Abstract: Ransomware is currently one of the most pressing cybersecurity threats for enterprises. While the consequences of ransomware have long been known, both firms and governments lack the critical information needed to assess progress toward meaningful resilience. In this paper, we propose a new “Ransomware Readiness Index” (RRI) based on in-depth independent analysis of recently issued United States Executive Branch policy guidance on cybersecurity and ransomware. The RRI measures the aggregate level of enterprise readiness by sector (as well as other attributes), identifies the areas most at risk, and tracks progress over time toward full implementation of recent government recommendations. The index allows organizations to privately benchmark themselves against peers and focus on areas of opportunity to better mitigate ransomware threats. The RRI also provides policymakers with critical feedback on the progress of these important control-improvement efforts. We will securely compute the new index using MIT IPRI’s SCRAM platform, given its ability to aggregate data without requiring organizations to disclose their own sensitive data to other firms, to government entities, or even to the MIT researchers performing the index computation.
de Castro, L., Lo, A. W., Reynolds, T., Susan, F., Vaikuntanathan, V., Weitzner, D., & Zhang, N. (2020). SCRAM: A Platform for Securely Measuring Cyber Risk. Harvard Data Science Review. https://doi.org/10.1162/99608f92.b4bb506a
We develop a new cryptographic platform called SCRAM (Secure Cyber Risk Aggregation and Measurement) that allows multiple entities to compute aggregate cyber-risk measures without requiring any entity to disclose its own sensitive data on cyberattacks, penetrations, and losses. Using the SCRAM platform, we present results from two computations in a pilot study with six large private-sector companies: (1) benchmarks of the adoption rates of 171 critical security measures and (2) links between monetary losses from 49 security incidents and the specific sub-control failures implicated in each incident. These results provide insight into problematic cyber-risk-control areas that need additional scrutiny and/or investment, but in a completely anonymized and privacy-preserving way.
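The abstracts above describe the goal of SCRAM (computing aggregate benchmarks such as control-adoption rates across firms without any firm, or the party doing the computation, seeing an individual firm's answers) but not the mechanism. The block below is an added illustration of that principle using additive secret sharing, the simplest privacy-preserving aggregation technique; it is not SCRAM's own code, and the abstracts do not state which cryptographic construction SCRAM actually uses. The six firms, the three control names, the adoption flags and the choice of three non-colluding aggregators are all constructed for the example.

```python
import secrets

# Modulus for the sharing ring. Any prime larger than the largest possible
# aggregate works; a 61-bit Mersenne prime is a convenient constructed choice.
P = (1 << 61) - 1

# Constructed sample input: six firms reporting a 0/1 adoption flag for three
# hypothetical controls. Real SCRAM inputs (171 controls) are never disclosed;
# these values exist only so the example runs stand-alone.
CONTROLS = ["control_1", "control_2", "control_3"]
SAMPLE_REPORTS = {
    "firm_A": {"control_1": 1, "control_2": 1, "control_3": 0},
    "firm_B": {"control_1": 1, "control_2": 0, "control_3": 0},
    "firm_C": {"control_1": 1, "control_2": 1, "control_3": 1},
    "firm_D": {"control_1": 0, "control_2": 1, "control_3": 0},
    "firm_E": {"control_1": 1, "control_2": 0, "control_3": 1},
    "firm_F": {"control_1": 1, "control_2": 1, "control_3": 0},
}


def share(value, n):
    """Split `value` into n additive shares mod P.

    Any n-1 shares are uniformly random and independent of `value`; only the
    sum of all n shares reveals it. Each share goes to a different aggregator.
    """
    if not 0 <= value < P:
        raise ValueError("value must be in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Recover a value (or a sum of values) from its additive shares."""
    return sum(shares) % P


def aggregate_adoption(firm_reports, controls, n_aggregators=3):
    """Return per-control adoption counts without any aggregator seeing a firm's flags.

    Each firm shares every flag across the aggregators. Each aggregator adds the
    shares it receives per control, so it holds a share of the column total,
    never of an individual firm's answer. Publishing only those partial sums
    and adding them yields the totals; the per-firm shares are never combined.
    """
    if n_aggregators < 2:
        raise ValueError("at least two non-colluding aggregators are required")
    partial = [{c: 0 for c in controls} for _ in range(n_aggregators)]
    for report in firm_reports.values():
        for c in controls:
            for k, s in enumerate(share(report[c], n_aggregators)):
                partial[k][c] = (partial[k][c] + s) % P
    # Each aggregator releases only its per-control partial sum.
    return {
        c: reconstruct([partial[k][c] for k in range(n_aggregators)]) for c in controls
    }


def adoption_rates(firm_reports, controls, n_aggregators=3):
    """Benchmark each control's adoption rate (fraction of firms) from the secure totals."""
    totals = aggregate_adoption(firm_reports, controls, n_aggregators)
    n_firms = len(firm_reports)
    return {c: totals[c] / n_firms for c in controls}


if __name__ == "__main__":
    for control, rate in adoption_rates(SAMPLE_REPORTS, CONTROLS).items():
        print(f"{control}: {rate:.0%} of firms have adopted it")
```

The privacy argument rests on the aggregators not colluding: a single aggregator's view of a firm is a uniformly random share, which carries no information about the flag, and the only values ever combined are column totals. Monetary-loss links of the kind described in the second SCRAM computation can be aggregated the same way, since sums of integer loss amounts fit in the same ring as long as the modulus exceeds the largest possible total.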