May 14, 2017
The OECD has invited the CSISAC to take part in the OECD Expert Workshop on Improving the Measurement of Digital Security Risk Incidents and Risk Management, to be held at the Swiss Re Centre for Global Dialogue, Zurich (Switzerland).
While the frequency and severity of digital security incidents have grown, our ability to measure, analyse, understand and manage them efficiently has not kept pace. A long-standing problem is the lack of consensus on definitions, typologies and taxonomy, as well as a paucity of historical data on "digital security incidents, threats and vulnerabilities". The lack of data-sharing on such incidents, and the resulting challenges in quantifying exposure to digital security risk, have been an important impediment to the development of the cyber insurance market (among other
The development of a more reliable and comprehensive data set on digital security incidents and digital risk management practice would likely require:
- consensus on typology and taxonomy;
- a trusted public-private digital security incident repository;
- incentives (e.g., mandatory notification requirements) to promote reporting of incidents and data sharing by organisations.
At the workshop, held under the Chatham House Rule, different experts shared their expertise on the topic, contributing to a better understanding of the scarcity of data and of statistical models capable of assessing digital security incident risk.
The potential un-insurability of digitalisation, and the insufficient characterisation of potential incidents, were illustrated by the case of the diffusion of the EternalBlue-based ransomware, indicating the need to assess the role of issues such as mass surveillance or the militarisation of cyberspace, in addition to those linked to the spread of software monocultures and the vulnerabilities derived from a commercially oriented intellectual property framework for algorithms.
Finally, two approaches have been proposed to address these difficulties and the need for further collaboration between data sources: the first, based on a shared repository, and the second, based on standards to ensure consistency in the collection and comparability of the data.