Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Dan Geer, the highly regarded chief information security officer for the CIA’s investment arm, In-Q-Tel, will next month launch the Cyber Security Index, which could be a precursor to trading IT risks on financial markets.
The “sentiment-based” Cyber Security Index (CSI), set up by Greer and investment consultant Mukul Pareek, will boil 300 CISO's views on security down to a number.
Base month March has been set at 1000 and CSI flagged on its website that April rises to 1021.6.
“In short, the Index of Cyber Security aggregates the views of information security industry professionals as expressed through a monthly survey. Its form is an index for reasons that will become apparent,” the pair explain.
The survey covers improvements or degradation in security based on movements in the rates of malware, intrusion and attacks on web-facing applications as well as the likelihood of insider attacks, being a target for nation state actors or industrial espionage. It also covers security investments and the cost of complying with cybersecurity legislation.
Greer and Pareek’s vision for the index is big. The pair claim their index would be useful in establishing a means for financial market players to buy and sell IT security risks, and for end-user organisations to buy such insurance.
“Financial instruments on a security index will not have buyers or sellers in individuals or organisations exposed to the risks. Because the risk is specific and not systematic, they would prefer to buy insurance," they argued.
"The insurance company will buy the derivatives because it is the insurance company that will be exposed to the "average" risk represented by the index.”
The index could be refined through “sub-indices such as the ‘top-10’ vulnerabilities and the like that would provide significant specific risk exposure.”
Although the index could solve one obstacle to establishing an instrument suitable for hedging IT security risks, a major barrier remains.
“Financial instruments that allow people to take real dollar positions are legally complex and require extensive legal considerations and regulatory approvals, for example, from the Commodity Futures Trading Commission (CFTC) in the US. At this time, no such markets or instruments are planned,” they said.
In the absense of such a market, the two will begin by distributing the index to media, researchers, vendors, and, unlike other security reports, financial markets.
Key findings from the survey of chief information security officers that informed the forthcoming April index included:
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.