The science of cyber risk looks at a broad spectrum of risks across a variety of digital platforms. Often though, the work done within the field is limited by a failure to explore the knowledge of other fields, such as behavioral science, economics, law, management science, and political science. In a new Science Magazine article, “Cyber Risk Research Impeded by Disciplinary Barriers,” cyber risk experts and researchers at Stanford University make a compelling case for the importance of a cross-disciplinary approach. Gregory Falco, security researcher at the Program on Geopolitics, Technology, and Governance, and lead author of the paper, talked recently with the Cyber Policy Center about the need for a holistic approach, both within the study of cyber risk, and at a company level when an attack occurs.
网络风险科学着眼于各种数字平台上的广泛风险。 但是,通常情况下,由于未能探索其他领域的知识(例如行为科学,经济学,法律,管理科学和政治科学),该领域的工作受到了限制。 斯坦福大学的网络风险专家和研究人员在《科学杂志》( Science Magazine)的新文章“学科障碍阻碍的网络风险研究”中为跨学科方法的重要性提供了令人信服的论据 。 该论文的主要作者,地缘政治,技术和治理计划的安全研究员Gregory Falco最近与网络政策中心讨论了在网络风险研究和公司内部都需要采取整体方法的必要性发生攻击时的级别。
CPC: Your recent perspective paper in Science Magazine highlights the issue of terminology when it comes to how organizations and institutions define a cyber attack. Why is it so important to have consistent naming when we are talking about cyber risk?
每次点击费用:您最近在《科学杂志》上发表的一篇观点文章强调了有关组织和机构如何定义网络攻击的术语问题。 为什么在谈论网络风险时,保持一致的命名为什么如此重要?
Falco: With any scientific discipline or field, there is a language for engaging with other experts. If there’s no consistent language or at least dialect for communication around cyber risk, it’s difficult to engage with scholars from different disciplines. For example: The phrase “cyber event” is contested and the threshold for what an organization considers to be a cyber event varies substantially. Some organizations consider someone pinging their network as a cyber event, others only consider something a cyber event once an intrusion has been publicly disclosed. So there’s a disparity when comparing metrics of cyber events from organization to organization because of the different thresholds of what’s considered an event.
Falco:在任何科学学科或领域中,都有一种与其他专家互动的语言。 如果没有统一的语言或至少没有方言来围绕网络风险进行交流,那么很难与来自不同学科的学者进行交流。 例如:“网络事件”一词备受争议,而组织认为是网络事件的阈值则大不相同。 一些组织将某人将其网络ping作为网络事件,而其他组织仅在入侵被公开披露后才将某事视为网络事件。 因此,在比较组织之间的网络事件指标时,存在差异,这是因为事件的阈值不同。
CPC: We’ve all been sent one of those emails letting us know our data may have been compromised and your paper points out it’s nearly impossible to put foolproof protections into place; attacks are inevitable. Given that, how should companies weigh the various ways they can protect themselves?
CPC:我们都已经收到其中一封电子邮件,让我们知道我们的数据可能已经遭到破坏,您的论文指出几乎不可能实施万无一失的保护措施。 攻击是不可避免的。 有鉴于此,公司应如何权衡他们保护自己的各种方式?
Falco: The first exercise each organization should go through when they decide to be serious about cyber risk is to prioritize their assets. What is business critical? What is safety critical? Then, like all other risks, a cost-benefit analysis must be done for each asset based on its priority. If the asset is safety-critical, then resources should be allocated to help protect that asset or at least ensure its resilience. Trade-offs are inevitable, no company has unlimited resources. But starting with an understanding of where the priorities are, is critical.
Falco:每个组织在决定认真对待网络风险时应首先进行的一项工作是优先考虑其资产。 关键业务是什么? 什么是安全关键? 然后,像其他所有风险一样,必须根据每种资产的优先级对其进行成本效益分析。 如果资产对安全至关重要,则应分配资源以帮助保护该资产或至少确保其弹性。 权衡是不可避免的,没有公司拥有无限的资源。 但是从了解优先级在哪里开始至关重要。
CPC: In companies, cyber security often falls entirely to the Chief Information Security Officer (CISO). Your paper argues that’s shortsighted. What is gained when a company takes a more holistic approach?
CPC:在公司中,网络安全通常完全由首席信息安全官(CISO)负责。 您的论文认为这是短视的。 公司采取更全面的方法会获得什么?
Falco: Distributing responsibility across the organization catalyzes a security culture. A security culture is one where there is a constant vigilance or at least broad awareness of cybersecurity concerns throughout the organization. Fostering a security culture is often suggested as a mechanism to help reduce cyber risk in organizations. The problem with not distributing responsibility is that when something happens, it’s too easy to resort to finger-pointing at the CISO, and that’s counterproductive. Efforts after an attack should be on responding and being resilient, not finding the scapegoat.
Falco:在整个组织中分配责任促进了一种安全文化。 安全文化是指对整个组织始终保持警惕或至少广泛了解网络安全问题的文化。 通常建议建立一种安全文化,以帮助降低组织中的网络风险。 没有分配责任的问题是,当事情发生时,诉诸于CISO太容易了,这适得其反。 袭击后的努力应该是做出React并保持韧性,而不是寻找替罪羊。
CPC: Cyber risk largely focuses on prevention, but your paper argues that it’s what happens after an attack in that needs greater attention. Why is that?
每次点击费用:网络风险主要集中在预防上,但您的论文认为,攻击后发生的事情需要引起更多关注。 这是为什么?
Falco: Every organization will be attacked. However organizations can differentiate themselves from a cyber risk standpoint by appropriately managing the situation after an attack. Some of the most significant damages to organizations can be reputational if communication after an attack is unclear or botched. Poor communication after an attack can result in major regulatory fines or valuation adjustments as seen in cases like Yahoo and that can have major business implications. Communications aren’t the only important element of post-attack response. A thorough post-mortem of the organization’s response to the attack can be an important learning experience and a way to plan for future attacks.
法尔科:每个组织都会受到攻击。 但是,组织可以通过适当地管理攻击后的状况,从网络风险的角度区分自己。 如果攻击后的沟通不明确或受到破坏,则对组织造成的一些最重大损害可能是声誉受损。 攻击后通讯不畅会导致重大的监管罚款或估值调整,例如Yahoo这样的情况,并且可能会对业务产生重大影响。 交流并不是攻击后响应的唯一重要元素。 组织对攻击的响应进行彻底的事后分析可能是重要的学习经验,也是计划未来攻击的一种方式。
CPC: Protecting against cyber attacks and the losses that go with them can obviously be costly for companies. You make a case for collaboration among different fields, say among data scientists and economists. How can that be encouraged?
CPC:防范网络攻击及其带来的损失对于公司而言显然是昂贵的。 您需要为不同领域之间的协作提供依据,例如数据科学家和经济学家之间的协作。 如何鼓励呢?
Falco: We argue that cross-disciplinary collaboration rarely happens organically. Therefore, we call on funding agencies like the NSF or DARPA to specify a preference for cross disciplinary research when funding cyber risk projects. Typically, this isn’t currently a feature of calls for proposals, but for cyber risk programs it should be. We encourage researchers to explore cyber risk questions at the margins of their discipline. Those questions may lend themselves to potential overlap with other disciplines and foster a starting point for cross-disciplinary collaboration.
Falco:我们认为跨学科的合作很少有机地发生。 因此,我们呼吁像NSF或DARPA这样的资助机构在资助网络风险项目时指定对跨学科研究的偏爱。 通常,这目前不是征求建议书的功能,但对于网络风险计划应该是。 我们鼓励研究人员在其学科边缘探索网络风险问题。 这些问题可能使其自身可能与其他学科重叠,并为跨学科合作奠定了起点。
For more on these topics, see a full list of recent publications from the Cyber Policy Center and the Program on Geopolitics, Technology, and Governance.
有关这些主题的更多信息,请参见网络政策中心和地缘政治,技术与治理计划的最新出版物的完整列表。