HCSS in the media

Assessing Cyber Security

April 23rd 2015 - 10:45

Over the years, a plethora of reports has emerged that assess the causes, dynamics, and effects of cyber threats. This proliferation of reports is an important sign of the increasing prominence of cyber attacks for organizations, both public and private, and citizens all over the world. Such efforts promote awareness and understanding of cyber threats and pave the way to improved prevention, mitigation, and resilience. HCSS’ Assessing Cyber Security report aims to help in this task by assessing what we know about cyber security threats based on 70 studies published by public authorities, companies, and research organizations from 15 countries over the last few years. It answers the following questions: what do we know about the number, origin and impact of cyber attacks? What are the current and emerging cyber security trends? And how well are we prepared to face these threats?

Our meta-analysis of five rankings of cyber security at the national level indicates that the Netherlands, UK, and the US are best prepared and protected compared to other countries. At the same time, registered cyber attacks and incurred costs are on the rise in these countries, which host many valuable targets. Most attacks are categorized as cyber crime, and although we do not know the identity of perpetrators, a sizeable number of attacks come from ‘insiders’, such as current and former employees (between 6 and 28%, according to four reports). Several reports note that most attacks use IP addresses in the US and China, although the picture differs per type of attack: one report notes that most cyber crime attacks are launched from US computers, while another points to Chinese IP addresses as being used most often in espionage attacks.

Our study notes that, although there is clearly no shortage of reports on cyber threats, the definitions and methods used make results difficult to compare. If we want to provide a more encompassing and comparable assessment of cyber threats, and create greater awareness thereof, we should develop shared, commonly agreed definitions, metrics, and reporting standards to enhance threat assessments. This will guide more targeted investments in cyber security, at both the company and government level. In addition, we should consider setting up a mechanism to harmonize the collection and reporting of cyber statistics.

The report can be downloaded here.