In my last post, I looked at the global Income Gap and Digital Divide. I asked why there are, proportionally, more billionaires in San Francisco than people with fixed broadband access in South Sudan.
In this post I’ll ask whether, in addition to an Income Gap and Digital Divide between countries, there is also a Cyber Security Canyon.
How to spot a Cyber Security Canyon
Before we search for a Cyber Security Canyon we should decide what we are looking for. I propose that it would show up in the data as a significant inequality in the level of cyber security between countries. By significant, I mean it would be on a similar or greater scale to the inequality of the Digital Divide, where the top countries have internet access rates 5 times better than the lowest ranked countries.
The chart below illustrates the size of the Digital Divide, using median household income data from Gallup, for the 131 countries they survey, and the corresponding internet access data from the ITU. Liberia is on the far left, with the lowest household income, and Norway is on the far right, with the highest.
If a Cyber Security Canyon exists, the countries on either side of it need not necessarily be the same as those on either side of the Income Gap and Digital Divide. But it wouldn’t be a surprise if they were.
The case for a Canyon
So, what evidence for a Canyon can we find?
I think the search gets off to a fruitful start if we begin by considering countries’ cyber security capacity and vulnerabilities. In the next chart, I’ve plotted an indicator of national cyber capacity in green and an indicator of national vulnerability in red. The trend lines are shown with dashes. The capacity indicator is the ITU’s Global Cybersecurity Index score. For vulnerability, I use the Microsoft malware encounter rate – the percentage of PCs in a country on which Microsoft detects malware in a given time period (Q1 2017 in this case).
Looking first at the national capacity indicator, the lowest income countries have a Global Cybersecurity Index score of around 0.2-0.3. ITU use an ordinal scoring system in which a country with a score of 0.2-0.3 has very basic capacity in some dimensions of cyber security and no capacity at all in others. By contrast, the highest income countries have GCI scores around 0.8-0.9, which equates to having advanced levels of cyber capacity in almost all dimensions.
When we turn to the malware encounter rate we see the mirror relationship. In low income countries Microsoft finds malware on around 20-25% of PCs, compared with around 5% in the high income countries.
The malware infection rates in the lowest income countries are 4 to 5 times worse than those in the highest income countries. The ITU capacity scores for the highest income countries are more than 4 times better than those of the lowest income countries (although that could of course change if ITU changed their scoring system).
This is beginning to look like a Canyon. Because the main indicator measures capacity, I’ll call it a Cyber Capacity Canyon.
This is not the Canyon you are looking for
Wouldn’t it be useful if we could neatly conclude that cyber security is four times better in the highest income countries than the lowest? Of course, life is never that simple.
Most importantly, we still haven’t defined what we mean by better cyber security. I suggest that in most cases when we dig into what ‘good cyber security’ means we get down to the underlying, and more concrete, concepts of cyber risk and cyber harm.
Bear with me here… A country or organisation achieves good (or adequate) cyber security when its control measures are sufficient to reduce its cyber risk exposure to the level of its risk appetite. Once a country achieves good cyber security it should find in the future that the cyber harm it actually experiences is at or below the level of harm it was willing to accept as the price of being digitally connected.
So, if we are talking about cyber risk or cyber harm when we talk about ‘good cyber security’, then what can our two indicators tell us about them? Unfortunately, on their own, not as much as we’d like.
The malware encounter rate can be an indicator of cyber harm, but we would need to find some method of translating infection rates to dollar cyber harm values in a way that works whether the PCs are in Canada or Cameroon. I’m not aware of such a method.
As for cyber risk, both indicators can tell us something about that, but they are only part of the equation. I’ll explore competing interpretations of cyber risk in a future blog, but for now let’s use a basic formula from many management textbooks:
(Cyber) Risk = Threat x Vulnerability x Impact
Both the Microsoft malware encounter rate and the ITU GCI score are national indicators for the middle term: vulnerability. They tell us almost nothing about threat or impact and therefore can give us only a very incomplete picture of cyber risk.
When we gather data for cyber risk and cyber harm we may find that there is no Cyber Security Canyon, or that it looks quite different to the Cyber Capacity Canyon we’ve seen so far. I can only speculate.
Can we rely on our indicators?
We need more cyber indicators to capture risk and harm, but can we even be sure the indicators we already have are reliable?
What I find most striking about the two cyber indicators I’ve used in this blog is the difference in their deviation around the trend line. The Microsoft encounter rate sticks pretty closely to its trend line, but the ITU’s GCI score deviates noticeably. In the GCI data we see countries with near identical low incomes where one has almost zero cyber security capacity and the other has a capacity level just short of the most advanced cyber nations. We don’t find that pattern in the ITU’s internet access data.
Suffice it to say the lower deviation in the Microsoft data means it’s the cyber indicator in which I have greater confidence. However, I appreciate the effort that has gone into producing both data sets over several years and I expect the trend line in the ITU’s data will be confirmed by other capacity review studies.
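To make the “deviation around the trend line” comparison concrete, here is a small added example (my own illustration, not code or data from the original post). It fits a straight line to each indicator against log income and reports the residual scatter relative to the indicator’s range, so that a 0-1 capacity score and a percentage encounter rate can be compared on equal terms. The eight countries and their values are constructed for the example and are not the Gallup, ITU or Microsoft figures.

```python
import math

# Constructed sample, not real survey data:
# (label, median household income in USD, GCI-style capacity score 0-1,
#  malware encounter rate in % of PCs). Values are illustrative only.
SAMPLE = [
    ("A", 1000, 0.15, 26.0),
    ("B", 1500, 0.75, 23.0),
    ("C", 2500, 0.20, 21.0),
    ("D", 5000, 0.55, 15.0),
    ("E", 9000, 0.30, 12.0),
    ("F", 15000, 0.85, 8.0),
    ("G", 25000, 0.60, 6.0),
    ("H", 40000, 0.90, 4.0),
]


def fit_line(xs, ys):
    """Ordinary least-squares fit of y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = my - b * mx
    return a, b


def relative_scatter(xs, ys):
    """Root-mean-square residual around the fitted trend line, divided by the
    range of y. Dividing by the range lets indicators measured on different
    scales (a 0-1 score versus a percentage) be compared directly."""
    a, b = fit_line(xs, ys)
    rms = math.sqrt(sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys)) / len(xs))
    return rms / (max(ys) - min(ys))


def compare_indicators(sample):
    """Return the relative scatter of each indicator against log10(income).
    A lower value means the indicator follows its trend line more closely."""
    xs = [math.log10(income) for _, income, _, _ in sample]  # income on a log axis
    gci = [score for _, _, score, _ in sample]
    malware = [rate for _, _, _, rate in sample]
    return {
        "gci": relative_scatter(xs, gci),
        "malware": relative_scatter(xs, malware),
    }


if __name__ == "__main__":
    result = compare_indicators(SAMPLE)
    for name, scatter in result.items():
        print(f"{name}: relative scatter around trend = {scatter:.3f}")
    best = min(result, key=result.get)
    print(f"Indicator with the tighter fit to its trend line: {best}")
```

With the constructed data the malware series tracks its (downward) trend closely while the capacity score jumps around it, reproducing the pattern described above; swapping in real figures only requires replacing SAMPLE.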
The need for further research and cyber security capacity building
I feel fairly confident we have found a Cyber Capacity Canyon, but more is needed to explore its geography. By augmenting ITU’s capacity data with other sources we could be more confident that it is as wide as it looks. By adding other indicators, for example covering threat and impact, we could see if it extends into the territory of cyber risk and cyber harm – meaning we’ve found a Cyber Security Canyon.
Should we wait for this further research before acting? I think that would be a mistake. We have enough data to know that poorer countries are being left behind in terms of their capacity to protect themselves and their populations. That alone is enough reason to act now: for their sake and for the sake of the global systems that are connected to them.
Now is the time for international cyber security capacity building.
Agreed. Actually, we need to look at data sets of one study or another within a prescribed life span of that data with a requisite expiration date, due to the construct of those data sets. Especially those aiming to be more holistic that may not consider or have the capacity to consider the ever-evolving landscape.
You mean every methodology for measuring national cyber security capacity and every data point they collect should be updated/refreshed after a certain time period because cyber evolves so fast? How about a ‘best by’ date instead of an expiration date?