Linking Cybersecurity Policy and Performance Aaron Kleiner Paul Nicholas Kevin Sullivan Microsoft Trustworthy Computing

Learn How Socio-economic Factors Affect Regional Malware Rates


This Microsoft Security Intelligence Report (SIR) special edition white paper introduces a methodology Microsoft created to measure how non-technical cybersecurity public policy affects national cybersecurity efforts. Initial results of the research demonstrate the value of efforts to form more reliable risk reduction metrics in cyberspace.


2 Microsoft Corporation | Measuring the Impact of Policy on Global Cybersecurity

Linking Cybersecurity Policy and Performance

Authors

Aaron Kleiner, Microsoft Trustworthy Computing
Paul Nicholas, Microsoft Trustworthy Computing
Kevin Sullivan, Microsoft Trustworthy Computing

Contributors

Bruce Cowper, Microsoft Trustworthy Computing
Andrew Cushman, Microsoft Trustworthy Computing
Dave Forstrom, Microsoft Trustworthy Computing
Cristin Goodwin, Microsoft Trustworthy Computing
William Howerton, Good Harbor Security Risk Management
Jacob Olcott, Good Harbor Security Risk Management
Tim Rains, Microsoft Trustworthy Computing
Travis Scoles, Schireson Associates
Neil Shah, Schireson Associates
The Microsoft Malware Protection Center

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

Copyright © 2013 Microsoft Corporation. All rights reserved.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Foreword

This special edition of the Microsoft Security Intelligence Report (SIR) was authored by Microsoft’s Global and Security Strategy and Diplomacy (GSSD) team. GSSD works collaboratively with governments, multilateral organizations, industry, and non-profit groups to enhance security across the cyber ecosystem. Leveraging technical depth and public policy expertise, GSSD supports public and private sector initiatives that promote trustworthy plans and policies, resilient operations, and investments in innovation.

While Microsoft has long reported on the technical measures of cybersecurity through the SIR and other sources of information, we have been looking to better understand the full environment that leads to a given cybersecurity outcome. We believe that is dependent on a range of technical and non-technical measures including use of modern technology, mature processes, user education, law enforcement and public policies related to cyberspace. Each of these measures may contribute directly or indirectly to the cyber security performance measures reported in the SIR.

This paper introduces a methodology for examining how the non-technical socio-economic factors in a country or region impact cybersecurity performance. With this methodology we can build a model we hope can help predict the expected cybersecurity performance of a given country or region based on our observation of non-technical socio-economic data. From that prediction, we can attempt to better understand the public policies that distinguish the performance of different countries and regions.

We are excited by the initial results of our research that demonstrate significant differences in security outcomes between countries that have, for example, signed or ratified the Council of Europe.

Both policy makers and technology experts face increasing demands for innovation and impact. It is our hope that this work catalyzes additional research into the holistic factors impacting cybersecurity around the world as well as a data-driven approach to policy making.

Paul Nicholas
Senior Director of Global Security Strategy and Diplomacy
Trustworthy Computing, Microsoft

Tim Rains
Director
Trustworthy Computing, Microsoft


Introduction

The world is in the midst of an unprecedented technological transition, characterized by growth in the volume and diversity of people, devices, and data connected to the Internet. Across the globe, billions of people are using information and communications technology (ICT) infrastructure to conduct business, interact with governments and each other. The World Economic Forum recently observed that “more than 70 percent of the world’s citizens live in societies that have just begun their digitization journeys.”[1] With so many people moving towards an increasingly digital lifestyle, the world that emerges at the conclusion of this transition will likely be very different than the world we know today.

Cybersecurity is critical for the success of the world’s digital future.[2] Building a safer, more trusted Internet nationally and internationally requires policymakers, business decision makers, and ICT providers to collectively develop technical and policy solutions that will enable citizens, enterprises, and governments to meet their computing objectives in a secure, private, and reliable manner.

Over the past decade, national policymakers and the international policy community have undertaken a variety of initiatives that have been fundamental to establishing effective non-technical cybersecurity public policy. As a company, Microsoft has participated in many of these initiatives because we believe these efforts improve and enhance global cybersecurity. Through our participation, we have come to appreciate and understand the difficulty that policymakers face when evaluating the success of their initiatives designed to reduce cyber risks today and in the future.

Understanding whether certain policies can measurably reduce cyber risks at a national level is a critical exercise for policymakers seeking effective solutions to these challenges. In this vein, Microsoft set out to create a methodology to evaluate the impact of policy solutions on national cybersecurity efforts. Using a reasonable statistical measurement for evaluating cybersecurity on a national level, a framework was created to examine various factors that distinguish levels of cybersecurity performance among countries and to identify whether adoption of certain policies or strategic actions are related to cybersecurity performance.

The results of our analysis have implications for current and future policy initiatives. We found that countries adopting or implementing certain policies, including international treaties like the Council of Europe Convention on Cybercrime and voluntary codes of conduct like the London Action Plan, are more likely to over-perform on a key cybersecurity metric compared to countries that have not adopted the same policies. For policymakers seeking ways to improve national cybersecurity, these policies represent activities that are likely to have a meaningful and measurable impact. While we believe that these specific policy actions are critical steps for policymakers to consider when addressing cybersecurity on a national level, the manner in which these policies were created and adopted – through international partnership or joint public/private efforts – likely serves as an important model for how successful cybersecurity policies might be created in the future.

Recognizing the limitations of our study, we nevertheless hope that this whitepaper adds value to other efforts to form more reliable risk reduction metrics in cyberspace and serves as a useful tool for national policymakers considering various approaches towards achieving greater cybersecurity.

[1] http://www3.weforum.org/docs/Global_IT_Report_2012.pdf

[2] Cybersecurity: Cornerstone of a Safe, Connected Society, http://aka.ms/TwC_Cyber_Paper


How We Measure Cybersecurity: Infected Computer Data

Today, a multitude of reports from antivirus vendors, security experts, networking providers and our own Microsoft Security Intelligence Report (SIR) provide technical insight into the cybersecurity problem. Technical reports are an important tool for helping understand the pervasiveness of malicious code on machines. Microsoft’s own technical measure of cybersecurity is derived from our broad deployments of enterprise and consumer software products as well as global investments in online services such as search engines and e-mail systems. Our results are based on findings from our Malicious Software Removal Tool (MSRT), an anti-malware utility that checks Windows computers for prevalent threats and helps remove any malware or infections found. Delivered primarily through the Windows Update process, MSRT runs on more than 600 million devices per month. This represents a large proportion of the global personal computer install base, making the results a reasonable proxy for overall cybersecurity levels.

The MSRT evaluates the current level of malicious code infections on computer systems across the globe. To produce a consistent measure of infection that can be used to compare different populations of computers to each other over time, Microsoft reports infection rates using a metric called computers cleaned per mille (thousand) or “CCM,” which represents the number of computers cleaned for every 1,000 times that the Malicious Software Removal Tool (“MSRT”) is run. For example, if the MSRT is run 50,000 times in a particular country/region in the first quarter of the year and removes infections from 200 computers, the CCM for that country/region in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000). For the purposes of this analysis and paper we use CCM as a proxy for cybersecurity performance. A higher CCM number indicates a higher incidence of malware removed in a given geographical area, which we interpret as a lower level of cybersecurity performance.[3] Lower CCM numbers denote fewer malware removals and thus a higher level of cybersecurity performance. Figure 1 illustrates the CCM number for countries/regions around the world in the fourth quarter of 2011.[4]

[3] Since Q1 of 2011, the CCM has been reported based on geographic location rather than the administrator defined location. http://blogs.technet.com/b/security/archive/2011/11/15/determining-the-geolocation-of-systems-infected-with-malware.aspx

[4] Microsoft Security Intelligence Report Volume 12: July - December 2011. http://www.microsoft.com/security/sir/archive/default.aspx


Figure 1 - Infection rates by country/region in 4Q11, by CCM

CCM, like other technical cybersecurity metrics used in the industry, is an imperfect one. For instance, CCM does not measure and report important cybersecurity outcomes, including actual damage caused by infections. While we chose to use the CCM metric as an indicator of cybersecurity for purposes of our study, we hope that industry, government, and academia continue developing other useful metrics in order to create a more complete understanding of the impact of cyber risk.


Identifying Relationships Between Cybersecurity and National-Level Factors

Microsoft began this research with an interest in understanding whether countries with similar CCM metrics shared other “non-technical” traits. More than 80 national indicators or factors were identified, including Gross Domestic Product (GDP), governance model, and broadband penetration rate. We then applied statistical modeling techniques to identify patterns between the indicators and a country or region’s cybersecurity risk profile as indicated by CCM. It was found that 34 of the 80 original indicators had a potential correlation with CCM.

In general, most of the indicators we identified were negatively correlated with CCM; as the indicator rises, CCM will decrease. It is important to emphasize that these relationships demonstrate correlative, not causal, relationships. For example, with respect to education, the data show that lower CCM rates are related to the length of time that a country’s citizens spend in school. The chart below contains a sample of our findings:

Table 1 - Sample Indicator Variables for Analysis[5]

| Indicator Variable | Correlation with CCM |
|---|---|
| Computers Per Capita | -0.6 |
| Gross Income Per Capita | -0.5 |
| Rule of Law | -0.5 |
| Demographic Instability | 0.6 |
| Secure Net Servers | -0.5 |
| Broadband Penetration | -0.6 |
| R&D Expenditure | -0.5 |
| Facebook Usage | -0.3 |
| Use of mobile devices | -0.3 |
| Literacy Rate | -0.5 |

[5] See Appendix for full list of sources and descriptions


Predicting Cybersecurity Performance

With an understanding of how certain national-level indicators correlate with CCM measurements, we set out to build a model that predicts levels of cybersecurity performance based on these national indicators. Building a predictive model enables policymakers to explore a series of potential explanations for the disparity between actual and predicted CCM.

The graph below shows a scatter plot of the actual and expected cybersecurity performance of over 100 countries. We omitted the names of individual countries in this report because our intention is to understand the drivers of cybersecurity performance rather than discuss the performance of any individual country.

By identifying the underlying principles of certain policies that are correlated with over-performance in cybersecurity, such as intergovernmental frameworks for cooperation and voluntary codes of conduct, policymakers can develop future approaches that are more likely to be effective in combating the evolving threats in cyberspace.

Figure 2 – Actual vs. Predicted Cybersecurity Performance per Country or Region


The elements of the graph include:

2011 Average CCM - Along the X-axis are the average quarterly CCM numbers reported in the SIR for 2011.

Expected/Predicted CCM - Along the Y-axis, we report the predicted level of cybersecurity for each country. This accounts for the variation among countries and gives us an expected/predicted CCM number based on the 34 variables identified above.

Model Line - The diagonal line from the lower-left to the upper-right of the graph represents a perfect fit of the model. If we were able to perfectly predict the levels of cybersecurity performance for each country, each would fall on this line.

Since the model is not perfect, individual countries are on, above, or below the model line. Countries above the line are considered to be out-performing the model. That is, their actual levels of cybersecurity performance are better (lower CCM) than our model predicts based on the non-technical indicators. Conversely, countries located below the line are under-performing the model. Their actual levels of cybersecurity are worse (higher CCM) than our model had predicted.[6]

We then used latent class segmentation[7] to classify each country into one of three clusters, based on both their actual and predicted CCM. The end result is a model with three distinct clusters of countries, which we call Maximizers, Aspirants, and Seekers.

[6] Note on our methodology: We expect that countries’ positions on the chart will change over time as both non-technical and technical conditions evolve. We also expect that CCM changes will be more frequent and erratic, relative to some of the other indicator variables; this is based on past observations of CCM fluctuating between quarters relatively more than other government indicators, such as GDP. For this reason, we have chosen to model and report on annualized averages where possible, as this minimizes potentially misleading data that is a direct result of quarterly fluctuation. In some cases, the predicted CCM is extremely low, and potentially below 0, which cannot happen from a practical standpoint. This is a result of using a linear regression model – the model cannot understand that the practical floor for CCM is 0. Negative CCM results should be interpreted as a small positive number that is approaching zero, from a real-world standpoint.

[7] Vermunt, Jeroen K. and Jay Magidson. Latent Class Models for Classification. In latent class segmentation, we create variables (known as latent variables), and assign each of the countries to belong to one of those variables. The variables act to explain the variance between expected and predicted CCM – countries with similar variance are grouped together. The optimal clustering model is determined by maximizing the explainable difference, and is found by testing varying number of latent variables (varying numbers of clusters) and varying combinations of countries included in each cluster.

Strength of Our Predictive Model

The strength of this model is expressed by the term R², which explains how much of the predicted value can be explained by the regression formula. Generally, R² ranges from 0 to 1: an R² of 0 would indicate no predictive power, 0.1-.03 weak prediction, 0.4-0.6 moderate prediction and 0.7-1 strong prediction. Our model has an R² of 0.68, moderate predictive ability. While purely scientific studies may strive for R² values of .9 or above, we consider our model to be a good starting point for this discussion.
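
The measurement steps described above (CCM, a linear model of expected CCM, R², and the gap between actual and predicted CCM), as an added Python example that is not part of the white paper. The six regions, their two indicator values, the MSRT counts and the 1.5 CCM gap threshold are constructed assumptions; the paper uses 34 indicators and latent class segmentation rather than a fixed threshold.

```python
"""Added illustration (not from the white paper): CCM, a linear model of
expected CCM, R^2, and a label for each actual-vs-predicted gap."""

# Constructed sample: (region, broadband %, literacy %, computers cleaned, MSRT runs).
SAMPLE = [
    ("Region A", 20, 70, 1450, 100_000),
    ("Region B", 30, 90, 650, 100_000),
    ("Region C", 40, 80, 700, 100_000),
    ("Region D", 50, 80, 700, 100_000),
    ("Region E", 60, 90, 650, 100_000),
    ("Region F", 70, 70, 50, 100_000),
]

def ccm(computers_cleaned, msrt_executions):
    """Computers cleaned per mille: cleaned / executions * 1,000."""
    if msrt_executions <= 0:
        raise ValueError("MSRT execution count must be positive")
    return computers_cleaned / msrt_executions * 1000.0

def solve(a, b):
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("indicators are collinear; model cannot be fitted")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x

def fit_ols(rows, y):
    """Least squares with an intercept, via the normal equations X'X b = X'y."""
    x = [[1.0] + list(r) for r in rows]
    k = len(x[0])
    xtx = [[sum(r[i] * r[j] for r in x) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(x, y)) for i in range(k)]
    return solve(xtx, xty)

def predict(beta, row):
    """Raw linear prediction; nothing stops it from going below zero."""
    return beta[0] + sum(b * v for b, v in zip(beta[1:], row))

def expected_ccm(beta, row):
    """Prediction read as footnote 6 suggests: CCM has a practical floor of 0."""
    return max(0.0, predict(beta, row))

def r_squared(actual, predicted):
    """Share of the variance in actual CCM that the model accounts for."""
    mean = sum(actual) / len(actual)
    ss_res = sum((a - p) ** 2 for a, p in zip(actual, predicted))
    ss_tot = sum((a - mean) ** 2 for a in actual)
    return 1.0 - ss_res / ss_tot

def label(actual, predicted, threshold=1.5):
    """Lower actual CCM than predicted means better than expected."""
    gap = actual - predicted
    if gap <= -threshold:
        return "out-performing"
    if gap >= threshold:
        return "under-performing"
    return "on par"

def analyse(sample, threshold=1.5):
    """Fit the model on the sample and label every region by its gap."""
    rows = [(b, l) for _, b, l, _, _ in sample]
    actual = [ccm(c, n) for *_, c, n in sample]
    beta = fit_ols(rows, actual)
    predicted = [predict(beta, r) for r in rows]
    labels = {name: label(a, p, threshold)
              for (name, *_), a, p in zip(sample, actual, predicted)}
    return {"beta": beta, "r2": r_squared(actual, predicted), "labels": labels}

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("coefficients:", [round(b, 3) for b in result["beta"]])
    print("R^2:", round(result["r2"], 3))
    for region, verdict in result["labels"].items():
        print(region, verdict)
```

Regions B and E have the same actual CCM in this constructed data yet receive opposite labels, because the label depends on the gap to the prediction, not on CCM alone.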


Figure 3 – Cluster Analysis of Cybersecurity Performance

Maximizers: Maximizers are countries with more effective cybersecurity capabilities and out-perform the model. This cluster has a moderate level of predicted cybersecurity, but relatively, it has the best cybersecurity performance of all clusters. This over-performance of the model is the defining attribute of the cluster. Within the countries that comprise the cluster, we see that they often have better performance in key indicator variables (as defined by CHAID analysis[8], which determines the strength of relationship between predictor variables and cluster membership), including personal computers in use per capita, health expenditure per capita, regime stability, and broadband penetration. Maximizers include a relatively high percentage of European countries.

[8] G. V. Kass, An Exploratory Technique for Investigating Large Quantities of Categorical Data, Journal of the Royal Statistical Society. Series C (Applied Statistics), Vol. 29, No. 2 (1980), pp. 119-127. Published by: Wiley for the Royal Statistical Society. Article Stable URL: http://www.jstor.org/stable/2986296


Aspirants: Aspirants are countries who are on a par with the model and are still developing cybersecurity capabilities. This cluster has a moderate level of predicted cybersecurity, and in reality it performs on par with those predictions. This predictability of cybersecurity performance is the defining attribute of the cluster. Of all three clusters, Aspirants is also the largest. Within the countries that comprise the cluster, we see that they often have average to above average performance in key indicator variables, including broadband speed, secure Internet servers per capita, R&D expenditure, and consumer telecommunications expenditure. Countries from around the world comprise the Aspirants cluster, but it contains a slightly higher percentage of Latin American/Caribbean nations than others.

Seekers: Seekers are countries with higher cybersecurity risk who underperform on model expectations. While this cluster has a moderate to low level of predicted cybersecurity, in reality it has a low level of cybersecurity, as measured by high CCM. As such, Seekers underperform with regards to their cybersecurity potential. Of the three, the Seekers cluster is the smallest. The countries that comprise the cluster often poorly perform in key indicator variables, including literacy, offences (crime) per capita, broadband speed, and broadband penetration. Compared to the key attributes of Aspirants, we see that Seekers may be less likely to invest in technological infrastructure development. Countries from around the world comprise the Seekers cluster, but it contains a higher percentage of Middle Eastern/African nations than the others.

Figure 4 – Geographic Distribution of Cluster Members


Impact of Cybersecurity Policies on National Performance

Why do countries with similar predicted CCM perform so differently on actual CCM? In other words, if our model already accounts for key differences between countries (GDP, broadband penetration, rule of law, etc.), why does the actual CCM number vary so much? We hypothesized that this discrepancy can be partially attributed to policies and programs implemented by the country to limit cybersecurity risk. We believe that these factors can help to explain part of the difference between predicted and actual performance.

Evolution of Cyber Policy

Over the last decade, national policymakers have considered myriad cybersecurity policies of varying focus, size, scope, intent, and budget. The growth of Internet users and new threat actors helped spur international dialogue around cybersecurity, which resulted in the development of the Council of Europe Convention on Cybercrime in 2001. The Convention on Cybercrime created the first-ever international treaty aimed at cybersecurity issues, and it has since been ratified by 37 countries.

As spam, phishing, and spyware began to merge to create substantial threats to large enterprises, the formation of new public/private partnerships became necessary. For instance, in response to growing international pressure to contain the malware problem, government agencies from 27 countries convened in October 2004 to form the London Action Plan. The Plan was created to “promote international spam enforcement cooperation and address spam related problems, such as online fraud and deception, phishing, and dissemination of viruses.”[9] The Plan also created a voluntary code of conduct for private companies in order to elicit greater spam enforcement cooperation.

Policymakers must also consider the growing theft of intellectual property and rising rates of software piracy. Though actual financial costs are impossible to gauge, the theft of intellectual property through cyber means is thought to be in the multi-billions per year, a number that has only grown over time. The decade witnessed soaring piracy rates that inflicted significant economic damage on companies. In 2003 the commercial value of the pirated software market was $28.8 billion;[10] by 2011 the figure had increased to $63.4 billion. High piracy rates were particularly fueled by PC shipments to emerging economies where piracy rates are highest.[11] Software piracy also directly impacts indicators such as CCM where in the first half of 2012, the most commonly detected malware globally was typically bundled with counterfeit software.[12]

National cybersecurity strategies evolved throughout the decade, incorporating elements of resiliency and reciprocity, and also the role of militaries. For example, in 2006 the U.S. Department of Homeland Security and the private sector jointly developed sector specific plans focused on risk management and resiliency of critical functions. Cyber attacks on Estonia in 2007 led the European Union to create a new public/private partnership designed to enhance preparedness, security, and resilience. Sophisticated attacks against the U.S. government resulted in the creation of the Comprehensive National Cybersecurity Initiative (CNCI) in 2008, an effort representing a significant increase in policy, operational, and financial commitments that spanned the whole of government. As attacks continued, militaries increasingly looked to develop specific military doctrines, policy statements or military strategies related to cyberspace. By 2011, 33 countries had done so.[13]

[9] http://londonactionplan.org/the-london-action-plan/

[10] http://www.bsa.org/country/Research%20and%20Statistics/~/media/5536D2D93FA746E69CBC12ECBCE0F319.ashx

[11] http://portal.bsa.org/globalpiracy2011/downloads/study_pdf/2011_BSA_Piracy_Study-InBrief.pdf

[12] http://www.microsoft.com/security/sir/story/default.aspx#!unsecure_distribution

Identifying Policies that Correlate with Cybersecurity Performance

How are these and other policies related to a country’s cybersecurity performance? To test our theory about the role of policy in cybersecurity, we distilled the variety of types of cybersecurity policies into certain initiatives that can be measured by a binary rather than a substantive evaluation. For example, we queried whether a country was a signatory of the Council of Europe Convention on Cybercrime, but did not further evaluate the extent or effect of the policies that a country adopted in order to implement the treaty. Additionally, we considered whether or not a country had developed a military cyber defense strategy, but did not evaluate the robustness of the strategy. Furthermore, in order to expand the data set, we evaluated policies adopted in a statistically significant number of countries and regions.

We initially identified four policy factors that satisfy these criteria and ran them against our model:

| | Maximizers | Aspirants | Seekers |
|---|---|---|---|
| Piracy | 42% | 62% | 68% |
| London Action Plan Membership | 46% | 20% | 10% |
| COE Convention on Cybercrime | 51% | 17% | 7% |
| Defense Strategy for Cybersecurity | 51% | 15% | 21% |

Table 2 - Impact of Policy upon Cybersecurity Performance

Council of Europe Cybercrime Treaty

We found the Council of Europe Convention on Cybercrime (COE) to be one of the strongest accelerators of cybersecurity for the countries in our survey. The COE is an international treaty that aims to create a common policy environment for cybercrime, to provide the legal powers necessary to effectively investigate and prosecute cybercrime offenses, and to establish methods of international cooperation that can help match the speed of cybercrimes.

Fifty-one percent of the countries in the Maximizer (over-performing/low-CCM) cluster had either signed or ratified the treaty. While the COE rates and relative CCM performance relationship may not be causal, there is a clear link between CCM performance, relative to expectations, and COE accession. Interestingly, we noticed a declining trend of COE accession in countries with higher CCM scores relative to predictions.

London Action Plan

Membership in the London Action Plan is also an indicator of over-performance in cybersecurity, significantly distinguishing the low-CCM cluster from the other two clusters. The London Action Plan aims to promote international cooperation in addressing spam, online fraud, and malware.[9] Rather than create new legally binding obligations for members, the Plan outlines activities for both public and private sector participants to fight spam, fostering better cooperation between organizations in order to defend against cyber threats.

Forty-six percent of the over-performing cluster’s countries are members of the London Action Plan. Also similar to the COE signatory trends, membership in the London Action Plan is linked with CCM performance, relative to expectations. As with COE signatory rates, there exists an implied relationship between membership in the London Action Plan and relative cybersecurity. While the relationship between CCM performance and the London Action Plan may not be causal, we can definitively say that membership in the London Action Plan would be part of a profile for a country that has relatively good cybersecurity.

[13] James A. Lewis and Katrina Timlin, Center for Strategic and International Studies, Cybersecurity and Cyberwar: Preliminary Assessment of National doctrine and Organization, in Resources: Ideas for Peace and Security (U.N. Inst. for Disarmament Research, 2011), http://www.unidir.org/pdf/ouvrages/pdf-1-92-9045-011-J-en.pdf.

Military Cyber Defense Strategy

Military cyber defense strategy differs from London Action Plan membership and COE Signatory status in that it does not trend with relative CCM performance. As Table 2 shows, countries with publicly acknowledged military cyber defense strategies comprise fifty-one percent of the low-CCM cluster. However, twenty-one percent of the high-CCM underperforming cluster also had military cyber strategies. We also examined the countries with civil cyber strategies but found no clear relationship with cluster membership; countries with only civil cyber strategies were equally likely to be in any one of the three clusters.

It is possible that future analysis will show a correlation between military cyber defense strategies and cybersecurity performance. Many military strategies are still in their formative phases, having been created in the past few years, and it can take time for the impact of new policies and capabilities to be fully observed. As more countries around the world adopt both military and civil based cyber defense strategies it will be worth watching to see if there is a notable difference in their security outcomes.

Piracy Rate

Though we did not evaluate individual policy approaches towards reducing piracy, the average piracy rate of countries in the low-CCM cluster was drastically lower than the other clusters. The implications of this observation are complex. Countries that do a better job managing cybersecurity may also do a better job mitigating piracy, or countries with higher piracy rates may have a more difficult time containing malware and other cyber threats. This is a topic for further research, but we found the relationship between piracy rates and CCM scores compelling enough to highlight here.

As opposed to the other profiling factors discussed above, piracy rate is an outcome rather than a policy tool. However, this does show the potential benefit of protecting intellectual property as higher rates of piracy are positively correlated with higher CCM. This is unsurprising, as pirated software poses a serious security risk to its users. A 2008 study by the Harrison Group found that companies that used unlicensed software were seventy-three percent more likely than those companies that use fully licensed software to experience loss or damage of sensitive data, and were 43 percent more likely to suffer critical computer failures.[14]

[14] http://go.microsoft.com/fwlink/?LinkId=143927


Summary of Quantitative Analysis

The goal of our quantitative research was to gain a clearer understanding of what factors distinguish cybersecurity performance among countries, and whether any relationship exists between certain national cybersecurity policies and a country’s cybersecurity performance.

We applied various statistical tools and models to freely available predictor data with the intention of taking country-level developmental markers and predicting cybersecurity performance.[15] The result was a model that predicts CCM based on a set of 34 predictor variables. This model also provided greater insight into the relationship between predicted and actual cybersecurity performance. We did this by taking the model predictions to create another model that clustered countries into one of three groupings. By profiling those groupings, we assessed a link between cybersecurity performance and key government policies.

This research also resulted in the identification of specific markers that can not only signal above

average cybersecurity performance, but can also signal countries that have better cybersecurity

performance than we would expect, given attributes that are not necessarily easily controlled, such

as GDP. Specifically, those countries that sign the Council of Europe Cybercrime treaty and/or the

London Action Plan are more likely to outperform a predictive model of cybersecurity performance.

[15] For a more detailed description of methodology, refer to Appendix


Evolving Policy Initiatives for Future Impact

Having identified a correlation between certain policy tools and national cybersecurity performance, policymakers may wish to focus their attention on adopting or evolving these types of tools to address future challenges. Policy developments in the previous decade sought to lay a foundation to build a more connected society and promote e-commerce. The next decade will focus on the security and protection of that infrastructure, both domestic and international, in order to continue to grow.

Figure 5 - Progression of Cybersecurity Policy

As policymakers consider future initiatives designed to impact national cybersecurity, it will be important to draw lessons from the policy discussions of the previous decade. Policymakers should pay particular attention to the lessons from policies that this study identifies as having a positive correlation with national cybersecurity, such as the Council of Europe Convention on Cybercrime and the London Action Plan. As a participant in some of these initiatives, our company has observed firsthand the reasons for their effectiveness, and offers the following impressions:

Evolving Context for Cybersecurity Policy: New Demographics of Global Internet Users

In considering cybersecurity policy initiatives, it is important for policymakers to consider the global

demographics of Internet users. During the creation of many of the initiatives noted above, such as

the Council of Europe Convention on Cybercrime and the London Action Plan, Internet users were

largely concentrated in North America and Western Europe. Because of this and other factors,

countries in those regions took leading roles in developing and leading global cybersecurity policy

initiatives.

However, in coming years, shifts in Internet user demographics will create new centers of gravity in the global online population. As demonstrated in the data visualization (figure 6), which shows a map of the world in 2020 with countries sized by their relative population of Internet users and colored according to the total number of Internet users relative to their population, countries such as China, India, Nigeria, and other emerging economies will be home to the bulk of global Internet users.


Figure 6 - Projected Distribution of Global Internet Users in 2020 [16]

This shift in demographics does not mean that these new centers of gravity will necessarily drive policy initiatives, but it does mean that global-scale initiatives – as well as some regional and national-level initiatives – will need to be responsive to these emerging demographic changes. More than ever, policymakers will have to consider the unique and diverse perspectives that different countries bring to cybersecurity while maintaining currently established policy frameworks that have proven key to promoting the growth of the global ICT industry.

International Treaties (e.g., Council of Europe Convention on Cybercrime)

Though international treaties are difficult to develop and enact, the Council of Europe Convention on Cybercrime (COE) has had a strong and positive impact on global initiatives to combat cybercrime. In essence, the COE has succeeded because it has helped to spur governments to enact cybercrime legislation domestically and work to combat international cybercrime, and because it focuses on problems of cross-jurisdictional importance that serve the interests of many states rather than few. Though there is clearly contention among nations regarding the need for new international treaties related to cybersecurity, these principles, of establishing enabling mechanisms for intergovernmental action and advancing the interests of a large number of nations, should guide any future treaty with significant relationship to cyberspace.

In the future, as noted below, increased participation from countries with growing user populations, as well as private industry, will be critical. The emerging centers of gravity must play a constructive and credible role in creating and promoting global agreement on mechanisms to enable security in cyberspace in the future. Participation from the private sector is also important in articulating effective and practicable cybersecurity mechanisms. As governments engage in the emerging discussions for developing norms and rules of behavior in cyberspace, they should incorporate the input of the private sector, as industry plays a critical role in carrying out many cybersecurity policies once articulated.

[16] Please see Appendix C for this map-style data visualization, which includes an explanation of the relative sizing and coloring of countries. Additionally, Appendix C includes similar data visualizations for a subset of countries during the years 2000, 2005, 2010, and 2015, to demonstrate the growth of Internet user populations.


Voluntary Codes of Conduct (e.g., London Action Plan)

As the global ICT industry continues to grow, so will the importance of voluntary and affirmative programs to tackle cybersecurity challenges. As an example of such efforts, the London Action Plan is instructive for two reasons. First, it demonstrates that when governments collaborate to articulate common principles and commit to cooperative action to promote cybersecurity, it creates an environment that encourages industry to support such principles and actions. Second, the voluntary and affirmative approach allows for multi-stakeholder engagement and input. The resulting bottom-up approach creates an effective framework for resolving some of the most vexing cybersecurity challenges, such as spam and botnets, which are likely to continue to pose a threat in the future. More recently, voluntary codes of conduct for ISPs to help address botnet threats have been developed in both Australia and the United States.

Given the sheer size and complexity of the globally distributed ICT industry, policymakers should

consider voluntary codes of conduct that allow for participation by industry from development to

implementation when addressing future cybersecurity policy challenges. As our model shows, there

is a correlation between the London Action Plan and cybersecurity performance, demonstrating the

quantitative impact of voluntary codes and their value for policymakers.

Military Defensive Strategies for Cybersecurity

Among the policy tools considered in our model, military defensive strategies for cybersecurity are the most unpredictable at this stage in terms of their relation to overall cybersecurity, and will continue to be in the future. As our model demonstrated, whether or not a country has a defense strategy for cybersecurity is not a strong predictor of its cybersecurity performance. However, the expression of military doctrines for cyberspace is a novel and ongoing development. Therefore, we believe that their quantitative impact is less meaningful than their qualitative impact. Currently, the increased role of defense authorities in cybersecurity is viewed as a potentially destabilizing force, with many public and private entities questioning whether and how defense authority engagement in cyberspace should be managed.

The fact remains that defense authorities will engage in cyberspace and we believe that this engagement will occur in at least three forms. First, relying upon security-focused arguments, defense authorities will leverage non-tariff barriers to trade to prevent or limit civil market access for ICT vendors from countries perceived as distrusted. Second, again leveraging security-focused arguments, defense authorities will similarly restrict their government procurement choices to favor products and services from domestic and other trusted sources. Third, there is the prospect of actual military conflict in cyberspace, which may involve attacks upon critical trust mechanisms of the Internet, such as security update services or network infrastructure, as has already occurred.

As policymakers face these challenges, the concept of reciprocity must drive decision-making. Enacting restrictive trade policies can have a domino effect, sparking retaliation by other governments and thereby undermining the globally distributed nature of the ICT industry and its benefits. Reciprocity is an even greater consideration in the arena of conflict or warfare, as actions by one government can quickly escalate and cause unintended consequences and retaliatory actions by other governments. Therefore, policymakers must be vigilant when considering the second- and third-order implications of their actions in developing defense and military strategies, and seek to promote balanced standards based around technology-neutral practices.


Cross-Domain Alignment (e.g., antipiracy strategies)

Because of the technical nature of many cybersecurity tools, policymakers sometimes fail to consider the importance of leveraging mechanisms that cross legal, policy, and technology domains to accomplish desired outcomes. For example, effective antipiracy work requires a mix of legal, public policy, and technology mechanisms, all of which involve public and private sector engagement. Looking back to the start of global antipiracy efforts, governments and industry engaged to fight piracy, to protect intellectual property and to preserve their economic interests. These efforts realized benefits that extended beyond the immediate goal of limiting financial losses associated with piracy. However, by removing illegitimate products that often included reduced security features, governments reduced their overall level of cybersecurity risk.

Looking forward, policymakers should focus on similar alignment of legal, public policy, and technology mechanisms to reduce cybersecurity risk, whether risk management is a primary, secondary, or attendant benefit. At present, there are many technology tools to address cybersecurity risk in the private sector, but there is a relative dearth of legal and public policy initiatives to support them. While this is only one example, the challenge of cultivating an ecosystem for trusted identity on the Internet speaks to the need for cross-domain alignment. As our model shows, there is a correlation between the reduced piracy rates and cybersecurity performance, demonstrating the quantitative impact of such cross-domain alignment efforts and their value for policymakers.


Conclusion

Though it is hard to predict exactly what the digital world will look like in the decades ahead, strong cybersecurity will be critical to its successful existence. Policymakers around the globe are faced with the difficult challenge of creating policies that positively impact their national cybersecurity. Knowing which types of initiatives have the greatest positive impact on cybersecurity will allow policymakers to make informed, results-based policy decisions.

In reviewing qualitative and quantitative impacts on national cybersecurity, this paper seeks to

place policy decisions alongside a framework of technical and demographic projections to create a

view of what the future environment for policymaking could look like. By identifying the underlying

principles of certain policies that are correlated with over-performance in cybersecurity, such as

intergovernmental frameworks for cooperation and voluntary codes of conduct, policymakers can

develop future approaches that are more likely to be effective in combating the evolving threats in

cyberspace.

To meet our future security challenges in cyberspace, Microsoft urges governments to participate in

a broader dialogue on normative standards to better protect citizens on the Internet that includes

perspectives from the ICT industry. This process develops rules of behavior in cyberspace that can

reduce threats, increases confidence and trust, and helps improve security of the cyber ecosystem

at the international level. As discussed in this paper, CCM is a rough approximation of the attack

surface for a particular country or region. Industry and governments can work in partnership to

reduce this attack surface and make the computing infrastructure less susceptible to attack and

compromise.


Appendix A: Methodology

In order to test the predictability of CCM given non-technical measures, we used linear regression

modeling. A regression analysis allows us to build a model that shows the predicted impact on CCM

as the various indicator variables (such as GDP, Computers Per Capita, etc.) fluctuate. By solving for a

universal starting point (known in regression analysis as the constant), we then were able to use the

model to predict CCM at the country level, with differences in predicted CCM across countries being

driven by differences in the indicator variables (e.g., given the GDP Per Capita, Computers Per Capita,

etc., we can predict CCM).

There are several existing approaches to regression modeling, each with its own set of advantages. The type of analysis we utilized to build the model was Correlated Component Regression (CCR). CCR modeling differs from other regression techniques in that instead of constructing a relationship between the dependent variable (in this case CCM) and the individual predictors (in this case, the indicator variables), CCR constructs relationships between the dependent variable and a number of components – components being latent variables created by the model. Each component consists of the total number of predictor variables included in the model (GDP, etc.), but the weighting of each of those predictors varies from component to component (a similar concept to principal component analysis). As a result, some components may be more heavily representative of particular indicators, such as GDP, while other components are more heavily representative of other indicators, such as Facebook or IE6 usage. We chose to use CCR modeling because it offers an advantage over other techniques, in that it reduces potential error created by datasets that have a large number of correlated predictors (such as computers per capita and % of population with an Internet connected computer), relative to data points – which was beneficial to this dataset, given that we used 34 predictors to predict CCM, based on 106 countries/regions.

The first stage of analysis was a step down analysis, designed to identify those indicators that are most important to the model. By using step down analysis, we were able to reduce the number of indicators from 80 to 34. In this case, step down analysis was run by creating a model with all indicators, identifying the 1% of indicators that were least important to the model and removing those variables from the model. This process was repeated until the model with the best fit was identified.

When identifying the model of best fit, we used a methodology commonly known as cross validation. The reason we did this was to measure not only how well our model could predict the data we fed into it (the 106 locations’ predictor variable data), but also how well it could predict random data (e.g. how well it could predict CCM performance for countries/regions that we aren’t testing). Cross validation, commonly known as K-Fold cross validation, works by using pieces of the dataset to test results. In cross validation, we divide the data into an equal number (represented by the variable K) of ‘folds’ of random cases, and then apply the model to see how well K-1 folds predict the final fold. In this analysis, K=10. In simpler terms, we would repeatedly randomly test how well 90% of the data predicted the final 10% to determine fit. We used this methodology to optimize the model tuning parameter (number of components and predictor variables), as well as to identify the model of best fit.

As the final step, we ran a cross-validated 5 component model. The results were interpreted in the

same way as other regressions – each predictor coefficient determined impact on CCM. Coefficients

may not have been directionally consistent with correlations; this is because some of the predictor

variables in the model help explain otherwise unexplainable variance in other predictor variables, as

opposed to directly predicting CCM. These types of variables are commonly known as suppressor

variables, since they suppress otherwise inherent error in some of the predictor variables included in

the model, and help to improve overall model accuracy. As a result, the accuracy of the model lies in

the overall prediction in aggregate, and not the direct relationship with any specific indicator.
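
The selection loop this appendix describes (step down removal scored by 10-fold cross validation), sketched as an added example that is not the paper's code or data. Assumptions: ordinary least squares stands in for Correlated Component Regression, one predictor is dropped per round, importance is taken to be the absolute standardized coefficient, and the 106 rows are constructed values that only borrow indicator names from Appendix B.

```python
import random

# Indicator names borrowed from Appendix B; every value below is constructed.
NAMES = ["computers_per_capita", "networked_pc", "corruption", "literacy",
         "savings", "fdi", "growth_5yr", "startup_costs"]

def make_data(n=106, seed=7):
    """Synthetic stand-in for the 106 countries/regions (not the paper's data)."""
    rng = random.Random(seed)
    rows, ccm = [], []
    for _ in range(n):
        r = [rng.gauss(0, 1) for _ in NAMES]
        r[1] = r[0] + 0.3 * rng.gauss(0, 1)  # correlated pair, like the page's example
        rows.append(r)
        # Assumption: only columns 0 and 2 drive the target; the rest are noise.
        ccm.append(10.0 - 3.0 * r[0] - 2.0 * r[2] + rng.gauss(0, 1))
    cols = list(zip(*rows))                  # standardize each predictor
    mu = [sum(c) / n for c in cols]
    sd = [(sum((v - m) ** 2 for v in c) / n) ** 0.5 for c, m in zip(cols, mu)]
    return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows], ccm

def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for j in range(c, n + 1):
                M[r][j] -= f * M[c][j]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][j] * x[j] for j in range(r + 1, n))) / M[r][r]
    return x

def fit(rows, y, cols):
    """Least-squares coefficients [constant, b1, b2, ...] for the chosen columns."""
    Z = [[1.0] + [r[c] for c in cols] for r in rows]
    k = len(cols) + 1
    A = [[sum(z[i] * z[j] for z in Z) for j in range(k)] for i in range(k)]
    b = [sum(z[i] * t for z, t in zip(Z, y)) for i in range(k)]
    return solve(A, b)

def predict(beta, row, cols):
    return beta[0] + sum(w * row[c] for w, c in zip(beta[1:], cols))

def cv_error(rows, y, cols, k=10, seed=0):
    """Mean squared error when k-1 folds predict the held-out fold (K=10 on the page)."""
    idx = list(range(len(rows)))
    random.Random(seed).shuffle(idx)
    sq = 0.0
    for f in range(k):
        test = idx[f::k]
        held = set(test)
        train = [i for i in idx if i not in held]
        beta = fit([rows[i] for i in train], [y[i] for i in train], cols)
        sq += sum((y[i] - predict(beta, rows[i], cols)) ** 2 for i in test)
    return sq / len(rows)

def step_down(rows, y, cols, k=10):
    """Drop the weakest predictor each round; return (best_cols, best_err, path)."""
    cols, path = list(cols), []
    while True:
        path.append((list(cols), cv_error(rows, y, cols, k)))
        if len(cols) == 1:
            break
        beta = fit(rows, y, cols)
        # Predictors are standardized, so |coefficient| is a comparable importance score.
        weakest = min(range(len(cols)), key=lambda i: abs(beta[i + 1]))
        cols.pop(weakest)
    best_cols, best_err = min(path, key=lambda p: p[1])
    return best_cols, best_err, path

if __name__ == "__main__":
    rows, ccm = make_data()
    best, err, path = step_down(rows, ccm, range(len(NAMES)))
    for cols, e in path:
        print(len(cols), round(e, 3))
    print("kept:", [NAMES[c] for c in best], "cv mse:", round(err, 3))
```

The held-out error, not the in-sample fit, decides which model on the path is kept, which is the role cross validation plays in the appendix.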


Appendix B: Data Sources

| Indicator | Correlation with CCM | Description | Year | Source |
|---|---|---|---|---|
| 5yr Growth | 0 | 5-year average GDP per capita growth (% annual) | 2008 | World Development Indicators |
| Broadband Penetration | -0.6 | Fixed broadband connections per 100 people | 2010 | International Telecommunication Union |
| Broadband Speed | -0.3 | The contracted capacity of international connections between countries for transmitting Internet traffic | 2008 | World Development Indicators |
| Computers Per Capita | -0.6 | Percent of households who own a personal computer | 2010 | Euromonitor International |
| Corruption | -0.5 | Corruption perceptions index relates to perceptions of the degree of corruption as seen by business people and country analysts, and ranges between 10 (highly clean) and 0 (highly corrupt). | 2010 | Transparency International |
| Demographic Instability | 0.6 | Pressures on the population such as disease and natural disasters that make it difficult for the government to protect its citizens or demonstrate lack of capacity or will. | 2009 | Failed States Index |
| Facebook Usage | -0.3 | Number of Facebook users | 2011 | Socialbakers.com |
| Foreign Direct Investment Size / Volatility | 0 | Foreign direct investment is net inflows of investment to acquire a lasting management interest in an enterprise operating in an economy other than that of the investor. Adjusted by the moving average volatility. | 2008 | World Development Indicators |
| GDP Per Capita | -0.3 | Gross domestic product per capita, current prices | 2011 | International Monetary Fund |
| Government Type | -0.4 | The extent to which a society is autocratic or democratic. | 2008 | Polity IV |
| Gross Income Per Capita | -0.5 | Income before taxes from all sources. | 2010 | Euromonitor International |
| Health Expenditure Per Person | -0.6 | Health expenditure per capita with external aid | 2006 | World Health Organization |
| Hi-tech Exports | -0.3 | High-tech exports as a percentage of manufactured exports. | 2008 | World Development Indicators |
| ICT Exports | -0.2 | Information and Communication Technology exports as a percentage of total goods exports. | 2008 | World Development Indicators |
| IE6 Usage | -0.2 | Internet Explorer 6 usage share | 2011 | Microsoft |
| Immunization to Measles | -0.2 | Rate of Immunization Against Measles. | 2008 | World Development Indicators |
| Life Expectancy | -0.4 | Life Expectancy at Birth | 2010 | Euromonitor International |
| Literacy Rate | -0.5 | Adult Literacy Rate | 2010 | Euromonitor International |
| Market Size | -0.6 | Domestic consumption plus country exports minus country imports. | 2008 | World Development Indicators |
| Offenses | -0.5 | Number of offences per 100,000 people. Offence refers to any act which is punishable under law. The number includes both criminal and administrative offences. | 2010 | Euromonitor International |
| Ownership of Networked PC | -0.4 | Percent of households with a broadband internet connection via home computer. | 2010 | Euromonitor International |
| Productivity | -0.4 | Refers to labor productivity, i.e. output of goods and services in the economy per employed person | 2010 | Euromonitor International |
| R&D Expenditure | -0.5 | Expenditures for research and development are current and capital expenditures (both public and private) on creative work undertaken systematically to increase knowledge, including knowledge of humanity, culture, and society, and the use of knowledge for new applications. | 2008 | World Development Indicators |
| Regime Stability | -0.4 | The number of years since the most recent regime change. | 2008 | Polity IV |
| Regulation | -0.5 | Measures the extent of regulation within the business sector. It captures general regulation with respect to investment and competition. | 2008 | World Bank Governance Indicators |
| Royalty Receipts | -0.4 | Royalty and license fees are payments and receipts between residents and non-residents for the authorized use of intangible, non-produced, non-financial assets and proprietary rights. | 2008 | World Development Indicators |
| Rule of Law | -0.5 | The extent to which individuals within a society respect property rights, the police and the judiciary system, as well as the quality of police and legal safeguards | 2008 | World Bank Governance Indicators |
| Savings | -0.3 | Gross Domestic Savings. | 2008 | World Development Indicators |
| School Leaving Age | -0.4 | Refers to the leaving age of compulsory education. | 2010 | Euromonitor International |
| Secure Net Servers | -0.5 | Secure Internet servers per one million people. | 2008 | World Development Indicators |
| Startup Costs | 0.2 | Start-up business costs measured as share of gross national income per capita | 2009 | World Development Indicators |
| Telecom Expenditure | -0.3 | Consumer Expenditure on Telecommunications Services | 2010 | Euromonitor International |
| Uneven Econ Development | 0.6 | Group-based inequality, or perceived inequality, in education, jobs, and economic status. Also measured by group-based poverty levels, infant mortality rates, and education levels. | 2009 | Failed States Index |
| Use of mobile devices | -0.3 | Cellular devices per 100 people | 2008 | World Development Indicators |


Appendix C: Internet Growth Maps

Please refer to the following pages for the visual maps of global Internet users leading up to the year 2020.
