The Survey Instrument
The survey itself will consist of a limited number of questions, focused on cybersecurity issues that matter to industry professionals, and repeated month after month. For the first run, the questions will be as follows. While we want the question set to be stable over the long run, some initial adjustments may be needed.
Each response will be one of five choices: falling fast, falling, static, rising, rising fast.
ICS survey questions
Each of the survey questions below is responded to on a five point scale, with the respondents rating the risks as having fallen fast, fallen, stayed static, risen or risen fast when compared to the previous month.
Attack Actors
- Insider threat: In your view, the risk from malicious insiders (with both opportunity and motivation)
- Strategic rivals: The likelihood that there exist attacks explicitly targeting economically valuable data within your organization
- Activists/hacktivists: Your exposure to politically or ideologically motivated activity (whether local or abroad)
- Criminals: The threat to your organization from criminally motivated attackers
- Nation-states: The degree to which you are a target for nation-state actors
Weapons
- Botnets
- Mass malware
- Vulnerability exploitation
- Phishing / social engineering
- Attacks customized to your organization
Effect desired by attackers
- Data theft (Confidentiality)
- Data modification (Integrity)
- Business disruption (Availability)
Attack target
- Web facing applications
- Internet exposed devices and appliances
- End point desktops
- Mobile devices
- Public infrastructures you rely upon including cloud
- Third parties (counterparties, vendors, partners, etc.) who have rightful access to your data
- Network-connected but autonomous devices (collectively known as the “Internet of Things”)
Defenses
- Vulnerability of available defenses to known threats
- Vulnerability of available defenses to unknown threats
The respondents
Survey research is vulnerable to poorly chosen respondents. The respondents to this survey will be privately recruited industry practitioners with operational responsibilities for managing information security risks. It is critical that they have both skill and responsibility. We are currently targeting:
- Chief Risk Officers and their direct reports
- Chief Information Security Officers and their direct reports
- Selected academicians engaged in field work
- Selected security product vendors’ Chief Scientists or equivalent
Survey responses will be collected electronically using a website. Respondents will be functionally anonymous, i.e., they will log in using credentials of their choosing and can be confident that their responses will not be associated with them in any public manner. Only the core project team will have access to the true names of the respondents, and that on paper only.
People with an interest in the subject matter of the index may request participation in the survey. Such requests will be evaluated by the core project team, which will allow participation only by people who have first-hand knowledge of the cybersecurity threats facing the industry.