Metrics for Organizational Cybersecurity Practices


Metrics for Organizational Cybersecurity Practices
Benjamin C. Dean, Consultant to OECD Secretariat
Metricon X, Stevens Institute of Technology, Hoboken, NJ, USA, March 22, 2019

Agenda
- The problem
- OECD project overview
- Framework
- Lessons + recommendations
- Q&A
Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean | ben@iconoclast.tech

The Problem: unanswerable questions
Example: Cybercrimes against businesses, US Dept. of Justice, 2005

The Problem: laundry lists
Example: ABACUS survey, Australia, 2009

The Problem: not technically informed
Example: Survey on information security in businesses, Korea, 2015

The Problem: poorly worded concepts
Example: Community survey on ICT usage and e-commerce in enterprises, Eurostat, 2019

Project overview
Goal: establish a measurement framework of digital security risk management practices. Make it:
- Conceptually clear
- Succinct
- Organisational, not technical
- Focused on what is done, i.e. practices
- Relevant to policymakers

Project overview
Timeline: 2-year project
Audience: policymakers, national statistical offices, insurers
Final report (soon to be published):
- Section 1: methodological issues
- Section 2: the measurement framework
- Section 3: pilot results
- Recommendations

Framework built on OECD principles

Cognitive testing & pilot
- Survey instrument with six modules (A to F below) and eighteen indicators
- Uses the OECD "model survey" framework
- Cognitive testing in Brazil: Jan – Apr 2018
- Pilot testing with FERMA: Jun – Sept 2018

A. DEMOGRAPHICS
A1 Geographic location
A2 Size
A3 Economic activity
A4 Turnover
A5 Digital intensity

Size of respondent enterprises, by headcount (N = 80)

Size class       Responses   % of total
Under 10                 1            1
10 to 49                 3            4
50 to 249                5            6
250 to 499               6            8
500 to 999               8           10
1000 to 2499            32           40
2500 to 4999             -            -
5000 to 9999             -            -
10000 or more           18           23
Total                   80          100

(Percentages for the 50 to 249, 250 to 499 and 500 to 999 rows are computed from the counts and N = 80. The counts for the 2500 to 4999 and 5000 to 9999 rows are not legible in the transcript and are left blank; together they account for the remaining 7 responses.)

Industries to which the respondent enterprises belong (top three): Manufacturing 24%; Financial and insurance 16%; Transportation & storage 13%.

B. DIGITAL SECURITY RISK GOVERNANCE
B1 Responsibilities for digital security risk allocated to a specific role within the organisation
B2 Policy in place to manage digital security risk
B3 Process in place to monitor and review digital security risk management
B4 Structures or processes in place to enable cooperation and reporting on digital security risk management within the enterprise

[Chart: Who is in charge of managing digital security risk of the enterprise? N = 80]

C. DIGITAL SECURITY RISK ASSESSMENT PRACTICES
C1 Assess digital security risk as part of overall enterprise risk management
C2 Regularly take specific actions as part of the digital security risk assessment

[Chart: Who carries out the following activities as part of digital security risk assessment for your enterprise? N = 80]

D. DIGITAL SECURITY RISK REDUCTION PRACTICES
D1 Took risk reduction measures
D2 Share information on threats, vulnerabilities, incidents and risk management practices or security measures

[Chart: Do you share information on digital security threats, vulnerabilities, incidents and risk management practices or security measures? N = 80]

E. DIGITAL SECURITY RISK TRANSFER PRACTICES
E1 Use insurance to transfer digital security risk
E2 Did not purchase an insurance policy, by reason for non-adoption
E3 Transfer digital security risks through an insurance policy, by type of risks transferred
E4 Adopt other risk transfer practices

[Chart: Which of the following risks are covered through your insurance policy/policies? N = 44, i.e. only the respondents holding a policy]

F. DIGITAL SECURITY RISK MANAGEMENT AWARENESS AND TRAINING
F1 Adopted awareness-raising and training practices on digital security risk management

[Chart: Over the past year, did your enterprise perform any of the following practices? N = 80]

Lessons learned + recommendations
Cognitive testing and the pilot yielded the following insights:
- Further reduce the number of indicators
- Simplify language
- Move toward a maturity model
- Better assess the 'depth' of practices