Getting reliable data

At the National Cyber Leap Year Summit last week, the thing that the cyber-economics working group thought was most important was how to deal with the current lack of reliable data about information security. Right now, there’s really no reliable data on the frequency of security incidents, the effects of security incidents, the effectiveness of security technologies at mitigating risks, and so on. Without accurate data, it’s hard to determine the best way to defend against both existing and future threats, and the cyber-economics working group spent a significant amount of time talking about ways to ensure that better data is available.

Unfortunately, this particular working group had almost no representation from industry, so the most favored solutions weren’t ones that for-profit businesses would tend to favor. Instead, solutions like government-mandated reporting of security incidents and their effects were popular.

I hope that the government finds a way to collect more data about the nature of security incidents, but I also hope that they avoid any type of mandatory reporting. If they really feel that mandatory reporting is the best way to proceed, they should try it at government agencies first. If they can find a way to create a workable system of mandatory reporting there, then they might want to consider extending it to the people for whom time is actually money.

Until then, they should rely on other ways to gather data. I don’t see any reason why a sampling of incident data isn’t almost as useful as all of the incident data, for example, and you can collect a sampling of incident data through surveys. Several thousand surveys are almost certainly less of a burden on American business than several million mandatory reports, and will probably give data that’s just as useful.

We definitely need more and more accurate information about the nature of information security incidents. But because we also don’t want to make gathering the data more damaging than the security incidents themselves, the government should be careful about requiring too much information from businesses.

