Font Size: A A A

Home > News > Interviews > Cyber and the metrics problem


Cyber and the metrics problem

The world is experiencing a massive growth in highly connected systems and infrastructures – ranging from smart cities to critical infrastructure such as financial systems, power grids, energy, water and manufacturing systems. So writes Professor Awais Rashid, Director of Security-Lancaster, which is Lancaster University’s research centre on security and protection science and one of the UK government’s recognised academic centres of excellence in cyber security research.

While this connectivity opens up a whole new space for innovative products and services, it also increases the attack surface of such systems, making them potentially vulnerable to cyber attacks. As a result cyber security is now a pervasive requirement, one that we cannot and must not ignore.

It is, therefore, important that decision-makers are able to effectively understand and respond to cyber security risks from a business continuity and recovery perspective in order to evaluate and prioritise their mitigation responses. However, doing so is far more complex than one may envisage. We lack any effective metrics for articulating cyber risk as business risk. Most metrics for articulating cyber risk tend to be rooted in technical measures. Though technical measures are important at a lower level of abstraction, they often bear little relationship to typical factors used in business risk analysis, such as business continuity, disaster recovery, cost, reputation, impact on resources, etc.

The problem is compounded by the fact that most metrics are ordinal – there is a propensity to derive a single numerical figure, which often results in masking or losing knowledge that is essential to business risk decision-making. Such tendency to over-simplify also makes it difficult nigh impossible to articulate the risk of second and third order business impacts, that is, across space and time. Furthermore, cyber security risks are not merely a technical issue. They often arise when technologies, people and organisational cultures intersect. Thus we must not only understand the technical factors but also the social and organisational factors shaping such risks and our responses to them.

We are tackling these issues within project MUMBA, funded by the Engineering and Physical Sciences Research Council as part of the Research Institute in Trustworthy Industrial Control Systems. While our focus is on cyber-physical infrastructures, the problem is not limited to such systems. Our modern digital economy relies on these connected systems and infrastructures. And we cannot hope to manage cyber security risks in such an environment effectively unless we tackle the challenges highlighted above.

For more articles by Prof Rashid visit


Related News