The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”
Abstract
Despite the prevalence of cyber attacks, we still have a limited understanding of the relationship between security control failures and financial loss. Very few firms build their own cyber risk models internally, and those that do lack external data to ensure the models are robust. The industry has done a good job of sharing threat and vulnerability information, but that provides little guidance to shape overall strategy, either for individual firms or for policymakers looking to manage risk at a societal level. MIT’s SCRAM (Secure Cyber Risk Aggregation and Measurement) is a new cyber risk measurement research platform that provides security benchmarking and return-on-security-investment data to CISOs, Chief Risk Officers and CFOs so that they can better protect their networks, direct security investments, and improve the state of global cybersecurity. SCRAM uses secure multiparty computation based on threshold homomorphic encryption to compute aggregate benchmarks and risk metrics without ever requiring firms to disclose their sensitive data to anyone else. This new approach to cybersecurity will provide currently unattainable cyber risk pricing metrics to guide private investment decisions, make cyber insurance markets more efficient, and shape cybersecurity regulations.
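The aggregation pattern the abstract describes, shown as an added illustration rather than SCRAM's own code (the page does not specify SCRAM's scheme): an n-of-n exponential-ElGamal construction with constructed toy parameters, a simplification of a t-of-n threshold scheme, in which each firm encrypts its value under a joint public key, an aggregator multiplies the ciphertexts, and the total is recoverable only when every firm contributes a decryption share, so no individual firm's input is ever exposed.

```python
import secrets

# Constructed toy parameters: P is a safe prime (P = 2Q + 1) and G = 4 a quadratic
# residue, so G generates the order-Q subgroup. A deployment uses a >= 2048-bit group.
P, G = 2039, 4
Q = (P - 1) // 2

def keygen(n_parties):
    """Each firm draws a key share x_i; joint public key h = G^(sum x_i)."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_parties)]
    h = 1
    for x in shares:
        h = h * pow(G, x, P) % P
    return shares, h

def encrypt(h, m):
    """Exponential ElGamal (G^r, G^m * h^r); multiplying ciphertexts adds messages."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P

def add_ciphertexts(cts):
    """Component-wise product: an encryption of the sum of all firms' inputs."""
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def partial_decrypt(x_share, c1):
    """One party's share c1^(x_i), computed only on the aggregate ciphertext."""
    return pow(c1, x_share, P)

def combine(partials, c2, max_sum):
    """Multiply shares to get c1^x, strip it from c2 to get G^(sum m), then brute-force
    the discrete log up to max_sum (benchmarks are small counts, so this is cheap)."""
    c1x = 1
    for part in partials:
        c1x = c1x * part % P
    target, acc = c2 * pow(c1x, -1, P) % P, 1
    for s in range(max_sum + 1):
        if acc == target:
            return s
        acc = acc * G % P
    raise ValueError("aggregate exceeds max_sum")

def aggregate(values, max_sum=1000):
    """Demo driver playing every role (firms and aggregator) in one process."""
    shares, h = keygen(len(values))
    c1, c2 = add_ciphertexts([encrypt(h, v) for v in values])
    return combine([partial_decrypt(x, c1) for x in shares], c2, max_sum)
```

In a real deployment the aggregator would hold only the ciphertexts and the decryption shares, never a firm's plaintext or key share, and the sum must stay below the group order Q for the discrete log to be unambiguous.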