The Ransomware Readiness Index leverages the existing SCRAM platform to securely collect and aggregate public and private sector ransomware-specific information for 10 security control areas and associated financial losses.


Municipal cyber risk modeling using cryptographic computing to inform cyber policymaking

Avital Baral, Taylor Reynolds, Lawrence Susskind, Daniel J. Weitzner, Angelina Wu


Municipalities are vulnerable to cyberattacks with devastating consequences, but they lack key information to evaluate their own risk and compare their security posture to peers. Using data from 83 municipalities collected via a cryptographically secure computation platform about their security posture, incidents, security control failures, and losses, we build data-driven cyber risk models and cyber security benchmarks for municipalities. We produce benchmarks of the security posture in a sector, the frequency of cyber incidents, forecasted annual losses for organizations based on their defensive posture, and a weighting of cyber controls based on their individual failure rates and associated losses. Combined, these four items can help guide cyber policymaking by quantifying the cyber risk in a sector, identifying gaps that need to be addressed, prioritizing policy interventions, and tracking progress of those interventions over time. In the case of the municipalities, these newly derived risk measures highlight the need for continuous measured improvement of cybersecurity readiness, show clear areas of weakness and strength, and provide governments with some early targets for policy focus such as security education, incident response, and focusing efforts first on municipalities at the lowest security levels that have the highest risk reduction per security dollar invested.


Ransomware Readiness Index: A Proposal to Measure Current Preparedness and Progress Over Time

R. Spiewak, T. Reynolds (Sept 2021). Ransomware Readiness Index: A Proposal to Measure Current Preparedness and Progress Over Time. IPRI Working Paper Series, IPRI/2021/WP/02


Ransomware is currently one of the most pressing cybersecurity threats for enterprises. While the consequences of ransomware have long been known, both firms and governments lack critical information needed to assess progress toward meaningful resilience. In this paper, we propose a new “Ransomware Readiness Index” (RRI) based on in-depth independent analysis of recently issued United States Executive Branch policy guidance on cybersecurity and ransomware. The RRI measures the aggregate level of enterprise readiness by sector (as well as other attributes), identifies the areas most at risk, and tracks progress over time toward full implementation of recent government recommendations. The index allows organizations to privately benchmark themselves against peers and focus on areas of opportunity to better mitigate ransomware threats. The RRI provides policymakers with critical feedback on the progress of these important control improvement efforts. We will securely compute the new index using MIT IPRI’s SCRAM platform, given its ability to aggregate data without requiring organizations to disclose their own sensitive data to other firms, to government entities, or even to the MIT researchers performing the index computation.


SCRAM: A Platform for Securely Measuring Cyber Risk

de Castro, L., Lo, A. W., Reynolds, T., Susan, F., Vaikuntanathan, V., Weitzner, D., & Zhang, N. (2020). SCRAM: A Platform for Securely Measuring Cyber Risk. Harvard Data Science Review.


We develop a new cryptographic platform called SCRAM (Secure Cyber Risk Aggregation and Measurement) that allows multiple entities to compute aggregate cyber-risk measures without requiring any entity to disclose its own sensitive data on cyberattacks, penetrations, and losses. Using the SCRAM platform, we present results from two computations in a pilot study with six large private-sector companies: (1) benchmarks of the adoption rates of 171 critical security measures and (2) links between monetary losses from 49 security incidents and the specific sub-control failures implicated in each incident. These results provide insight into problematic cyber-risk-control areas that need additional scrutiny and/or investment, but in a completely anonymized and privacy-preserving way.