This is the fifth and final post in a series about particular proposals in the recent US cybersecurity report.

Action Item 1.4.1 suggests that “NIST, in coordination with the NCP (National Cybersecurity Public-Private Program), should establish a Cybersecurity Framework Metrics Working Group to develop industry-led, consensus-based metrics.” These metrics could then be used in a number of ways:

  • Private companies could use the metrics to “voluntarily assess relative corporate risk,”
  • the Department of Treasury and insurers could use the metrics to “understand insurance coverage needs and standardize premiums,” and
  • the Department of Homeland Security could use the metrics to “implement a nationwide voluntary incident reporting program for identifying cybersecurity gaps.”

In other words, this is an attempt to finally put numbers on cybersecurity risk!

If undertaken, this would be a significant step in the realm of cybersecurity. Just a couple of weeks ago, we wrote about the promises and challenges of quantifying cybersecurity risk. As my colleague explained, there are good reasons to try: The report identifies uses like assessing one’s own risk, pricing insurance, and identifying cybersecurity gaps. But don’t forget others—pricing target companies in M&A transactions, valuing potential investments, submitting information to regulators, measuring the efficacy of countermeasures… and more.

There are challenges, too. First, risk is a function of both likelihood and impact, and quantifying impact will, in many cases, mean quantifying the value of data. That is a challenge in itself. How do you make sure your methods reliably reflect the nuances of different businesses so that, for example, you don’t treat social media credentials as having the same value as bank account credentials? Second, quantifying likelihood means crunching numbers on how often incidents actually occur, but where do you get the numbers? The perennial suggestion is a centralized, government-sponsored database to which private companies contribute. But will companies really be willing to submit their incident data to a central program? What about the privacy rights of data subjects whose information is described in those reports? What about the risk that this information will fall into the wrong hands and, ironically, reveal vulnerabilities to wrongdoers? Finally, is this enterprise even feasible, or will the light-speed evolution of our information society inevitably doom any “consensus-based metric” to obsolescence?

* * *

Well, that’s it for our highlights of the US Cybersecurity Report. We hope that we’ve raised the right questions for companies to be asking themselves, even if answering those questions is an enormous job for cadres of lawyers. Of course, only time will tell which of these proposals come to fruition. But it’s also a near certainty that at least some will make headway, so it’s time for companies to at least start thinking through these issues. Many thanks for your attention.