Commonwealth Sought a Quantitative Cybersecurity Measure
Some states have adopted a standard developed by the U.S. National Institute of Standards and Technology. It specifies a three-tier structure, ranking the effect of a potential vulnerability as “high,” “medium,” or “low.” VITA did not find this standard “precise enough for effective cybersecurity budgeting,” StateScoop says.
Virginia started instead with the Factor Analysis of Information Risk (FAIR) model, an international standard quantitative model for information security and operational risk. “FAIR provides a model for understanding, analyzing and quantifying information risk in financial terms,” the FAIR Institute says.
Calling cybersecurity risk “a business issue, not just a technology issue,” the FAIR Institute notes, “Organizations are increasingly transitioning to risk-based approaches to information security and operational risk, as compliance to regulations alone provide only a minimum layer of security and fail to adequately protect them.”
The commonwealth also turned to “the Center for Internet Security’s list of 20 security controls and resources, Verizon’s annual Data Breach Investigations Report and research from the Ponemon Institute to calculate state records’ risk values,” according to StateScoop.
Slow Speed of Government Creates Limitations
“Across the globe, more and more organizations [including governments] are reaping the benefits of these cyber risk quantification approaches to efficiently limit their cyber risk exposure,” says FICO's Global Cyber Risk Quantification Network in a 2018 report, “Quantifying Systemic Cyber Risk.”
The report observes, “Individual governments have several limitations in effectively governing the cyber commons. The first limitation is that direct control over cyberspace is not economically feasible given its global scale and trans-jurisdictional nature.”
Government also often moves slowly, passing legislation only after several years. While lawmakers are deliberating, the pace of technology continues to accelerate, meaning disruption could change the entire threat landscape before lawmakers have gained a footing in the last one, the report says.
Still, state governments can adopt means to prepare for cyberdefense of any nature. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency lists cybersecurity resources available to state, local, tribal and territorial governments. A state cybersecurity strategy may include these resources as elements in its overall defense planning.