New index a step to trading IT security risks

Dan Geer, the highly regarded chief information security officer for the CIA’s investment arm, In-Q-Tel, will next month launch the Cyber Security Index, which could be a precursor to trading IT risks on financial markets.  

The “sentiment-based” Cyber Security Index (CSI), set up by Greer and investment consultant Mukul Pareek, will boil 300 CISO's views on security down to a number.

Base month March has been set at 1000 and CSI flagged on its website that April rises to 1021.6. 

“In short, the Index of Cyber Security aggregates the views of information security industry professionals as expressed through a monthly survey. Its form is an index for reasons that will become apparent,” the pair explain. 

The survey covers improvements or degradation in security based on movements in the rates of malware, intrusion and attacks on web-facing applications as well as the likelihood of insider attacks, being a target for nation state actors or industrial espionage. It also covers security investments and the cost of complying with cybersecurity legislation. 

Greer and Pareek’s vision for the index is big. The pair claim their index would be useful in establishing a means for financial market players to buy and sell IT security risks, and for end-user organisations to buy such insurance.

“Financial instruments on a security index will not have buyers or sellers in individuals or organisations exposed to the risks.  Because the risk is specific and not systematic, they would prefer to buy insurance," they argued. 

"The insurance company will buy the derivatives because it is the insurance company that will be exposed to the "average" risk represented by the index.” 

The index could be refined through “sub-indices such as the ‘top-10’ vulnerabilities and the like that would provide significant specific risk exposure.”

Although the index could solve one obstacle to establishing an instrument suitable for hedging IT security risks, a major barrier remains. 

“Financial instruments that allow people to take real dollar positions are legally complex and require extensive legal considerations and regulatory approvals, for example, from the Commodity Futures Trading Commission (CFTC) in the US.  At this time, no such markets or instruments are planned,” they said. 

In the absense of such a market, the two will begin by distributing the index to media, researchers, vendors, and, unlike other security reports, financial markets.

Key findings from the survey of chief information security officers that informed the forthcoming April index included:

• Most respondents feel that the biggest increase in threat over the past month has been from malware in its countless forms.
• The threat from nation-states is considered an increasing threat, as is the threat of targeted attempts to steal industrial data.
• The risk due to a compromise at a third-party with access to data is also considered a rising threat.
• Overall, security professionals felt that cyber security in the aggregate had worsened, including that of online transactions they conduct as part of their personal lives.
• Respondents believe that the value and protection received from government and regulators is improving, though the cost of regulation is also going up.
• Threats from malicious insiders, internet based attacks, and political- or ideology-based attacks are only marginally up compared to the previous month.