ISA Mission

Collective Security Mission

“Combining technology, public policy, and economics to create a sustainable system of security” – ISA Mission

“the mission of this paper is to combine advanced technology with business economics and public policy to create a shared and sustainable cyber ecosystem that shifts the advantage to cyber defenders.”

“Simply altering the assessment and compliance process by moving it away from the “pass-fail” audit model to a more useful maturity model can create incentives without any demonstrable increase in government spending. And

if incentives do require increased funds, the government needs to realistically assess whether it is more appropriate to spend taxpayer money to promote the common cyber defense as opposed to hiding and off-loading costs on consumers.

There is adequate precedent for an incentive approach. We have market incentives deployed in multiple industry sectors—agriculture, aviation, ground transport, environment, and even physical security—to assist the private sector in reaching public-policy goals. We simply need to apply this creativity and will to cybersecurity.

For the incentives to be of value, they must be targeted to specific goals as economic models differ substantially from sector to sector. Incentives must also be powerful enough to affect investment decisions. This is another reason why the research such as pilot testing the NIST framework to develop metrics cost-effectiveness data advocated above are so important.

Although there may be some useful generic incentives (e.g., liability benefits or insurance discounts), a menu of incentives also needs to be developed as different incentives will be attractive to different industry sectors. – ISA Social Contract (p. 41)

“The broader economy and U.S. history have plenty of examples of, non-regulatory market incentives, many of which are at a low cost to government and have promoted important outcomes that would have been challenging on a purely commercial basis. Incentive models in varying forms exist in many industries and sectors including: agriculture, aviation, pharmaceuticals, transportation, and even physical security. Industry requests, that together with the help of the Federal Government, other creative, non-regulatory and cost-effective incentive concepts that may help close the gap between commercial and national security, be explored.”

“The new administration should engage in a multitiered program to bolster cyber law enforcement. More broadly, a review of legacy law-enforcement spending with an eye toward properly resourcing efforts to stop cybercrime is needed.

– ISA Social Contract (p. 29)

“Cybercrime (which research suggests costs up to $1 trillion annually) has a tremendous impact on our shared cybersecurity. While the government’s initial prioritization of national-level attention toward critical infrastructure protection was warranted to address existential risks, a substantially increased focus on other forms of cybercrime should now supplement those efforts.”

“Similarly, research on framework use could be modeled to demonstrate cost effectiveness. Being able to define what elements of the framework are cost effective for defined industry segments would provide a major boost for the voluntary nature of the framework. Companies will naturally deploy cost-effective measures. Being able to demonstrate such is in the public interest.

Finally, such research could identify framework elements that are effective in enhancing security but are perhaps not cost effective. These too would be valuable data as they would provide the president and Congress with an empirical guide for what needs to be incentivized (as is also called for in Executive Order 13636) and how strong the incentive must be to achieve implementation of proven successful security practice.” – ISA Social Contract (p. 31)

“Small organizations with limited funds and expertise find it difficult to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework), because of its lack of cost effectiveness and prioritization. Fortunately, the market has responded and several competing models have been developed (e.g., FAIR, X-Analytics, and BSI) that assist smaller entities in tailoring use of the Framework to their unique needs. The USG should build on the progress made by developing the Framework in a consensus effort focused on measuring its effectiveness and cost effectiveness.”

Money saved by these reductions can be rechanneled into future cost-benefit analysis of cybersecurity regulations so that funding from the agency perspective will be neutral.” – ISA Social Contract (p. 40)

“Regulatory Streamlining: Research undertaken by the USG found that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risk to critical systems and information.  With support of its industry partners, the USG is open to identifying federal regulations that are excessively burdensome, conflicting, or ineffective.”

“One critical issue industry and government have in common is the scarcity of cybersecurity resources. Especially while facing a vastly expanding threat, it is critical that industry and government use their scarce resources efficiently.”

“These competing pressures on corporate staff and business leaders mean that conscientious and comprehensive oversight at the board level is essential. As a result, managing and mitigating the impact of these aspects of cyber risk requires strategic thinking that goes beyond the IT department.” – NACD-ISA Director’s Handbook on Cyber-Risk Oversight (p. 4)

“Board members can and should play an active role in ensuring that their companies’ cybersecurity processes, policies, and practices stay fit-for-purpose as the nature of the threat continues to evolve. This requires directors to stay informed about cyber risks, integrate cyber issues into a wide range of boardroom discussions, set clear expectations with management, and ask tough questions when necessary. The director community is rising to that challenge.” – ISA Social Contract (p. 186)

“Innovations should expand beyond simply technological developments to include tools for training boards of directors, such as the National Association of Corporate Director’s Handbook on Cyber-Risk Oversight, an example of a successful partnership between industry and government.  Guidance documents can be adapted for training on cybersecurity for government agency leaders and general counsels, among others. A more collaborative partnership on technology development can foster implementation of more reliable tools for cyber defense and attribution.”

We need to reach kids where they are and integrate cybersecurity into what they want to do, not teach them what they ought to do. One neglected vehicle is the gaming community. Much as the government has reached out to IT companies in Silicon Valley, a similar collaboration should commence with game developers. Cybersecurity principles and techniques could be integrated into an activity young people easily gravitate toward.” – ISA Social Contract (p. 37)

“Further opportunities exist to promote cyber curriculums in environments that incentivize students to pursue and support national interests. We need an integrated, multifaceted and targeted program with research-based messaging to promote joining the cyber workforce.  Efforts should be cognizant of the overall perception of the career field and undertake creative approaches to incentivize new members to join the workforce.”

Fully utilizing these partnerships, but also identifying the gaps in needed collaboration to achieve our goals will be necessary to protect critical assets and to build creative new ideas. It is also imperative we enhance the existing frameworks and policies government and industry have established, by honing the most effective ways to work in partnership. All partnership entities should also leverage the best practices for public-private partnerships as agreed upon by DHS and the IT SCC, which were endorsed by the Partnership for Critical Infrastructure Security (PCIS).

“The interconnectedness of our society and our reliance on critical infrastructure to maintain our way of life has led to the formation of systemic risks within our country. We must be more aware of single points of failure, concentrated dependencies, and cross-cutting underlying functions.”