Ransomware Readiness Index (RRI): A Proposal to Measure Current Preparedness and Progress Over Time
2021-09-27 - 3 minutes readBy Rebecca Spiewak.
With increasingly sophisticated threat actor tactics, an expansion of internet-connected services and assets, and a thriving anonymous digital currency ecosystem, the threat of ransomware both within the US and abroad remains significant. From healthcare firms to technology giants, local municipalities to energy infrastructure, high-profile ransomware attacks on these critical sectors has driven policymakers and industry leaders to prioritize this security issue. To help curb this threat, the Biden administration issued security controls guidance specific to ransomware in the Spring of 2021.
While protection against ransomware attacks comes in many forms – investment in new technologies, updating security practices, drafting new US policies – these solutions all require a similar foundation in an area that is lacking: namely accurate, plentiful and timely cybersecurity risk data. The secure data collection and computation capabilities provided by MIT CSAIL’s multi-party computation platform SCRAM (Secure Cyber Risk Aggregation and Measurement), first introduced last year, provides IPRI researchers the opportunity to develop and socialize meaningful metrics that track enterprise-wide progress against ransomware threats over time. This is the main driver for a new proposal for a Ransomware Readiness Index (RRI) that tracks the progress of organizations and municipalities in adopting ransomware-specific security controls.
What is the RRI, and how will the index be built?
The RRI will provide an aggregate view of organizational security readiness and risk in the context of ransomware. To create this view, controls data will be collected across a diverse set of public and private sector participants through SCRAM. To recap, SCRAM generates metrics in an aggregated fashion by performing computations on encrypted data collected from participating stakeholders. By using this platform, the data is completely anonymous, so participating organizations can remain at ease regarding the sensitive nature of the data.
In Phase 1, participating entities will be asked to rate their organization’s level of control maturity (i.e., adoption) across a specific set of ransomware-related controls. These controls were defined through an extensive independent review and analysis performed by MIT CSAIL policy and cybersecurity researchers, with a basis in the White House Executive Order (EO) and related White House Memo issued in Spring 2021. In Phase 2, participants will be asked to provide information on ransomware loss data, with a focus on ransom payments. Data will be tagged to enable the creation of sub-indices by sector, as well as other relevant enterprise attributes.
Below is a high-level depiction of the overall approach:
To build the first RRI, the upcoming Fall 2021 data collection effort will concentrate on municipalities. For more details on the RRI methodology and upcoming computations, we encourage you to check out our recently drafted Ransomware Readiness Index Working Paper the latest addition to the IPRI Working Paper Series.
For more information or to join an assessment/computation, contact scram@mit.edu.
Link to the Ransomware Readiness Index Working paper: https://dspace.mit.edu/handle/1721.1/132615
Tags: cybersecurity, measurement, ransomware