hacking group Anonymous made headlines, concerns about politically and ideologically motivated hackers was the biggest contributor to the rise in the Index, along with concerns about so-called “counter-party risk” – the danger posed by business partners and third party contractors, according to the report.

That said, respondents’ perception of risk varied greatly from month to month, with little consistency, even as the baseline perception of threats across the population of responders steadily increased. The variation makes it difficult to make a clear connection between a particular type of threat and the perception of online risk, the authors point out. Instead, the index reveals the constantly flowing nature of what might be termed “cyber fear.” That constantly changing focus could reveal the influence of the media and news reports about threats on the perception of risk.

Created a year ago, the Index is a measure only of “sentiment” among an influential population: CSOs and other security leaders in both the private and public sector. Participants are asked to respond to questions like “compared to the previous month, the unmitigated threat to you from malware is:” and “compared to the previous month, the probability that you are a plausible targete for nation-state actors is:”.

The idea was to take the temperature of those who are in the trenches with cyber security in order to understand what the actual level of threat and concern were, said Dan Geer, a co-founder of the Index, in an e-mail to Threatpost.

Going forward, the group will be introducing new questions about specific risks (criminals vs. hacktivists vs. nation-state actors). Organizers would also like to develop a means of gauging cyber “fear” going forward, rather than looking back – akin to the Chicago Board Options Exchanges Market Volatility Index (or “Fear Index”). 

(*)This story was corrected to reflect the actual percentage increase for the index over the past 12 months.  – PFR 5/16/2012

Categories: Critical Infrastructure, Government, Hacks, Malware, Vulnerabilities, Web Security