Managing Cyber Risk with SCRAM, an Innovative Cryptographic Platform

2020-09-04

An increasingly large share of our society and economy depends on our ability to keep sensitive data secure and to defend information technology infrastructure. Despite this, measuring cybersecurity risk and determining which security measures actually prevent successful attacks is no easy task. The details of cyberattacks are often kept secret for a variety of reasons: disclosure could reveal sensitive information to competitors, invite litigation, or damage a firm's reputation. Unfortunately, criminals are the ones who benefit when information about cybercrime is withheld, because it lets them reuse previously successful methods on new, unsuspecting victims. Adding to the urgency is the fact that cyberattacks have been increasing over time.

It is this challenge that led Leo de Castro, Andrew W. Lo, Taylor Reynolds, Fransisca Susan, Vinod Vaikuntanathan, Daniel J. Weitzner, and Nicolas XY. Zhang to develop an innovative solution called SCRAM.


An Introduction to SCRAM

SCRAM (Secure Cyber Risk Aggregation and Measurement) is a cryptographic platform that allows multiple entities to compute aggregate cyber risk measures, all without requiring any entity to disclose its own sensitive data on cyberattacks, penetrations, and losses.

With SCRAM, firms don't need to trust a third party with their raw data; instead, a cryptographic protocol computes aggregate statistics while the underlying attack and loss data stays encrypted for every party, the server included. "The power of this platform is that it allows firms to contribute locked data that would otherwise be too sensitive or risky to share with a third party," says Reynolds.

In short, SCRAM works as follows:

  1. Each firm individually generates its own key pair, where each key pair contains a public encryption key and a private decryption key.
  2. All firms submit their public keys to the server.
  3. The server combines all firms’ public keys into a single joint/shared public key.
  4. This new joint/shared public key is distributed from the server to all firms.
  5. Each firm encrypts its private data using this new joint/shared public key, generating a ciphertext (an encrypted block of data).
  6. Each firm sends the ciphertext of its private data to the server. This ciphertext completely hides the firm’s data.
  7. The server runs computations directly on the encrypted data (for example, summing every firm's reported losses), producing an encrypted result of the computation.
  8. The server sends the encrypted result back to each firm.
  9. Each firm uses the private key it generated in Step 1 to partially decrypt the result.
  10. Each firm sends this partial decryption back to the server. Without the partial decryption pieces from all firms, the result remains completely hidden, so no subset of firms, and not the server, can recover it alone.
  11. The server combines the results of all the partial decryptions it receives from firms to produce the decrypted result that is then shared with all firms.
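The eleven steps above, walked through end to end as an added example (constructed here, not the SCRAM team's code). SCRAM is built on a lattice-based threshold homomorphic encryption scheme; this example substitutes exponential ElGamal over a safe-prime group because it has the same shape: individual public keys multiply into one joint key, encrypted values add by multiplying ciphertexts, and decryption needs a partial decryption from every key holder. The firm names, loss figures, and the `Firm`/`Server` class split are assumptions made for illustration; the small-range discrete log at the end is what makes the additive scheme decodable and limits the recoverable total to `max_total`.

```python
"""Toy walk-through of the SCRAM steps using exponential ElGamal as a stand-in
for SCRAM's lattice-based threshold scheme (constructed example, not SCRAM code)."""
import secrets
from functools import reduce

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """Return (p, q, g): p = 2q+1 a safe prime, g = 4 generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


class Firm:
    def __init__(self, name, group):
        self.name, (self.p, self.q, self.g) = name, group
        self.sk = secrets.randbelow(self.q - 1) + 1     # Step 1: private decryption key
        self.pk = pow(self.g, self.sk, self.p)          # Step 1: public encryption key

    def encrypt(self, joint_pk, loss):                   # Step 5: encrypt under the joint key
        r = secrets.randbelow(self.q - 1) + 1
        c1 = pow(self.g, r, self.p)
        c2 = pow(self.g, loss, self.p) * pow(joint_pk, r, self.p) % self.p
        return c1, c2

    def partial_decrypt(self, c1):                       # Step 9: remove this firm's key share
        return pow(c1, self.sk, self.p)


class Server:
    def __init__(self, group):
        self.p, self.q, self.g = group

    def joint_key(self, pks):                            # Step 3: product of all public keys
        return reduce(lambda a, b: a * b % self.p, pks, 1)

    def aggregate(self, cts):                            # Step 7: sum of losses, still encrypted
        c1 = reduce(lambda a, b: a * b % self.p, (c[0] for c in cts), 1)
        c2 = reduce(lambda a, b: a * b % self.p, (c[1] for c in cts), 1)
        return c1, c2

    def combine(self, c2, shares, max_total):            # Step 11: merge shares, recover g^sum
        blind = reduce(lambda a, b: a * b % self.p, shares, 1)
        g_sum = c2 * pow(blind, -1, self.p) % self.p
        acc = 1                                          # small-range discrete log of g_sum
        for total in range(max_total + 1):
            if acc == g_sum:
                return total
            acc = acc * self.g % self.p
        return None                                      # no plausible total: shares missing or bad


def run_round(losses: dict, drop_share_of=None, max_total=100_000):
    """One SCRAM round. losses maps firm name -> loss in USD '000 (constructed data).
    drop_share_of simulates a firm that never returns its partial decryption (Step 10)."""
    group = make_group()
    server = Server(group)
    firms = [Firm(name, group) for name in losses]
    joint_pk = server.joint_key([f.pk for f in firms])                          # Steps 2-4
    cts = [f.encrypt(joint_pk, losses[f.name]) for f in firms]                  # Steps 5-6
    c1, c2 = server.aggregate(cts)                                              # Step 7
    shares = [f.partial_decrypt(c1) for f in firms if f.name != drop_share_of]  # Steps 8-10
    return server.combine(c2, shares, max_total)                                # Step 11


if __name__ == "__main__":
    sample = {"FirmA": 1250, "FirmB": 80, "FirmC": 4100}   # constructed losses, USD '000
    print("aggregate loss:", run_round(sample))             # 5430
    print("one share withheld:", run_round(sample, drop_share_of="FirmB"))
```

The server only ever sees ciphertexts, the joint key, and the partial decryptions, and the partial decryptions reveal nothing about any single firm's input; with one share withheld the blinding factor does not cancel and `combine` finds no plausible total. The 64-bit group and brute-force decoding are demo-sized: a real deployment needs a production-strength scheme, and SCRAM's lattice-based construction also supports computations beyond the plain sum shown here.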

To try out SCRAM, the team invited seven large companies to contribute data on the cyberattacks they had suffered and on their individual network defenses. Studies like this give firms aggregate figures they could not otherwise obtain, letting them direct cybersecurity investment toward the defenses with the highest return. One of the findings from this initial study is shown below.

[Figure: results of an MIT SCRAM calculation on cyber risk incidents. Sum of Losses Across 49 Incidents, by CIS Control Category, in USD '000]

In addition to helping firms improve their cybersecurity defenses, the SCRAM team hopes that their work will help provide guidance to policymakers, regulators, and insurers, as well as show the data science community that firms can be willing to share sensitive information.
