Presentation is loading. Please wait.

Presentation is loading. Please wait.

Metrics for Organizational Cybersecurity Practices

Published byHamdani Susanto Modified over 5 years ago

Similar presentations

Presentation on theme: "Metrics for Organizational Cybersecurity Practices"— Presentation transcript:

1 Metrics for Organizational Cybersecurity Practices
Benjamin C. Dean Consultant to OECD Secretariat Metricon X Stevens Institute of Technology Hoboken, NJ, USA March 22, 2019

2 Agenda The problem OECD project overview Framework
Lessons + recommendations Q&A Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean |

3 The Problem: unanswerable questions
Cybercrimes against businesses, US Dept. of Justice, 2005

4 The Problem: laundry lists
ABACUS survey, Australia, 2009

5 The Problem: not technically informed
Survey on information security in businesses, Korea, 2015 Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean |

6 The Problem: poorly worded concepts
Community survey on ICT usage and e-commerce in enterprises, Eurostat, 2019 Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean |

7 Project overview Goals: Establish a measurement framework of digital security risk management practices Make it: Conceptually clear Succinct Organisational – not technical Focus on what is done i.e. practices Relevant to policymakers Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean |

8 Project overview Timeline: 2-year project
Audience: policymakers, national statistical offices, insurers Final report (soon to be published): Section 1: methodological issues Section 2: the measurement framework Section 3: pilot results Recommendations Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean |

9 Framework built on OECD principles

10 Cognitive testing & Pilot
Survey instrument with six modules & eighteen indicators Uses OECD “model survey” framework Cognitive testing in Brazil: Jan – Apr 2018 Pilot testing with FERMA: Jun – Sept 2018 Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean |

11 Industries to which the respondent enterprises belong
A DEMOGRAPHICS A1 Geographic location A2 Size A3 Economic activity A4 Turnover A5 Digital intensity Size of respondent enterprises, by headcount Size class Number of responses Percentage of total Under 10 1 10 to 49 3 4 50 to 249 5 250 to 499 6 500 to 999 8 1000 to 2499 32 40 2500 to 4999 5000 to 9999 10000 or more 18 23 Total 80 Industries to which the respondent enterprises belong Manufacturing: 24% Financial and insurance: 16% Transportation & storage: 13%

12 Who is in charge of managing digital security risk of the enterprise?
B DIGITAL SECURITY RISK GOVERNANCE B1 Responsibilities for digital security risk allocated to a specific role within the organisation B2 Policy in place to manage digital security risk B3 Process in place to monitor and review digital security risk management B4 Structures or processes in place to enable cooperation and for reporting on digital security risk management within the enterprise Who is in charge of managing digital security risk of the enterprise? N = 80

13 C DIGITAL SECURITY RISK ASSESSMENT PRACTICES C1 Assess digital security risk as part of the overall enterprise risk management C2 Regularly take specific actions as part of the digital security risk assessment Who carries out the following activities as part of digital security risk assessment for your enterprise? N = 80

14 D DIGITAL SECURITY RISK REDUCTION PRACTICES D1 Took risk reduction measures D2 Share information on threats, vulnerability, incidents and risk management practices or security measures Do you share information on digital security threats, vulnerability, incidents and risk management practices or security measures? N = 80

15 E DIGITAL SECURITY RISK TRANSFER PRACTICES E1 Use insurance to transfer digital security risk E2 Did not purchase an insurance policy, by reason for non-adoption E3 Transfer digital security risks through an insurance policy, by type of risks transferred E4 Adopt other risk transfer practices Which of the following risks are covered through your insurance policy/policies? N = 44

16 F DIGITAL SECURITY RISK MANAGEMENT AWARENESS AND TRAINING F1 Adopted awareness-raising and training practices on digital security risk management Over the past year did your enterprise perform any of the following practices? N = 80

17 Lessons learned + recommendations
Cognitive testing and pilot yielded insights Further reduce number of indicators Simplify language Move toward maturity model Better assess the ‘depth’ of practices Metricon X 22 March 2019, New Jersey, USA Benjamin C. Dean @benjamindean |

Download ppt "Metrics for Organizational Cybersecurity Practices"

Similar presentations

1 Establishing Performance Indicators in Support of The Illinois Commitment Presented to the Illinois Board of Higher Education December 11, 2001.

1 Establishing Performance Indicators in Support of The Illinois Commitment Presented to the Illinois Board of Higher Education December 11, 2001.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Workshops for implementing the Strategic Plan for Biodiversity through the National Biodiversity Strategies and Action Plans Module 2 The Biodiversity.

Workshops for implementing the Strategic Plan for Biodiversity through the National Biodiversity Strategies and Action Plans Module 2 The Biodiversity.
26 June 2003Aarno Airaksinen DEVELOPING A SURVEY TOOL ON IMPACTS OF ICT USAGE IN ENTERPRISES NESIS WORK PACKAGE 5.4 NESIS workshop.

26 June 2003Aarno Airaksinen DEVELOPING A SURVEY TOOL ON IMPACTS OF ICT USAGE IN ENTERPRISES NESIS WORK PACKAGE 5.4 NESIS workshop.
NCHRP 20-59 (48) 2014 TRB ANNUAL MEETING Effective Practices for the Protection of Transportation Infrastructure from Cyber Incidents Dave Fletcher, Co-PI.

NCHRP (48) 2014 TRB ANNUAL MEETING Effective Practices for the Protection of Transportation Infrastructure from Cyber Incidents Dave Fletcher, Co-PI.
Key National Indicators and Supreme Audit Institutions: U.S. and INTOSAI Perspectives Bernice Steinhardt Director, Strategic Issues U.S. Government Accountability.

Key National Indicators and Supreme Audit Institutions: U.S. and INTOSAI Perspectives Bernice Steinhardt Director, Strategic Issues U.S. Government Accountability.
EU-Regional Policy and Cohesion Structural Funds and Accession 1 SPP BUILDING IMPLEMENTATION CAPACITY Training seminar on evaluation Prague 26-27 February.

EU-Regional Policy and Cohesion Structural Funds and Accession 1 SPP BUILDING IMPLEMENTATION CAPACITY Training seminar on evaluation Prague February.
Key Elements of Legislation For Disaster Risk Reduction Second Meeting of Asian Advisory Group of Parliamentarians for DRR 5-7 February, 2014, Vientiane,

Key Elements of Legislation For Disaster Risk Reduction Second Meeting of Asian Advisory Group of Parliamentarians for DRR 5-7 February, 2014, Vientiane,
Assessing The Development Needs of the Statistical System NSDS Workshop, Trinidad and Tobago, July 27-29, 2009 Presented by Barbados.

Assessing The Development Needs of the Statistical System NSDS Workshop, Trinidad and Tobago, July 27-29, 2009 Presented by Barbados.
Using OMB Section 508 reporting in addressing your agency's program maturity. How to Measure Your Agency's 508 Program.

Using OMB Section 508 reporting in addressing your agency's program maturity. How to Measure Your Agency's 508 Program.
United Nations Oslo City Group on Energy Statistics OG7, Helsinki, Finland October 2012 ESCM Chapter 8: Data Quality and Meta Data 1.

United Nations Oslo City Group on Energy Statistics OG7, Helsinki, Finland October 2012 ESCM Chapter 8: Data Quality and Meta Data 1.
2 What conceptual framework should we use? How should the studies be carried out? How do we select the countries and is the timetable feasible?

2 What conceptual framework should we use? How should the studies be carried out? How do we select the countries and is the timetable feasible?
High level seminar on the implementation of the System of National Accounts 2008 in the GCC countries Muscat, Oman, 27 May 2010 United Nations Statistics.

High level seminar on the implementation of the System of National Accounts 2008 in the GCC countries Muscat, Oman, 27 May 2010 United Nations Statistics.
Implementation of Insurance Core Principles and FSAP Evaluations The Portuguese FSAP experience Gabriel Bernardino Instituto de Seguros de Portugal.

Implementation of Insurance Core Principles and FSAP Evaluations The Portuguese FSAP experience Gabriel Bernardino Instituto de Seguros de Portugal.
EU Cybersecurity Strategy and Proposal for Directive on network and information security (NIS) {JOIN(2013) 1 final} {COM(2013) 48 final} Digital Enlightenment.

EU Cybersecurity Strategy and Proposal for Directive on network and information security (NIS) {JOIN(2013) 1 final} {COM(2013) 48 final} Digital Enlightenment.
Research Activities in Response to IPCC TAR John Christensen UNEP.

Research Activities in Response to IPCC TAR John Christensen UNEP.
Capacity Building for the implementation of the Cartagena Protocol on Biosafety by the German Development Co-operation: German Federal Ministry for Economic.

Capacity Building for the implementation of the Cartagena Protocol on Biosafety by the German Development Co-operation: German Federal Ministry for Economic.
Module 2 National IEA Process Design and Organization Stakeholder’s consultative workshop/ Training on Integrated assessments methodology ECONOMIC VALUATION.

Module 2 National IEA Process Design and Organization Stakeholder’s consultative workshop/ Training on Integrated assessments methodology ECONOMIC VALUATION.
The elaboration of the 2020-2023 ITU STRATEGIC and financial PLANs Doreen Bogdan Martin Chief, Strategic Planning & Membership Dept., ITU April 19,

The elaboration of the ITU STRATEGIC and financial PLANs Doreen Bogdan Martin Chief, Strategic Planning & Membership Dept., ITU April 19,
INSPIRE and the role of Spatial Data Interest Communities (SDIC)

INSPIRE and the role of Spatial Data Interest Communities (SDIC)

Similar presentations

Ads by Google