"How Do We Know When Cyber Defenses Are Working?"

Josephine Wolff, associate professor of cybersecurity policy at the Fletcher School at Tufts University, points out that measuring and communicating defensive victories in cyberspace continues to be difficult. Successful attacks are often visible and generate their own headlines, without the need for government officials to issue formal statements, but successful defense is primarily demonstrated by the absence of any headline-making attacks. Even when that absence is noticed and discussed by the media and the general public, outside observers have no way of knowing whether it is due to a lack of attempted attacks or a strong defensive posture. These difficulties are not unique to cybersecurity, as measuring the impact of security measures is always difficult when success is dependent on eliminating or reducing relatively rare, large-scale threats. However, certain characteristics of cyber threats and defenses make this type of analysis particularly difficult. To answer the question of how effective cyber defenses are against cyberattacks, more information is needed about what these attempted attacks look like and how they are mitigated. Various cybersecurity metrics have been proposed for measuring the resilience and security of computer networks. These include the speed with which a computer system recovers from various types of interference, the time it takes for an organization to detect an intrusion, and the percentage of devices compromised or infected with malware in any given incident. Other proposals have focused on reporting information and metrics related to cybersecurity "near misses," which can be more difficult to quantify because there is often no downtime or other obvious measurable damage. This article continues to discuss measuring success in cyber defense.

The Brookings Institution reports "How Do We Know When Cyber Defenses Are Working?"
