How do we do it?

The Survey Instrument

The survey itself will consist of a limited number of questions, focused on cybersecurity issues that matter to industry professionals, and repeated month after month. For the first run, the questions will be as follows. While we want the question set to be stable over the long run, some initial adjustments may be needed.

Each response will be one of five choices: falling fast, falling, static, rising, or rising fast.

  1. Attack Actors
    • Insider threat: In your view, the risk from malicious insiders (with both opportunity and motivation)
    • Strategic rivals: The likelihood that there exist attacks explicitly targeting economically valuable data within your organization
    • Activists/hacktivists: Your exposure to politically or ideologically motivated activity (whether local or abroad)
    • Criminals: The threat to your organization from criminally motivated attackers
    • Nation-states: The degree to which you are a target for nation-state actors
  2. Weapons
    • Botnets
    • Mass malware
    • Vulnerability exploitation
    • Phishing / social engineering
    • Attacks customized to your organization
  3. Effect desired by attackers
    • Data theft (Confidentiality)
    • Data modification (Integrity)
    • Business disruption (Availability)
  4. Attack targets
    • Web-facing applications
    • Internet-exposed devices and appliances
    • Endpoint desktops
    • Mobile devices
    • Public infrastructure you rely upon, including cloud
    • Third parties (counterparties, vendors, partners, etc.) who have rightful access to your data
    • Network-connected but autonomous devices (collectively known as the “Internet of Things”)
  5. Defenses
    • Vulnerability of available defenses to known threats
    • Vulnerability of available defenses to unknown threats

The Respondents

Survey research is often vulnerable to poorly chosen respondents. The respondents to this survey will be privately recruited industry practitioners with operational responsibilities for managing information security risks. It is critical that they have both skill and responsibility.

We are currently focusing the survey on:

  • Chief Risk Officers and their direct reports.
  • Chief Information Security Officers and their direct reports.
  • Selected academicians engaged in field work.
  • Selected security product vendors’ Chief Scientists or equivalent.

Survey responses will be collected electronically using a website. Respondents will be functionally anonymous, i.e., they will log in using credentials of their choosing and can be confident that their responses will not be associated with them in any public manner. Only the core project team will have access to the true names of the respondents, and that on paper only.

People with an interest in the subject matter of the index may request participation in the survey. Such requests will be evaluated by the core project team, which will allow participation only by people who have first-hand knowledge of the cybersecurity threats facing the industry.

Publication will commence when 100 respondents are in hand and active; the target survey population is 300.