This Microsoft Security Intelligence Report (SIR) special edition white paper introduces a methodology Microsoft created to measure how non-technical cybersecurity public policy affects national cybersecurity efforts. Initial results of the research demonstrate the value of efforts to form more reliable risk reduction metrics in cyberspace.
Linking Cybersecurity Policy and Performance
Aaron Kleiner
Paul Nicholas
Kevin Sullivan
Microsoft Trustworthy Computing
2 Microsoft Corporation | Measuring the Impact of Policy on Global Cybersecurity
Authors
Aaron Kleiner, Microsoft Trustworthy Computing
Paul Nicholas, Microsoft Trustworthy Computing
Kevin Sullivan, Microsoft Trustworthy Computing
Contributors
Bruce Cowper, Microsoft Trustworthy Computing
Andrew Cushman, Microsoft Trustworthy Computing
Dave Forstrom, Microsoft Trustworthy Computing
Cristin Goodwin, Microsoft Trustworthy Computing
William Howerton, Good Harbor Security Risk Management
Jacob Olcott, Good Harbor Security Risk Management
Tim Rains, Microsoft Trustworthy Computing
Travis Scoles, Schireson Associates
Neil Shah, Schireson Associates
The Microsoft Malware Protection Center
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR
STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
This document is provided “as-is.” Information and views expressed in this document, including URL and other
Internet website references, may change without notice. You bear the risk of using it.
Copyright © 2013 Microsoft Corporation. All rights reserved.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Foreword
This special edition of the Microsoft Security Intelligence Report (SIR) was authored by Microsoft’s
Global and Security Strategy and Diplomacy (GSSD) team. GSSD works collaboratively with governments,
multilateral organizations, industry, and non-profit groups to enhance security across the
cyber ecosystem. Leveraging technical depth and public policy expertise, GSSD supports public and
private sector initiatives that promote trustworthy plans and policies, resilient operations, and
investments in innovation.
While Microsoft has long reported on the technical measures of cybersecurity through the SIR and
other sources of information, we have been looking to better understand the full environment that
leads to a given cybersecurity outcome. We believe that is dependent on a range of technical and
non-technical measures including use of modern technology, mature processes, user education, law
enforcement and public policies related to cyberspace. Each of these measures may contribute
directly or indirectly to the cyber security performance measures reported in the SIR.
This paper introduces a methodology for examining how the non-technical socio-economic factors
in a country or region impact cybersecurity performance. With this methodology we can build a
model we hope can help predict the expected cybersecurity performance of a given country or
region based on our observation of non-technical socio-economic data. From that prediction, we can
attempt to better understand the public policies that distinguish the performance of different
countries and regions.
We are excited by the initial results of our research that demonstrate significant differences in
security outcomes between countries that have, for example, signed or ratified the Council of Europe.
Both policy makers and technology experts face increasing demands for innovation and impact. It is
our hope that this work catalyzes additional research into the holistic factors impacting
cybersecurity around the world as well as a data-driven approach to policy making.
Paul Nicholas
Senior Director of Global Security Strategy and Diplomacy
Trustworthy Computing, Microsoft
Tim Rains
Director
Trustworthy Computing, Microsoft
Introduction
The world is in the midst of an unprecedented technological transition, characterized by growth in
the volume and diversity of people, devices, and data connected to the Internet. Across the globe,
billions of people are using information and communications technology (ICT) infrastructure to
conduct business, interact with governments and each other. The World Economic Forum recently
observed that “more than 70 percent of the world’s citizens live in societies that have just begun
their digitization journeys.”1 With so many people moving towards an increasingly digital lifestyle,
the world that emerges at the conclusion of this transition will likely be very different than the world
we know today.
Cybersecurity is critical for the success of the world’s digital future.2 Building a safer, more trusted
Internet nationally and internationally requires policymakers, business decision makers, and ICT
providers to collectively develop technical and policy solutions that will enable citizens, enterprises,
and governments to meet their computing objectives in a secure, private, and reliable manner.
Over the past decade, national policymakers and the international policy community have undertaken
a variety of initiatives that have been fundamental to establishing effective non-technical
cybersecurity public policy. As a company, Microsoft has participated in many of these initiatives
because we believe these efforts improve and enhance global cybersecurity. Through our participation,
we have come to appreciate and understand the difficulty that policymakers face when evaluating
the success of their initiatives designed to reduce cyber risks today and in the future.
Understanding whether certain policies can measurably reduce cyber risks at a national level is a
critical exercise for policymakers seeking effective solutions to these challenges. In this vein,
Microsoft set out to create a methodology to evaluate the impact of policy solutions on national
cybersecurity efforts. Using a reasonable statistical measurement for evaluating cybersecurity on a
national level, a framework was created to examine various factors that distinguish levels of
cybersecurity performance among countries and to identify whether adoption of certain policies or
strategic actions is related to cybersecurity performance.
The results of our analysis have implications for current and future policy initiatives. We found that
countries adopting or implementing certain policies, including international treaties like the Council
of Europe Convention on Cybercrime and voluntary codes of conduct like the London Action Plan,
are more likely to over-perform on a key cybersecurity metric compared to countries that have not
adopted the same policies. For policymakers seeking ways to improve national cybersecurity, these
policies represent activities that are likely to have a meaningful and measurable impact. While we
believe that these specific policy actions are critical steps for policymakers to consider when
addressing cybersecurity on a national level, the manner in which these policies were created and
adopted – through international partnership or joint public/private efforts – likely serves as an
important model for how successful cybersecurity policies might be created in the future.
Recognizing the limitations of our study, we nevertheless hope that this whitepaper adds value to
other efforts to form more reliable risk reduction metrics in cyberspace and serves as a useful tool
for national policymakers considering various approaches towards achieving greater cybersecurity.
1 http://www3.weforum.org/docs/Global_IT_Report_2012.pdf
2 Cybersecurity: Cornerstone of a Safe, Connected Society, http://aka.ms/TwC_Cyber_Paper
How We Measure Cybersecurity: Infected Computer Data
Today, a multitude of reports from antivirus vendors, security experts, networking providers and our
own Microsoft Security Intelligence Report (SIR) provide technical insight into the cybersecurity
problem. Technical reports are an important tool for understanding the pervasiveness of malicious
code on machines. Microsoft’s own technical measure of cybersecurity is derived from our
broad deployments of enterprise and consumer software products as well as global investments in
online services such as search engines and e-mail systems. Our results are based on findings from
our Malicious Software Removal Tool (MSRT), an anti-malware utility that checks Windows computers
for prevalent threats and helps remove any malware or infections found. Delivered primarily
through the Windows Update process, MSRT runs on more than 600 million devices per month.
This represents a large proportion of the global personal computer install base, making the results a
reasonable proxy for overall cybersecurity levels.
The MSRT evaluates the current level of malicious code infections on computer systems across the
globe. To produce a consistent measure of infection that can be used to compare different populations
of computers to each other over time, Microsoft reports infection rates using a metric called
computers cleaned per mille (thousand) or “CCM,” which represents the number of computers
cleaned for every 1,000 times that the Malicious Software Removal Tool (“MSRT”) is run. For example,
if the MSRT is run 50,000 times in a particular country/region in the first quarter of the year and
removes infections from 200 computers, the CCM for that country/region in the first quarter of the
year is 4.0 (200 ÷ 50,000 × 1,000). For the purposes of this analysis and paper we use CCM as a
proxy for cybersecurity performance. A higher CCM number indicates a higher incidence of malware
removed in a given geographical area, which we interpret as a lower level of cybersecurity
performance.3 Lower CCM numbers denote fewer malware removals and thus a higher level of
cybersecurity performance. Figure 1 illustrates the CCM number for countries/regions around the world in the
fourth quarter of 2011.4
3 Since Q1 of 2011, the CCM has been reported based on geographic location rather than the
administrator defined location. http://blogs.technet.com/b/security/archive/2011/11/15/determining-the-geolocation-of-systems-infected-with-malware.aspx
4 Microsoft Security Intelligence Report Volume 12: July - December 2011.
http://www.microsoft.com/security/sir/archive/default.aspx
Figure 1 - Infection rates by country/region in 4Q11, by CCM
CCM, like other technical cybersecurity metrics used in the industry, is an imperfect one. For
instance, CCM does not measure and report important cybersecurity outcomes, including actual
damage caused by infections. While we chose to use the CCM metric as an indicator of cybersecurity
for purposes of our study, we hope that industry, government, and academia continue developing
other useful metrics in order to create a more complete understanding of the impact of cyber
risk.
Identifying Relationships Between Cybersecurity and National-Level Factors
Microsoft began this research with an interest in understanding whether countries with similar CCM
metrics shared other “non-technical” traits. More than 80 national indicators or factors were
identified, including Gross Domestic Product (GDP), governance model, and broadband penetration rate.
We then applied statistical modeling techniques to identify patterns between the indicators and a
country or region’s cybersecurity risk profile as indicated by CCM. It was found that 34 of the 80
original indicators had a potential correlation with CCM.
In general, most of the indicators we identified were negatively correlated with CCM; as the
indicator rises, CCM will decrease. It is important to emphasize that these relationships demonstrate
correlative, not causal, relationships. For example, with respect to education, the data show that lower
CCM rates are related to the length of time that a country’s citizens spend in school. The chart
below contains a sample of our findings:
Table 1 - Sample Indicator Variables for Analysis5
Indicator Variable         Correlation with CCM
Computers Per Capita       -0.6
Gross Income Per Capita    -0.5
Rule of Law                -0.5
Demographic Instability    0.6
Secure Net Servers         -0.5
Broadband Penetration      -0.6
R&D Expenditure            -0.5
Facebook Usage             -0.3
Use of mobile devices      -0.3
Literacy Rate              -0.5
5 See Appendix for full list of sources and descriptions
Predicting Cybersecurity Performance
With an understanding of how certain national-level indicators correlate with CCM measurements,
we set out to build a model that predicts levels of cybersecurity performance based on these
national indicators. Building a predictive model enables policymakers to explore a series of potential
explanations for the disparity between actual and predicted CCM.
The graph below shows a scatter plot of the actual and expected cybersecurity performance of over
100 countries. We omitted the names of individual countries in this report because our intention is
to understand the drivers of cybersecurity performance rather than discuss the performance of any
individual country.
By identifying the underlying principles of certain policies that are correlated with
over-performance in cybersecurity, such as intergovernmental frameworks for cooperation and voluntary
codes of conduct, policymakers can develop future approaches that are more likely to be effective
in combating the evolving threats in cyberspace.
Figure 2 – Actual vs. Predicted Cybersecurity Performance per Country or Region
The elements of the graph include:
2011 Average CCM - Along the X-axis are the average quarterly CCM numbers reported in the SIR
for 2011.
Expected/Predicted CCM - Along the Y-axis, we report the predicted level of cybersecurity for
each country. This accounts for the variation among countries and gives us an expected/predicted
CCM number based on the 34 variables identified above.
Model Line - The diagonal line from the lower-left to the upper-right of the graph represents a
perfect fit of the model. If we were able to perfectly predict the levels of cybersecurity performance
for each country, each would fall on this line.
Since the model is not perfect, individual countries are on, above, or below the model line.
Countries above the line are considered to be out-performing the model. That is, their actual levels of
cybersecurity performance are better (lower CCM) than our model predicts based on the
non-technical indicators. Conversely, countries located below the line are under-performing the model.
Their actual levels of cybersecurity are worse (higher CCM) than our model had predicted.6
We then used latent class segmentation7 to classify each country into one of three clusters, based
on both their actual and predicted CCM. The end result is a model with three distinct clusters of
countries, which we call Maximizers, Aspirants, and Seekers.
6 Note on our methodology: We expect that countries’ positions on the chart will change over time as
both non-technical and technical conditions evolve. We also expect that CCM changes will be more
frequent and erratic, relative to some of the other indicator variables; this is based on past observations of
CCM fluctuating between quarters relatively more than other government indicators, such as GDP. For
this reason, we have chosen to model and report on annualized averages where possible, as this
minimizes potentially misleading data that is a direct result of quarterly fluctuation. In some cases, the
predicted CCM is extremely low, and potentially below 0, which cannot happen from a practical standpoint.
This is a result of using a linear regression model – the model cannot understand that the practical floor
for CCM is 0. Negative CCM results should be interpreted as a small positive number that is approaching
zero, from a real-world standpoint.
7 Vermunt, Jeroen K. and Jay Magidson. Latent Class Models for Classification.
In latent class segmentation, we create variables (known as latent variables), and assign each of the
countries to belong to one of those variables. The variables act to explain the variance between expected and
predicted CCM – countries with similar variance are grouped together. The optimal clustering model is
determined by maximizing the explainable difference, and is found by testing varying number of latent
variables (varying numbers of clusters) and varying combinations of countries included in each cluster.
Strength of Our Predictive Model
The strength of this model is expressed by the term R², which explains how much of the
predicted value can be explained by the regression formula. Generally, ranging from 0
to 1, an R² of 0 would indicate no predictive power, 0.1-.03 weak prediction, 0.4-0.6
moderate prediction and 0.7-1 strong prediction. Our model has an R² of 0.68,
moderate predictive ability. While purely scientific studies may strive for R² values of .9 or
above, we consider our model to be a good starting point for this discussion.
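The regression-and-residual reading described above, as an added example that is not part of the white paper: it fits an ordinary least-squares model to constructed data for six hypothetical countries with two indicators (not the paper's 34 variables or its data), computes R², floors a negative prediction at zero as footnote 6 describes, and labels each country by how its actual CCM compares with the prediction. The fixed residual tolerance is an assumption made here for illustration; it stands in for, and does not implement, the latent class segmentation the paper used.

```python
"""Added illustration on constructed data; not the paper's dataset or model."""
from statistics import mean


def ccm(computers_cleaned, msrt_executions):
    """Computers cleaned per 1,000 MSRT executions (the paper's metric)."""
    return computers_cleaned * 1000 / msrt_executions


def solve(a, b):
    """Solve the linear system a.x = b by Gauss-Jordan elimination."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        # Partial pivoting keeps the elimination numerically stable.
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ols(rows, y):
    """Least-squares coefficients (intercept first) via the normal equations."""
    x = [[1.0] + list(r) for r in rows]
    k = len(x[0])
    xtx = [[sum(xi[i] * xi[j] for xi in x) for j in range(k)] for i in range(k)]
    xty = [sum(xi[i] * yi for xi, yi in zip(x, y)) for i in range(k)]
    return solve(xtx, xty)


def predict(coef, row):
    """Raw linear prediction; it can fall below zero."""
    return coef[0] + sum(c * v for c, v in zip(coef[1:], row))


def reported_ccm(predicted):
    """Footnote 6: a negative prediction is read as a CCM approaching zero."""
    return max(0.0, predicted)


def r_squared(actual, predicted):
    """Share of the variance in actual CCM explained by the fitted model."""
    ybar = mean(actual)
    ss_res = sum((a - p) ** 2 for a, p in zip(actual, predicted))
    ss_tot = sum((a - ybar) ** 2 for a in actual)
    return 1 - ss_res / ss_tot


def relative_performance(actual, predicted, tolerance=1.5):
    """Lower actual CCM than predicted means out-performing the model.

    The tolerance band is a hypothetical simplification, not the paper's
    latent class segmentation.
    """
    if actual < predicted - tolerance:
        return "out-performing"
    if actual > predicted + tolerance:
        return "under-performing"
    return "on par"


# Constructed sample, one tuple per hypothetical country:
# (broadband subscriptions per 100 people, literacy rate in percent)
INDICATORS = [(10, 60), (10, 70), (20, 80), (20, 75), (30, 90), (30, 90)]
ACTUAL_CCM = [17, 13, 10, 7, 3, 1]  # constructed annual average CCM values


def analyse():
    """Fit the model, then compare every country with its own prediction."""
    coef = fit_ols(INDICATORS, ACTUAL_CCM)
    predicted = [predict(coef, row) for row in INDICATORS]
    labels = [relative_performance(a, p)
              for a, p in zip(ACTUAL_CCM, predicted)]
    return coef, predicted, r_squared(ACTUAL_CCM, predicted), labels


if __name__ == "__main__":
    coef, predicted, r2, labels = analyse()
    print("coefficients:", [round(c, 3) for c in coef])
    print("R^2:", round(r2, 3))
    for actual, pred, label in zip(ACTUAL_CCM, predicted, labels):
        print(f"actual={actual:5.1f} predicted={pred:5.1f} {label}")
    # A country outside the sample with very high indicator values.
    raw = predict(coef, (40, 99))
    print("raw prediction:", round(raw, 2), "reported:", reported_ccm(raw))
```

Both indicators carry negative coefficients in this constructed fit, matching the direction of the correlations in Table 1, which is why a country with very high indicator values can receive a raw prediction below zero.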
Figure 3 – Cluster Analysis of Cybersecurity Performance
Maximizers: Maximizers are countries with more effective cybersecurity capabilities and
out-perform the model. This cluster has a moderate level of predicted cybersecurity, but relatively, it
has the best cybersecurity performance of all clusters. This over-performance of the model is the
defining attribute of the cluster. Within the countries that comprise the cluster, we see that they
often have better performance in key indicator variables (as defined by CHAID analysis8, which
determines the strength of relationship between predictor variables and cluster membership),
including personal computers in use per capita, health expenditure per capita, regime stability, and
broadband penetration. Maximizers include a relatively high percentage of European countries.
8 G. V. Kass, An Exploratory Technique for Investigating Large Quantities of Categorical Data,
Journal of the Royal Statistical Society. Series C (Applied Statistics), Vol. 29, No. 2 (1980), pp. 119-127.
Published by: Wiley for the Royal Statistical Society.
Article Stable URL: http://www.jstor.org/stable/2986296
Aspirants: Aspirants are countries who are on a par with the model and are still developing
cybersecurity capabilities. This cluster has a moderate level of predicted cybersecurity, and in
reality it performs on par with those predictions. This predictability of cybersecurity performance is the
defining attribute of the cluster. Of all three clusters, Aspirants is also the largest. Within the
countries that comprise the cluster, we see that they often have average to above average performance
in key indicator variables, including broadband speed, secure Internet servers per capita, R&D
expenditure, and consumer telecommunications expenditure. Countries from around the world
comprise the Aspirants cluster, but it contains a slightly higher percentage of Latin American/Caribbean
nations than others.
Seekers: Seekers are countries with higher cybersecurity risk who underperform on model
expectations. While this cluster has a moderate to low level of predicted cybersecurity, in reality it
has a low level of cybersecurity, as measured by high CCM. As such, Seekers underperform with
regard to their cybersecurity potential. Of the three, the Seekers cluster is the smallest. The
countries that comprise the cluster often perform poorly in key indicator variables, including literacy,
offences (crime) per capita, broadband speed, and broadband penetration. Compared to the key
attributes of Aspirants, we see that Seekers may be less likely to invest in technological
infrastructure development. Countries from around the world comprise the Seekers cluster, but it contains a
higher percentage of Middle Eastern/African nations than the others.
Figure 4 – Geographic Distribution of Cluster Members
Impact of Cybersecurity Policies on National Performance
Why do countries with similar predicted CCM perform so differently on actual CCM? In other words,
if our model already accounts for key differences between countries (GDP, broadband penetration,
rule of law, etc.), why does the actual CCM number vary so much? We hypothesized that this
discrepancy can be partially attributed to policies and programs implemented by the country to limit
cybersecurity risk. We believe that these factors can help to explain part of the difference between
predicted and actual performance.
Evolution of Cyber Policy
Over the last decade, national policymakers have considered myriad cybersecurity policies of varying
focus, size, scope, intent, and budget. The growth of Internet users and new threat actors
helped spur international dialogue around cybersecurity, which resulted in the development of the
Council of Europe Convention on Cybercrime in 2001. The Convention on Cybercrime created the
first-ever international treaty aimed at cybersecurity issues, and it has since been ratified by 37
countries.
As spam, phishing, and spyware began to merge to create substantial threats to large enterprises,
the formation of new public/private partnerships became necessary. For instance, in response to
growing international pressure to contain the malware problem, government agencies from 27
countries convened in October 2004 to form the London Action Plan. The Plan was created to
“promote international spam enforcement cooperation and address spam related problems, such as
online fraud and deception, phishing, and dissemination of viruses.”9 The Plan also created a
voluntary code of conduct for private companies in order to elicit greater spam enforcement
cooperation.
Policymakers must also consider the growing theft of intellectual property and rising rates of
software piracy. Though actual financial costs are impossible to gauge, the theft of intellectual property
through cyber means is thought to be in the multi-billions per year, a number that has only grown
over time. The decade witnessed soaring piracy rates that inflicted significant economic damage on
companies. In 2003 the commercial value of the pirated software market was $28.8 billion;10 by
2011 the figure had increased to $63.4 billion. High piracy rates were particularly fueled by PC
shipments to emerging economies where piracy rates are highest.11 Software piracy also directly
impacts indicators such as CCM where in the first half of 2012, the most commonly detected
malware globally was typically bundled with counterfeit software.12
National cybersecurity strategies evolved throughout the decade, incorporating elements of
resiliency and reciprocity, and also the role of militaries. For example, in 2006 the U.S. Department of
Homeland Security and the private sector jointly developed sector specific plans focused on risk
management and resiliency of critical functions. Cyber attacks on Estonia in 2007 led the European
Union to create a new public/private partnership designed to enhance preparedness, security, and
resilience. Sophisticated attacks against the U.S. government resulted in the creation of the
Comprehensive National Cybersecurity Initiative (CNCI) in 2008, an effort representing a significant
increase in policy, operational, and financial commitments that spanned the whole of government. As
attacks continued, militaries increasingly looked to develop specific military doctrines, policy
statements or military strategies related to cyberspace. By 2011, 33 countries had done so.13
9 http://londonactionplan.org/the-london-action-plan/
10 http://www.bsa.org/country/Research%20and%20Statistics/~/media/5536D2D93FA746E69CBC12ECBCE0F319.ashx
11 http://portal.bsa.org/globalpiracy2011/downloads/study_pdf/2011_BSA_Piracy_Study-InBrief.pdf
12 http://www.microsoft.com/security/sir/story/default.aspx#!unsecure_distribution
Identifying Policies that Correlate with Cybersecurity Performance
How are these and other policies related to a country’s cybersecurity performance? To test our
theory about the role of policy in cybersecurity, we distilled the variety of types of cybersecurity
policies into certain initiatives that can be measured by a binary rather than a substantive evaluation.
For example, we queried whether a country was a signatory of the Council of Europe Convention on
Cybercrime, but did not further evaluate the extent or effect of the policies that a country adopted
in order to implement the treaty. Additionally, we considered whether or not a country had
developed a military cyber defense strategy, but did not evaluate the robustness of the strategy.
Furthermore, in order to expand the data set, we evaluated policies adopted in a statistically significant
number of countries and regions.
We initially identified four policy factors that satisfy these criteria and ran them against our model:
Policy Factor                         Maximizers   Aspirants   Seekers
Piracy                                42%          62%         68%
London Action Plan Membership         46%          20%         10%
COE Convention on Cybercrime          51%          17%         7%
Defense Strategy for Cybersecurity    51%          15%         21%
Table 2 - Impact of Policy upon Cybersecurity Performance
Council of Europe Cybercrime Treaty
We found the Council of Europe Convention on Cybercrime (COE) to be one of the strongest
accelerators of cybersecurity for the countries in our survey. The COE is an international treaty that aims
to create a common policy environment for cybercrime, to provide the legal powers necessary to
effectively investigate and prosecute cybercrime offenses, and to establish methods of international
cooperation that can help match the speed of cybercrimes.
Fifty-one percent of the countries in the Maximizer (over-performing/low-CCM) cluster had either
signed or ratified the treaty. While the COE rates and relative CCM performance relationship may
not be causal, there is a clear link between CCM performance, relative to expectations, and COE
accession. Interestingly, we noticed a declining trend of COE accession in countries with higher
CCM scores relative to predictions.
London Action Plan
Membership in the London Action Plan is also an indicator of over-performance in cybersecurity,
significantly distinguishing the low-CCM cluster from the other two clusters. The London Action
Plan aims to promote international cooperation in addressing spam, online fraud, and malware.9
Rather than create new legally binding obligations for members, the Plan outlines activities for both
public and private sector participants to fight spam, fostering better cooperation between
organizations in order to defend against cyber threats.
13 James A. Lewis and Katrina Timlin, Center for Strategic and International Studies, Cybersecurity and
Cyberwar: Preliminary Assessment of National doctrine and Organization, in Resources: Ideas for Peace
and Security (U.N. Inst. for Disarmament Research, 2011), http://www.unidir.org/pdf/ouvrages/pdf-1-92-9045-011-J-en.pdf.
Forty-six percent of the over-performing cluster’s countries are members of the London Action
Plan. Also similar to the COE signatory trends, membership in the London Action Plan is linked with
CCM performance, relative to expectations. As with COE signatory rates, there exists an implied
relationship between membership in the London Action Plan and relative cybersecurity. While the
relationship between CCM performance and the London Action Plan may not be causal, we can
definitively say that membership in the London Action Plan would be part of a profile for a country
that has relatively good cybersecurity.
Military Cyber Defense Strategy
Military cyber defense strategy differs from London Action Plan membership and COE Signatory
status in that it does not trend with relative CCM performance. As Table 2 shows, countries with
publicly acknowledged military cyber defense strategies comprise fifty-one percent of the
low-CCM cluster. However, twenty-one percent of the high-CCM underperforming cluster also had
military cyber strategies. We also examined the countries with civil cyber strategies but found no clear
relationship with cluster membership; countries with only civil cyber strategies were equally likely to
be in any one of the three clusters.
It is possible that future analysis will show a correlation between military cyber defense strategies
and cybersecurity performance. Many military strategies are still in their formative phases, having
been created in the past few years, and it can take time for the impact of new policies and
capabilities to be fully observed. As more countries around the world adopt both military and civil based
cyber defense strategies it will be worth watching to see if there is a notable difference in their
security outcomes.
Piracy Rate
Though we did not evaluate individual policy approaches towards reducing piracy, the average
piracy rate of countries in the low-CCM cluster was drastically lower than the other clusters. The
implications of this observation are complex. Countries that do a better job managing cybersecurity
may also do a better job mitigating piracy, or countries with higher piracy rates may have a more
difficult time containing malware and other cyber threats. This is a topic for further research, but we
found the relationship between piracy rates and CCM scores compelling enough to highlight here.
As opposed to the other profiling factors discussed above, piracy rate is an outcome rather than a
policy tool. However, this does show the potential benefit of protecting intellectual property as
higher rates of piracy are positively correlated with higher CCM. This is unsurprising, as pirated
software poses a serious security risk to its users. A 2008 study by the Harrison Group found that
companies that used unlicensed software were seventy-three percent more likely than those
companies that use fully licensed software to experience loss or damage of sensitive data, and were 43
percent more likely to suffer critical computer failures.14
14 http://go.microsoft.com/fwlink/?LinkId=143927
Summary of Quantitative Analysis
The goal of our quantitative research was to gain a clearer understanding of what factors
distinguish cybersecurity performance among countries, and whether any relationship exists between
certain national cybersecurity policies and a country’s cybersecurity performance.
We applied various statistical tools and models to freely available predictor data with the intention
of taking country-level developmental markers and predicting cybersecurity performance.15 The
result was a model that predicts CCM based on a set of 34 predictor variables. This model also
provided greater insight into the relationship between predicted and actual cybersecurity performance.
We did this by taking the model predictions to create another model that clustered countries into
one of three groupings. By profiling those groupings, we assessed a link between cybersecurity
performance and key government policies.
This research also resulted in the identification of specific markers that can not only signal above
average cybersecurity performance, but can also signal countries that have better cybersecurity
performance than we would expect, given attributes that are not necessarily easily controlled, such
as GDP. Specifically, those countries that sign the Council of Europe Cybercrime treaty and/or the
London Action Plan are more likely to outperform a predictive model of cybersecurity performance.
15 For a more detailed description of methodology, refer to Appendix
Evolving Policy Initiatives for
Future Impact
Having identified a correlation between certain policy tools and national cybersecurity performance,
policymakers may wish to focus their attention on adopting or evolving these types of tools to ad-
dress future challenges. Policy developments in the previous decade sought to lay a foundation to
build a more connected society and promote e-commerce. The next decade will focus on the security
and protection of that infrastructure, both domestic and international, in order to continue to
grow.
Figure 5 - Progression of Cybersecurity Policy
As policymakers consider future initiatives designed to impact national cybersecurity, it will be im-
portant to draw lessons from the policy discussions of the previous decade. Policymakers should
pay particular attention to the lessons from policies that this study identifies as having a positive
correlation with national cybersecurity, such as the Council of Europe Convention on Cybercrime and the
London Action Plan. As a participant in some of these initiatives, our company has observed
firsthand the reasons for their effectiveness, and offers the following impressions:
Evolving Context for Cybersecurity Policy: New Demographics of Global In-
ternet Users
In considering cybersecurity policy initiatives, it is important for policymakers to consider the global
demographics of Internet users. During the creation of many of the initiatives noted above, such as
the Council of Europe Convention on Cybercrime and the London Action Plan, Internet users were
largely concentrated in North America and Western Europe. Because of this and other factors,
countries in those regions took leading roles in developing and leading global cybersecurity policy
initiatives.
However, in coming years, shifts in Internet user demographics will create new centers of gravity in
the global online population. As demonstrated in the data visualization (figure 6), which shows a
map of the world in 2020 with countries sized by their relative population of Internet users and col-
ored according to the total number of Internet users relative to their population, countries such as
China, India, Nigeria, and other emerging economies will be home to the bulk of global Internet
users.
Figure 6 - Projected Distribution of Global Internet Users in 2020 (see footnote 16)
This shift in demographics does not mean that these new centers of gravity will necessarily drive
policy initiatives, but it does mean that global-scale initiatives – as well as some regional and na-
tional-level initiatives – will need to be responsive to these emerging demographic changes. More
than ever, policymakers will have to consider the unique and diverse perspectives that different
countries bring to cybersecurity while maintaining currently established policy frameworks that
have proven key to promoting the growth of the global ICT industry.
International Treaties (e.g., Council of Europe Convention on Cybercrime)
Though international treaties are difficult to develop and enact, the Council of Europe Convention
on Cybercrime (COE) has had a strong and positive impact on global initiatives to combat cybercrime.
In essence, the COE has succeeded because it has helped to spur governments to enact
cybercrime legislation domestically and work to combat international cybercrime, and because it focuses on
problems of cross-jurisdictional importance that serve the interests of many states rather than few.
Though there is clearly contention among nations regarding the need for new international treaties
related to cybersecurity, these principles — of establishing enabling mechanisms for intergovern-
mental action and advancing the interests of a large number of nations — should guide any future
treaty with significant relationship to cyberspace.
In the future, as noted below, increased participation from countries with growing user populations,
as well as private industry, will be critical. The emerging centers of gravity must play a constructive
and credible role in creating and promoting global agreement on mechanisms to enable security in
cyberspace in the future. Participation from the private sector is also important in articulating effec-
tive and practicable cybersecurity mechanisms. As governments engage in the emerging discus-
sions for developing norms and rules of behavior in cyberspace, they should incorporate the input
of the private sector, as industry plays a critical role in carrying out many cybersecurity policies once
articulated.
16 Please see Appendix C for this map-style data visualization, which includes an explanation of the rela-
tive sizing and coloring of countries. Additionally, Appendix C includes similar data visualizations for a
subset of countries during the years 2000, 2005, 2010, and 2015, to demonstrate the growth of Internet
user populations.
Voluntary Codes of Conduct (e.g., London Action Plan)
As the global ICT industry continues to grow, so will the importance of voluntary and affirmative
programs to tackle cybersecurity challenges. As an example of such efforts, the London Action Plan
is instructive for two reasons. First, it demonstrates that when governments collaborate to articu-
late common principles and commit to cooperative action to promote cybersecurity, it creates an
environment that encourages industry to support such principles and actions. Second, the volun-
tary and affirmative approach allows for multi-stakeholder engagement and input. The resulting
bottom-up approach creates an effective framework for resolving some of the most vexing cyber-
security challenges, such as spam and botnets, which are likely to continue to pose a threat in the
future. More recently, voluntary codes of conduct for ISPs to help address botnet threats have been
developed in both Australia and the United States.
Given the sheer size and complexity of the globally distributed ICT industry, policymakers should
consider voluntary codes of conduct that allow for participation by industry from development to
implementation when addressing future cybersecurity policy challenges. As our model shows, there
is a correlation between the London Action Plan and cybersecurity performance, demonstrating the
quantitative impact of voluntary codes and their value for policymakers.
Military Defensive Strategies for Cybersecurity
Among the policy tools considered in our model, military defensive strategies for cybersecurity are
the most unpredictable at this stage in terms of their relation to overall cybersecurity, and will
continue to be in the future. As our model demonstrated, whether or not a country has a defense
strategy for cybersecurity is not a strong predictor of its cybersecurity performance. However,
the expression of military doctrines for cyberspace is a novel and ongoing development. Therefore,
we believe that their quantitative impact is less meaningful than their qualitative impact. Currently, the
increased role of defense authorities in cybersecurity is viewed as a potentially destabilizing force,
with many public and private entities questioning whether and how defense authority engagement
in cyberspace should be managed.
The fact remains that defense authorities will engage in cyberspace and we believe that this en-
gagement will occur in at least three forms. First, relying upon security-focused arguments, defense
authorities will leverage non-tariff barriers to trade to prevent or limit civil market access for ICT
vendors from countries perceived as distrusted. Second, again leveraging security-focused argu-
ments, defense authorities will similarly restrict their government procurement choices to favor
products and services from domestic and other trusted sources. Third, there is the prospect of ac-
tual military conflict in cyberspace, which may involve attacks upon critical trust mechanisms of the
Internet, such as security update services or network infrastructure, as has already occurred.
As policymakers face these challenges, the concept of reciprocity must drive decision-making. En-
acting restrictive trade policies can have a domino effect, sparking retaliation by other governments
and thereby undermining the globally distributed nature of the ICT industry and its benefits. Reci-
procity is an even greater consideration in the arena of conflict or warfare, as actions by one gov-
ernment can quickly escalate and cause unintended consequences and retaliatory actions by other
governments. Therefore, policymakers must be vigilant when considering the second- and third-
order implications of their actions in developing defense and military strategies, and seek to pro-
mote balanced standards based around technology neutral practices.
Cross-Domain Alignment (e.g., antipiracy strategies)
Because of the technical nature of many cybersecurity tools, policymakers sometimes fail to consid-
er the importance of leveraging mechanisms that cross legal, policy, and technology domains to
accomplish desired outcomes. For example, effective antipiracy work requires a mix of legal, public
policy, and technology mechanisms, all of which involve public and private sector engagement.
Looking back to the start of global antipiracy efforts, governments and industry engaged to fight
piracy, to protect intellectual property and to preserve their economic interests. These efforts
realized benefits that extended beyond the immediate goal of limiting financial losses associated with
piracy: by removing illegitimate products that often included reduced security features,
governments also reduced their overall level of cybersecurity risk.
Looking forward, policymakers should focus on similar alignment of legal, public policy, and tech-
nology mechanisms to reduce cybersecurity risk, whether risk management is a primary, secondary,
or attendant benefit. At present, there are many technology tools to address cybersecurity risk in
the private sector, but there is a relative dearth of legal and public policy initiatives to support
them. While this is only one example, the challenge of cultivating an ecosystem for trusted identity
on the Internet speaks to the need for cross-domain alignment. As our model shows, there is a
correlation between reduced piracy rates and cybersecurity performance, demonstrating the
quantitative impact of such cross-domain alignment efforts and their value for policymakers.
Conclusion
Though it is hard to predict exactly what the digital world will look like in the decades ahead, strong
cybersecurity will be critical to its successful existence. Policymakers around the globe are faced
with the difficult challenge of creating policies that positively impact their national cybersecurity.
Knowing which types of initiatives have the greatest positive impact on cybersecurity will allow poli-
cymakers to make informed, results-based policy decisions.
In reviewing qualitative and quantitative impacts on national cybersecurity, this paper seeks to
place policy decisions alongside a framework of technical and demographic projections to create a
view of what the future environment for policymaking could look like. By identifying the underlying
principles of certain policies that are correlated with over-performance in cybersecurity, such as
intergovernmental frameworks for cooperation and voluntary codes of conduct, policymakers can
develop future approaches that are more likely to be effective in combating the evolving threats in
cyberspace.
To meet our future security challenges in cyberspace, Microsoft urges governments to participate in
a broader dialogue on normative standards to better protect citizens on the Internet that includes
perspectives from the ICT industry. This process develops rules of behavior in cyberspace that can
reduce threats, increases confidence and trust, and helps improve security of the cyber ecosystem
at the international level. As discussed in this paper, CCM is a rough approximation of the attack
surface for a particular country or region. Industry and governments can work in partnership to
reduce this attack surface and make the computing infrastructure less susceptible to attack and
compromise.
Appendix A: Methodology
In order to test the predictability of CCM given non-technical measures, we used linear regression
modeling. A regression analysis allows us to build a model that shows the predicted impact on CCM
as the various indicator variables (such as GDP, Computers Per Capita, etc.) fluctuate. By solving for a
universal starting point (known in regression analysis as the constant), we then were able to use the
model to predict CCM at the country level, with differences in predicted CCM across countries being
driven by differences in the indicator variables (e.g., given the GDP Per Capita, Computers Per Capita,
etc., we can predict CCM).
There are several existing approaches to regression modeling, each with its own set of advantages.
The type of analysis we utilized to build the model was Correlated Component Regression (CCR).
CCR modeling differs from other regression techniques in that instead of constructing a relationship
between the dependent variable (in this case CCM) and the individual predictors (in this case, the
indicator variables), CCR constructs relationships between the dependent variable and a number of
components – components being latent variables created by the model. Each component consists
of the total number of predictor variables included in the model (GDP, etc.), but the weighting of
each of those predictors varies from component to component (a similar concept to principal com-
ponent analysis). As a result, some components may be more heavily representative of particular
indicators, such as GDP, while other components are more heavily representative of other indicators,
such as Facebook or IE6 usage. We chose to use CCR modeling because it offers an advantage over
other techniques, in that it reduces potential error created by datasets that have a large number of
correlated predictors (such as computers per capita and % of population with an Internet connected
computer), relative to data points – which was beneficial to this dataset, given that we used 34 pre-
dictors to predict CCM, based on 106 countries/regions.
The first stage of analysis was a step down analysis, designed to identify those indicators that are
most important to the model. By using step down analysis, we were able to reduce the number of
indicators from 80 to 34. In this case, step down analysis was run by creating a model with all
indicators, identifying the 1% of indicators that were least important to the model and removing those
variables from the model. This process was repeated until the model with the best fit was
identified.
When identifying the model of best fit, we used a methodology commonly known as cross valida-
tion. The reason we did this was to measure not only how well our model could predict the data we
fed into it (the 106 locations’ predictor variable data), but also how well it could predict random data
(e.g. how well it could predict CCM performance for countries/regions that we aren’t testing). Cross
validation, commonly known as K-Fold cross validation, works by using pieces of the dataset to test
results. In cross validation, we divide the data into an equal number (represented by the variable K)
of ‘folds’ of random cases, and then apply the model to see how well K-1 folds predict the final fold.
In this analysis, K=10. In simpler terms, we would repeatedly randomly test how well 90% of the data
predicted the final 10% to determine fit. We used this methodology to optimize the model tuning
parameters (number of components and predictor variables), as well as to identify the model of best
fit.
As the final step, we ran a cross-validated 5 component model. The results were interpreted in the
same way as other regressions – each predictor coefficient determined impact on CCM. Coefficients
may not have been directionally consistent with correlations; this is because some of the predictor
variables in the model help explain otherwise unexplainable variance in other predictor variables, as
opposed to directly predicting CCM. These types of variables are commonly known as suppressor
variables, since they suppress otherwise inherent error in some of the predictor variables included in
the model, and help to improve overall model accuracy. As a result, the accuracy of the model lies in
the overall prediction in aggregate, and not the direct relationship with any specific indicator.
Appendix B: Data Sources
| Indicator | Correlation with CCM | Description | Year | Source |
|---|---|---|---|---|
| 5yr Growth | 0 | 5-year average GDP per capita growth (% annual) | 2008 | World Development Indicators |
| Broadband Penetration | -0.6 | Fixed broadband connections per 100 people | 2010 | International Telecommunication Union |
| Broadband Speed | -0.3 | The contracted capacity of international connections between countries for transmitting Internet traffic | 2008 | World Development Indicators |
| Computers Per Capita | -0.6 | Percent of households who own a personal computer | 2010 | Euromonitor International |
| Corruption | -0.5 | Corruption perceptions index relates to perceptions of the degree of corruption as seen by business people and country analysts, and ranges between 10 (highly clean) and 0 (highly corrupt). | 2010 | Transparency International |
| Demographic Instability | 0.6 | Pressures on the population such as disease and natural disasters that makes it difficult for the government to protect its citizens or demonstrate lack of capacity or will. | 2009 | Failed States Index |
| Facebook Usage | -0.3 | Number of Facebook users | 2011 | Socialbakers.com |
| Foreign Direct Investment Size / Volatility | 0 | Foreign direct investment is net inflows of investment to acquire a lasting management interest in an enterprise operating in an economy other than that of the investor. Adjusted by the moving average volatility. | 2008 | World Development Indicators |
| GDP Per Capita | -0.3 | Gross domestic product per capita, current prices | 2011 | International Monetary Fund |
| Government Type | -0.4 | The extent to which a society is autocratic or democratic. | 2008 | Polity IV |
| Gross Income Per Capita | -0.5 | Income before taxes from all sources. | 2010 | Euromonitor International |
| Health Expenditure Per Person | -0.6 | Health expenditure per capita with external aid | 2006 | World Health Organization |
| Hi-tech Exports | -0.3 | High-tech exports as a percentage of manufactured exports. | 2008 | World Development Indicators |
| ICT Exports | -0.2 | Information and Communication Technology exports as a percentage of total goods exports. | 2008 | World Development Indicators |
| IE6 Usage | -0.2 | Internet Explorer 6 usage share | 2011 | Microsoft |
| Immunization to Measles | -0.2 | Rate of Immunization Against Measles. | 2008 | World Development Indicators |
| Life Expectancy | -0.4 | Life Expectancy at Birth | 2010 | Euromonitor International |
| Literacy Rate | -0.5 | Adult Literacy Rate | 2010 | Euromonitor International |
| Market Size | -0.6 | Domestic consumption plus country exports minus country imports. | 2008 | World Development Indicators |
| Offenses | -0.5 | Number of offences per 100,000 people. Offence refers to any act which is punishable under law. The number includes both criminal and administrative offences. | 2010 | Euromonitor International |
| Ownership of Networked PC | -0.4 | Percent of households with a broadband internet connection via home computer. | 2010 | Euromonitor International |
| Productivity | -0.4 | Refers to labor productivity, i.e. output of goods and services in the economy per employed person | 2010 | Euromonitor International |
| R&D Expenditure | -0.5 | Expenditures for research and development are current and capital expenditures (both public and private) on creative work undertaken systematically to increase knowledge, including knowledge of humanity, culture, and society, and the use of knowledge for new applications. | 2008 | World Development Indicators |
| Regime Stability | -0.4 | The number of years since the most recent regime change. | 2008 | Polity IV |
| Regulation | -0.5 | Measures the extent of regulation within the business sector. It captures general regulation with respect to investment and competition. | 2008 | World Bank Governance Indicators |
| Royalty Receipts | -0.4 | Royalty and license fees are payments and receipts between residents and non-residents for the authorized use of intangible, non-produced, non-financial assets and proprietary rights. | 2008 | World Development Indicators |
| Rule of Law | -0.5 | The extent to which individuals within a society respect property rights, the police and the judiciary system, as well the quality of police and legal safeguards | 2008 | World Bank Governance Indicators |
| Savings | -0.3 | Gross Domestic Savings. | 2008 | World Development Indicators |
| School Leaving Age | -0.4 | Refers to the leaving age of compulsory education. | 2010 | Euromonitor International |
| Secure Net Servers | -0.5 | Secure Internet servers per one million people. | 2008 | World Development Indicators |
| Startup Costs | 0.2 | Start-up business costs measured as share of gross national income per capita | 2009 | World Development Indicators |
| Telecom Expenditure | -0.3 | Consumer Expenditure on Telecommunications Services | 2010 | Euromonitor International |
| Uneven Econ Development | 0.6 | Group-based inequality, or perceived inequality, in education, jobs, and economic status. Also measured by group-based poverty levels, infant mortality rates, and education levels. | 2009 | Failed States Index |
| Use of mobile devices | -0.3 | Cellular devices per 100 people | 2008 | World Development Indicators |
Appendix C: Internet Growth Maps
Please refer to the following pages for the visual maps of global internet users leading up to the
year 2020.