Search for: All records

There are two strategic and longstanding questions about cyber risk that organizations largely have been unable to answer: What is an organization's estimated risk exposure and how does its security compare with peers? Answering both requires industry-wide data on security posture, incidents, and losses that, until recently, have been too sensitive for organizations to share. Now, privacy enhancing technologies (PETs) such as cryptographic computing can enable the secure computation of aggregate cyber risk metrics from a peer group of organizations while leaving sensitive input data undisclosed. As these new aggregate data become available, analysts need ways to integrate them into cyber risk models that can produce more reliable risk assessments and allow comparison to a peer group. This paper proposes a new framework for benchmarking cyber posture against peers and estimating cyber risk within specific economic sectors using the new variables emerging from secure computations. We introduce a new top-line variable called the Defense Gap Index representing the weighted security gap between an organization and its peers that can be used to forecast an organization's own security risk based on historical industry data. We apply this approach in a specific sector using data collected from 25 large firms, in partnership with an industry ISAO, to build an industry risk model and provide tools back to participants to estimate their own risk exposure and privately compare their security posture with their peers. 

Most users of smartphone apps remain unaware of what data about them is being collected, by whom, and how these data are being used. In this mixed methods investigation, we examine the question of whether revealing key data collection practices of smartphone apps may help people make more informed privacyrelated decisions. To investigate this question, we designed and prototyped a new class of privacy indicators, called Data Controller Indicators (DCIs), that expose previously hidden information flows out of the apps. Our lab study of DCIs suggests that such indicators do support people in making more confident and consistent choices, informed by a more diverse range of factors, including the number and nature of third-party companies that access users’ data. Furthermore, personalised DCIs, which are contextualised against the other apps an individual already uses, enable them to reason effectively about the differential impacts on their overall information exposure.