There is no common scoring system for understanding a company’s cyber risk. In an era where business-to-business and integrated supply chains face approximately one new zero-day attack per day and a billion stolen records, cyber worthiness may be just as important as credit worthiness.

The US government and its business partners would benefit from a scoring system, similar to the FICO credit scoring system that provides a common yardstick for scoring companies. Over the past few years, frameworks for cyber assessments have been developed, such as the Cyber Security Capability Maturity Model (CMM), NIST 800-53r4, FFIEC, ISA, ISO, the Cyber Security Framework, etc. But none have been adopted writ large or designed for the purpose of cyber security scoring. We propose a scoring system with an algorithm tuned to a known standard – FICO. The key to market acceptance would be the participation of government and of a well-known set of companies that might serve to attract others. Why a score like FICO? To state the obvious, FICO is ubiquitous, with over 100 billion scores issued to date; virtually everyone understands the implications of a good and bad credit score.

There are many who would benefit from a standardised score. For example, insurance companies could use a scoring system to provide an empirical foundation for issuing policies and pricing insurance premiums. A score also gives high-risk companies a clear benchmark and an incentive to purchase insurance and to prioritise internal investments that mitigate specific cyber risk areas.

Jul-Sep 2016 Issue

Virginia Modeling, Analysis & Simulation Center