DHS preps Cyber Incident Data Repository
- By Matt Leonard
- Apr 24, 2017
To protect their organizations from threats, cybersecurity professionals must understand both current and historical cyber risk conditions so they can better identify cyber risk trends. Providing that insight is the goal of the Department of Homeland Security’s Cyber Incident Data Repository (CIDAR) pilot, which aims to identify trends, mitigate threats and calculate risks for enterprise risk managers and cybersecurity insurance companies.
DHS started working on the repository after conversations in 2012 on incentivizing security, according to Matt Shabat, the agency’s director of performance management. The idea was that insurance would encourage better practices by providing lower premiums to “entities that demonstrate to insurers that they have a certain level of cybersecurity.”
Potential cybersecurity insurers, however, didn’t have actuarial data to be able to make those assessments. “The idea behind the repository” was to provide that data, thinking that “as the data matures, the market matures along with it,” Shabat told GCN.
Unfortunately, insurers told DHS they would need 10 to 15 years of data to make a difference in the insurance market. In the interim, though, a 2015 Cyber Incident Data and Analysis Working Group report suggests the repository of voluntarily shared data about both intentional and accidental cyber incidents still offers several benefits:
- Identifying top risks and effective controls to help assess the effectiveness of various “in place” controls and potentially link attacks to their respective sources.
- Informing peer-to-peer benchmarking to help organizations assess their cybersecurity postures against their peers and help establish a baseline for reasonable cybersecurity best practices.
- Showing return on investment to support cost-benefit analyses, budget justifications for cybersecurity investments and cybersecurity insurance pricing and availability.
- Allowing for sector differentiation to show sector-specific cyber risks and appropriate cyber risk management investments.
- Supporting forecasting, trending and modeling for analyzing specific threat actors, their likely attack methods and short-, mid- and long-term cascading impacts of attacks.
- Advancing risk management culture to promote more holistic approaches to enterprise cybersecurity risk management.
The vision right now is to place CIDAR in a web-based portal and allow enterprises to compare their security practices to their peers, Shabat said. There are already a few databases with similar information, but DHS expects the data in CIDAR to be more encompassing.
The data will be anonymized, but users will see basic information -- like number of employees and revenue -- so they can compare similar organizations. Other data points CIDAR is considering include information on what standards family an enterprise follows or if it has a dedicated security staff and an incident response plan in place. The number of potential data points requested has been narrowed from about 50, Shabat said, to lessen the reporting burden for organizations that volunteer information.
The proof-of-concept phase, which DHS expects to enter in a couple of months, will test the security of the repository and the anonymization.
“We were hoping to be piloting already,” Shabat said, “but the sooner we can get it up and running the better because we have a lot of questions we want to ask.”
For his work on CIDAR, Shabat is a finalist for the (ISC)2 Government Information Security Leadership Awards in the policy and process improvement category. Winners will be announced May 10.
Matt Leonard is a former reporter for GCN.