Risk Based Security, NIST and University of Maryland Team Up To Tackle Security Effectiveness

The research team at Risk Based Security analyzes and catalogs thousands of data breaches every year. From that work, a few central themes arise time and again. One such theme is that breaches can happen at even the most security-conscious organizations. Another is that attackers are unrelenting in their tenacity and skill when it comes to searching out weaknesses in organizational practices and processes. Watching these themes repeatedly play out to their unfortunate consequences – a data compromise event – has led us to the conclusion that there is no substitute for a methodical and risk-based approach to security management, one that addresses both the organization’s own security practices and the downstream risk posed by vendors, suppliers and other third parties that can be a gateway to a security incident.

Risk Based Security has long been a staunch supporter of leveraging the value of cyber security frameworks like ISO 27001/2 and NIST’s Cybersecurity Framework to create robust security programs based on security best practice. Management systems such as these bring much needed structure to the day-to-day work of risk assessment, defining security objectives, and selecting and implementing security controls. What has been missing from the picture until now, however, are formal tools for assessing how well the organization is performing against these frameworks, for measuring the effectiveness of the security controls, and a common platform for sharing that benchmarking data with peers.

So we were very excited to learn about a new joint research project launched by NIST’s Computer Security Resource Center and the University of Maryland, known as the Predictive Analytics Modeling Project. The aim of the project is to conduct the primary research needed in order to build tools that can measure the effectiveness of security controls. In short, the project is taking a deep, data-driven dive into the relationship between security controls, supply chain capabilities and actual data breach results.

Project organizers have an open call out to federal agencies, IT vendors and publicly traded companies in the U.S., looking for organizations interested in participating in the study. In addition to furthering academic research, participation comes with some very real, near-term benefits. The data gathering mechanism is a risk assessment questionnaire which can be completed online in less than an hour. In addition to providing researchers with much needed data, participants are able to benchmark their current security practices against NIST’s Cybersecurity Framework, providing valuable feedback on how their program stacks up and highlighting areas for improvement. Participants will also be able to anonymously compare their results against their peers for a better understanding of how their practices compare to others within their industry.

A website outlining the project can be found here: https://cyberchain.rhsmith.umd.edu/

The window for participation is only open until March 15th, so be sure to register and start participating soon.