Saturday, February 16, 2013

Measuring and predicting cyber security

Cybersecurity is a hot topic these days as the number of attacks grows and governments try to defend against them. There are questions of policy as well as technology -- which policies work?

Aaron Kleiner, Paul Nicholas and Kevin Sullivan of Microsoft Research have tried to answer that question by looking at the results of scans using MSRT, Microsoft's Malicious Software Removal Tool. The MSRT reports back when it removes malicious software and, using this data, Microsoft estimates computers cleaned per mille (thousand) or “CCM,” the number of computers cleaned for every 1,000 times that the MSRT is run. For example, if 50,000 scans resulted in 200 cleans, that is 200 cleans per 50 thousand scans, so the CCM would be 200/50 = 4.

The researchers gathered data during the fourth quarter of 2011 and published the results in a report entitled Linking Cybersecurity Policy and Performance. Here you see a visualization of CCM levels for countries in the fourth quarter of 2011.

Analyzing the data, they looked for correlation between policies and CCM. For example, countries signing the Council of Europe Convention on Cybercrime do better than countries that do not. In addition to policies, they looked at various indicators and found correlations as shown below.

Using a model based on demographic and policy variables, they were able to predict CCM well, as shown here.

The authors emphasize that correlation does not imply causation, but this is an interesting big data application. Microsoft provides a valuable service for free, and in return gathers massive amounts of data on incidents of malicious software detection and removal. It is a win-win situation.