1

ANALYSISOFCYBERMETRICSWORKSHOPLondon,23May2018

INTRODUCTIONTheResearchInstituteinScienceofCyberSecurity(RISCS)istheUK’sfirstacademicResearchInstitutetofocusonunderstandingtheoverallsecurityoforganisations,includingtheirconstituenttechnology,peopleandprocesses.RISCSisfocusedongivingorganisationsmoreevidence,toallowthemtomakebetterdecisions,leadingtothedevelopmentofcybersecurityasascience.Itcollectsevidenceaboutwhatdegreeofriskmitigationcanbeachievedthroughaparticularmethod–notjustthecostsofitsintroduction,butongoingcostssuchastheimpactonproductivity–sothatthetotalcostofownershipcanbebalancedagainsttheriskmitigationthathasbeenachieved.RISCSmaingoalistomovesecurityfromcommon,establishedpracticetoanevidencebaseinmuchthesamewayashappenedinsectorslikemedicine.

OnMay23,2018,RISCSheldaworkshopinLondonthatlookedattheutilityofcybersecuritymetrics.Thepurposeoftheworkshopwastodevelopadeeperunderstandingofthewaysinwhichcybersecuritymetricsareusedindecision-makingmoregenerally,andalsotoraisequestionsabouthowdataisbestpresentedtotheboardandthepolicycommunitymorespecifically.Wewantedtoexplorethepotentialformetricstohelpbutwealsowanttotakeacriticalapproachtotheunderlyingvaluesthatcanshapemetrics–andconsequently,decisions.

ForfurtherinformationaboutthisreportoraboutotherRISCSinitiatives,pleasecontactEmmaBowmanatriscs.administrator@ucl.ac.uk.

2

METHODOLOGY:Toinvestigatetheutilityofcybersecuritymetricsinthedecisionmakingprocessofindustryandthepolicycommunity,wegatheredagroupof70peoplefromacademia,industry,thepolicycommunityandthetechnicalcommunity.Weaskedthesepeopletoself-identifythemselvesas‘providers’or‘consumers’ofmetricsandtoindividuallyorcollaborativelyrecordtheirresponsestofourquestionsthatweaskedoftheirgroup.Forthecybersecuritymetricsprovidergroup,weaskedthemtopopulatethefollowingtable:

Weaskedthosepeoplewhoidentifiedastheconsumersofcybersecuritymetrics(decisionmakersaboutinvestment,policyetc)torespondtothequestionsonaseparatetable:

AcompletetranscriptoftherecordedresponsesisincludedatAppendixA.Onthefollowingpages,wepresentouranalysisofthefindings.

3

SUMMARYOFFINDINGSProvidingtailoredcybermetricsisanopportunitytoengagewithleadersandshapetheirperceptionsofinformationrisk.Theoutputsofthisworkshopsuggestthatsuccessdependsonprovidersdeliveringmaterialthat:

• genuinelyreducesuncertainty;• addressesspecificquestions;and,• usesthelanguageofbusiness.

Thetablebelowbringsoutthetrendsfromourworkshopintermsofwhatisandisnotrequiredbydecision-makers.Belowaresomeofthemostinterestingconclusionsthatwehavedrawnfromthedata.

➡ Wesawthatsomerequirementsmaybemetwithreticencefrommetricsproviders,perhapsbecausetheyareincendiaryorembarrassing(e.g.rankings,disclosures,overlyambitiousinformationsharingregimes).Providerstendnottowanttodeliverunwelcomenews,forexampleproofthatpastinvestmentshavedeliveredlittlebenefit.Themostsignificanttensionappearstobebetweentheneedtoinformfinancialdecisionsandthereluctancebysomeproviderstodelivermetricswhichover-promiseonthatfront.Theextenttowhichthissomethingtodowithtrustandliability,oralackofmutualunderstandingbetweenconsumerandproviderwouldrequirefurtherstudy.

➡ Theresponsesalsorevealedasenseofmistrustinmetricsdeliveredbysomecommercialproviders.Whilethesemetricswouldbeincreasinglyusefulasmoreservicesareoutsourced,therewasafeelingamongsomeparticipantsthatcommercialserviceprovidershadn’tnecessarilythevestedinteresttoprovideaccurateortimelymetrics,especiallyifServiceLevelAgreementswerebeingbreached.

➡ Someconsumerrequirements–whilevalid–aredifficulttoachieve,perhapsbecauseoffinancialconstraints,frailtyofcommercialproductsorlackofqualitydata.Forexample,wesawafewcommentswhichsuggestedthatcommonvulnerabilityscanningtoolslackedaccuracy.Otherexamplesofmetricswhichcouldbedifficulttoproduceincluded:protectivemonitoringandalertingcapabilities,assessingthetruecostofanincident,gainingconfidenceincyberinsurancepolicies,understandingtheoverallcostsfromcybercrime,metricizingtheblockerstosuccessfulGDPRcompliance,anddelivering“micro-narratives”todecision-makers.

➡ Thereweresomenotableinstanceswhereprovidersofmetricscouldoffernewideas.Forexample,howmuchsystemsdowntimehadbeenencounteredduetorogueeventsoractivitieswhichwerebeyondthecontrolofnetworkmanagers.Someproviderssawvalueinengaginginadialoguewithleaderstorefineprioritiesandbuildconsensus,forexamplewhereexcessivecosthadbeenincurredduetonotinvestingearlierinsecurity.Therewasalsothesuggestiontoobtainaccurateimpactandvulnerabilityscoringthroughtable-topexercising.Someproviderswereinclinedtodeliverquiterevelatorymetrics–conditionalonfeelingsafetodoso–includingthereal“value”ofextendedsupportcontractsandevidenceofsensitivecompromisesandvulnerabilities.

4

WHATCONSUMERSWANT WHATCONSUMERSDON’TWANT

THECOMPETITION:• HowamIperformingagainstmycompetitors?• Whathappenedtomyoppositenumbersinother

companiesafterabreach?• Whatwastheimpact/costoftheirmistakes?• Benchmarking:howamIdoingcomparedtomypeer

group?Whatistheprobabilityofabreachcomparedtomycompetitors?

• Made-upnumbers.• Feelingbombardedby

meaninglessornitty-gritty,technicaldata.

• Snapshotswithnotemporalcontext.

• RAG(Red,Amber,Green).• Unqualifiedopinion.• Biasorexcessivesubjectivity,

especiallywrappedupinsomethingsuccinctorscientific-looking.

• Fear-mongering.• Blame.• Salespitchforsnake-oilormagic

bullets.• Unstableorunrepeatablestats.• Styleoversubstance.• Jargon.• Olddata.• Inappropriateorineffective

visualisationtechniques.• Spin.

IT’SALLABOUTTHEMONEY• Relevance:whatismyreturnoninvestment?• Howdomycyberrisksaffectmyabilitytoraise

capital?• HowmuchriskamIunabletotransfer(e.g.through

cyberinsurance)?• AmIcarryingcriminalliabilitythatIcan’ttransfer?• Gettingtorootcause:solvemanyproblemswithone

fix.• Costofrecoveryvscostofcontrol(proactivevs

reactivepostureoncybersecurity,andcomparativecosts).

• What’stherisk/costassociatedwithdoingnothing?

CYBERSECURITYATAGLANCE• SomecommentspointedtowardsabasicSecurity

Operationscapability• Dashboarding,e.g.networkboundaryactivities

THREATS&VULNERABILITIES• Pastbreachesareagoodindicatoroffuture

vulnerabilities.Andmetricsofrealincidentsaremoreinformativethanpotentialones.

• Isthreatintelligenceused?Howusefulisit?Whereelseisitused?Whereisthreatintelrealandvaluable?

5

• Whataremypriorities,ratherthanjustloomingthreats?Don’tscareme,informme.

• Aretherequickwinsavailable?HowcanImakesomeprogressfast?Helpmeliftopportunitiesoutofthenoise–whatcanIdorightnow?

• Trackingcapabilityoflow-capabilitythreatactors.• Impact,ratherthanquantity,ofincidentsis

important.

THEUSER• Areusersabsorbingtraining?E.g.arethey

forwardingsuspiciousemailsontothesecurityteam?

• Securityvsproductivity:spottingwheresecuritypolicyisfatiguingpeopleandimpedingproductivity.

• Cultureandindicationsofuserwellbeingandbehaviour(andtheriskthatpresents).

THIRDPARTIES• Whereissensitivedatagoing?Whomisitbeing

sharedwith?• Howdoyoutrustthestatsprovidedtoyoubythird

partyserviceproviders?

6

APPENDIXA:TranscriptionofCyberMetricsworkshopresponses

PartOne:Responsesfromconsumersofcybersecuritymetrics

“Keepitcoming!”(Alreadyreceivethisandfindituseful)

• CommonVulnerabilities&Exposures(CVE)vulnerabilitydatabase• Resultsofcyberdefencematurityassessments• Detailsofpastincidents• Timingseriesanalysisofpastbreaches• RiskassessmentofITchangeprojects• Patchingstatus• CyberEssentials• Consistenttimeseriesmetrics• Organisations’strategy:relevanttohowthisbusinessmakesitsmoney• Incidents,butbydept/functiontofindriskareas:simpletotalnumberisnotthatuseful• RiskassessmentsofITchangeprojects:base,withcontrols,costsandoptions• Returnoninvestment• Barrierstouptakeofbehaviour• Realincidentbreaches,ratherthanpotentialones• Punishmentsreceivedbyotherboards’directors• Overviewofattackattempts,especiallyovertime• Livedashboard,e.g.AVlevels/status• Metricsintermsweunderstand,e.g.businesslanguage• Understandingperceptionsofrisk• Doorganisationsunderstandwhatiscriticalforthem,i.e.whattoprotect?• Malwarenotifications• Qualitativeanalysisofwhat’suseful• Whatismyuninsuredrisk?• Datathatenablesmetodosomething,whatchangescantheorganisationdotorespond?• Whatincidentshaveaffectedorganisationsandwhatisthetrend?• Short,sharpandtothepoint• Howdoesmylevelofuninsuredriskaffectmyabilitytoraisecapital?• Metricsalignedtosolutions• Levelofrealvaluableknowledgesharingwithinasector• Doorganisationsreceiveanyusedthreatintelligence(understand)?

7

• Datathathasasupportingnarrative• Surgecapacity,usedspace,e.g.whenit’s>80%,itshouldgiveyouanalert• Usagepatterns,responsesinshort,mediumandlongterm• AV/malwarecoverage• No.ofinstallsuptodate• Detectionsalerts:typesandpropagation• Actions:cleanedandquarantined• Networkcapacity:e.g.usedbandwidth/time>x%,ittriggersanalert• Positionmetricsasatooltoenhancethebusiness,nottopresenthurdles• Phishingtests• Governanceofcybersecurity,seeCyberAssessmentFramework(CAF)• Howdoesanexpenditureaffectmyuninsuredrisk?• Bostonconsultancymatrix:Iwanttoknowmoreaboutmy“star”and“cashcow”areasthan

my“dog”ormy“questionmarks”• Areaswherewearenotcompliant• Howdowehavetheconfidencetodiscusscyberonceayear,ratherthanonceamonth?• HowismycybersecuritypostureaffectingmydefencewithrespecttocriminalliabilitythatI

cannotconvert?• Small&Medium-sizedEnterprises(SME)withCyberEssentials(Basic&PLUS),IASMEor

otherlevelofsecuritymanagement

Wishlist(Don’tcurrentlyreceivethisbutwouldliketo)

• ConfigurationstatusofthecorporateIT:noofdevices,softwarerunning,knownvulnerabilitiesmappedfromCVEdatabase,plusseverity

• Sensordata:typesofattack,accessvectors,effects,impact• Effectivenessoftrainingandawarenesspackages,e.g.howmanypeopleclickedthelink

duringaspear-phishingcampaign?• Suitablequantitativemetricsforhumanfactors(notsureifthisispossible)• Physicalsecurity:notseenmuchinthisarea• Riskassessmentandassociatedinvestmentplan• Securebehavioursvstarget/norm,e.g.phishisreported• Supportinganalysis/datathatgivemoredetailswhenneeded• Awareness,engagement:minusdone+howwelldone,e.g.lingertime• Metricsaren’tjustaboutnumbers• Dayslostperyearduetosecurity‘features’• Quantitativeandqualitativedata(holisticview)• Userawarenesslevel

8

• Robustnessofchangemanagementprocessinorganisation• TimetofixbytheISP/SystemIntegrator• ITprojectswithsecuritydesignedasaproportionofmereexistenceofsecuredesign

practice• Likelihoodofthebreaches(supportedbyrobustmodel,e.g.[couldn’treadit])• Insecurebehaviours:clickingdodgylinks,useofUSBs,useofdropbox,webmail• Doingtrainingtooquickly,ignoringawarenessmaterial• Realincidentdata• Impactofbreaches• Metricsthatshowimpactofincidentsnotjustnumberofincidents• Behavioursthatcouldbeinsecure,whoclickslotsoflinks,whobrowsesalot?• Anythingthatdemonstratesimpactonfinancialaccountingmetrics• Thirdparties• Goodbenchmarks• Threatactoractivity• Relevantbusinessactivity• Puttinginformationinthecorporatecontext,thinkaboutourannualreport• Sector-by-sectormetricswithuniformmethodology• Qualitative,outcomes-baseddata• Networkmapsofhowdifferenttypesofattackaremaybecausedbythesamerootcauses• Aquicksummaryforhighlevelexecutivepack• Identifiedcybersecurityrequirementstobeimplementedbyusers• Quantitativeconsequencesfromcasestudiesofsimilarcompanies• Whenweareinmergersandacquisitions:overviewofsystemintegrationriskaspartofbid

costvsbringingdataontoourexistingsystem• Numberofsilentconnectionstomyphone/device,theirthreatlevelandactionablestepsto

reducerisks• Resilienceofmydevicestodifferenttypesofattack• McGraw/BSIMMdata• Numberofpasswordsre-used/repeatedacrosswebsitesandservices• Metricsmusthavecontext,otherwisethey’rejuststats• Mandatorycriteriatobenchmarkcybersecuritystatusofanorganisation• SecurityactionsIhavedoneright• Notificationofpersonalimpact,notorganisationalortechnicalimpact• Quickwinsandlonger-termsolutions• Realtimedashboard• Returnoninvestment/cost-benefit• Pleaseputsystemrisksinbusinesscontext,productivity,costetc• Productivity,cost-benefitofcontrols,e.g.timetrainingvsvalue• Developsecurecodingcapability• Howourcompetitorsaredoing:notseeingmuch• Whatagoodprocesslookslikeratherthananoutcome• IfwehaveoutsourcedourIT,whatinformationshouldwecontractourprovidertoreport?

Howcanwetrustthem?• Understandingofeffectivenessofasecuritycontrol• Quantifiableriskofdoingnothingdifferently

9

• Robuststatsaboutbehaviourratherthanthinking/intention/awareness• Riskmanagersreport• Option/negotiation:information/threatalertsuggest/requiresactions/response,butwhat

arethealternatives?Thein-betweenoptionsandconsequences?• Meaningfulconnection:whatdothesenumbers/percentagesmeanintermsofrequiredor

recommendedactions?• IndicationofpossibleemployeeabusethatmightactuallyindicateanHRissue,e.g.stressor

poormanagement• Analysiscouchedintermsofbusinesscontinuity• Securityculture(seeCPNItools)• Truecostofrecoveryvscostofcontrol• Wantmore!80%say….[referencetoMadeline’spresentation]• CostofmeasureimplementedthisFY• Formulatoturnthreatintelligenceintoriskprofile• Capabilitylevelofattackeryoucandefendagainst(STIX/TAXII)• Howmuchproductivitylosttostupidsecuritypolicies?• Subjectiveassessmentofriskofattack,threatvsmeasures• Benchmarkingagainstasimilargroupoforganisations• Capabilitytoachieverecoverytimeandpoint[sic]objectives• Lessstats,moreinfo• Changesofnetworktrafficfollowingnewsecuritypolicyimplementation• Incidentstracedtorootcause• Howmanyotherpeopleforwardphishingemailsforanalysis?• Probabilityofabreachinmyindustryformyapplication• Howservicesareinterrogatingmydata,e.g.howismyemailbeingread?• Onwardtransmissionofmypersonaldata• Largecompaniesaretakinganactiveleadershiproleinsupportingtheirindustrysector• Howdoyoucapture/representtheintentoftheactioninametricform?• Performanceoftrainedusersthreemonthsaftertraining?!• Doyouhaveanincidentmanagementplanandhaveyouexercisedit?

“Stop!”(Currentlyreceivingthisbutdon’tfindituseful)

• Makingupnumbers• Numericalstatsoverload• Singlereports,i.e.notinrelationtopastorfuturemetrics• Numberofhitsonmyfirewall• Numberofemployeesclickingonfakephishingemails

10

• Privacystatementsandpasswordstrength• RAG(RedAmberGreen)ratings:doesn’tmeanthesamethingtoeveryone• “Expertopinion”• Howmanyorgshaveasecuritypolicy?• Numberofincidentsordetectioneventswithnobaserateofoccurrence• Cherrypickingdata,i.e.biasedanalysis• Bullyingwiththreatsof“badthings”• Machinespatched• Networkmonitoringstats• Blamingusersbytellinguswhatthey’vedonewrong• Userstrained• Magicbulletsolutions• Trafficlights• Anythingthatyoucannotprovetomewillbestableenoughtoinvestinmeasuringovertime• 3Dpiechartsorbubblecharts• Uncontextualizednumbers• Non-contextualstats• Metricsfullofjargonwithoutexplanations• Drowningmeindata• “indexes”thathidecomplex,subjectivemethodologies• SIEM• AVstats• Patchedpercentages:I’monlyinterestedineffects• Nitty-grittydetailofsystempatching• Tick-boxprocessconfirmation• Outdateddata• Anythingqualitative• Historicevents,e.g.pastebin• Detailsofindividuallower-significanceincidents/issues• Progressagainstcompliancerequirement• Irrelevantdatawheretheresultsarenotsignificant• Phishingteststats:hugelyvariableifcomparedonetothenext,butusefultocompare

betweendeptstofindriskareas• Poorpresentationofthegraphics,e.g.poorchoicesofcolour,inappropriatecharttypes• Incidentnumberswithoutcontext,e.g.6,000incidentsacrosssectorXin2015

11

“Thanksfortheoffer,but….”(Don’treceiveitandwouldn’twanttoifitwereoffered)

• Metricsforafee• Riskmetricswithoutsolutions• Metricsthatpromptmorequestionsthananswers:don’tgivemeproblemswithout

solutions,I’mbusyenoughalready!• Datathathasbeensanitisedbymiddlemanagement• Unsolicitedsalespitch:informationgathering,socialengineering

12

PartTwo:Responsesfromprovidersofcybersecuritymetrics

“Ican/doprovidethis”(Currentlydeliveringandplantocontinue)

• Totalcybersecurityspendasapercentageofrevenue/profit• Existenceandrehearsalofincidentresponseplan• BGProutingtables• DNStracedataaboverecursiveresolver• Likelihoodoffuturebreach• Numberofphishingattacksinmyorganisation• Timetoresumeservicedeliverypost-incident• Impactofincidentonservicedelivery/BaUprocesses• Timetoincident/compromisedetection• Maxnumberofroguechangedaysonmynetwork• Evidenceofnetworkcompromise• #comment:categorisepreventionmetrics,detectionmetrics,responsemetrics,and

recoverymetrics• Totalnumberofknownvulnerabilitiesonthenetwork• Numberofdetectednetworkintrusions• Numberofbreachesasaresultofuntargetedandunsophisticatedattacks• Riskregisterentries,i.e.likelihoodofabreachofcustomerpersonaldata• Motivationofthreat• SoftwareinventoryviaSoftwareID(SWID)tags• Casestudies/scenarios• Allmetricsareproxiesandsubjecttocalibrationerrors• Numberofemployeesattending/completingtraining,infosec,phishingetc(doesn’tshow

howeffectiveit’sbeen)• Evidenceofcompromise• Numberofstaffwithoutadequatesecuritytraining• Metrics/dataforthesakeofit=comforting• “value”ofextendedsupport• Worstcasescenario,e.g.dayswebsitewouldbedown,systemsthatwouldneedtobere-

built• Uptakeof/barrierstopasswordbehaviour(maybe)• Costofpastbreaches• Totalcosttoinsure

13

• Quantifiedinformationonpersonaldata,i.e.whatisourexposure,emailandcarddetailsforonemillioncustomers

• Moneyspentrespondingtopreventableincidents,i.e.ifthere’dbeenmoreinvestmentinthefirstplace

• Supportstatusofmyestate• Performanceofsecurebehaviours:reportingincidents,engagingwith

awareness/engagementduration• Cyberbreachessurvey• Numberofpasswordresetrequests• Boardengagementwithcybersecurity(FTSE350survey)• Differentmetricsonthesamesystemfordifferentperspectives• Endusercompliancewithphishingdetection/avoidancerules• Numberofcyberincidentspreventedoraverted• Insiderthreat• AdamJoinson’sobesitymap• Accountinglogs(AAA)• Malwaredetectedandquarantined• Cyberdefencematurityassessments(policy,e.g.NISTCybersecurityframework,CDCat,IA

MaturityModel)• Syslogs:firewalllogs,visualisationthroughgraphs• Patchstatus• Desktopbuild• Phishesblocked• PhishingemaillifejourneyinaSankeydiagram• Capturebysecurityproductvendor• Readteaming:table-topexerciseswithstakeholdersandsystemownerstoagreeimpactand

vulnerabilityscoresforidentifiedattackvectors• Aretheseconvenientbutnotuseful?• Levelofengagementofemployeesingoodpracticesonsecuritybehaviour,bothpassiveand

active• Statisticsonsecurityincidentfromsoftware,hardwareandhumananalysis(serverand

clientsides)• Statisticsonhumansecuritybehaviourestimatedfromsoftware,hardware,surveys,

observations,analysisofdataandreportedincidentsetc

14

“I’dliketobut…”(Wouldbehappytodeliverbuttherearefeasibilityissues)

• Analyselogsbeforeaproblemoccurs• Completevulnerabilitymanagement• Behaviours/securityculture• Assurancelevels• Numberofunknownvulnerabilitiesinthenetwork• Costofanincident• AmIcompliantwiththetermsofmycyberinsurance?• Asinglemetricthatcanbecomparedacrossallorganisations• Costoffuturebreaches• Accuratecostofcybercrimetoacompany• GDPRconstraints• Micro-narratives• Mismatched/ill-fittingdataprotectionrules• Instrumentsnotavailable(tooexpensive)• Feedbacklooponmetrics–stillrelevant?• Howsecurearewe(withasinglepercentagevalue)?• Qualitativedata:resourceautomate• Informationthatinherentlyrepresentsthetask(conceptualratherthanthedata(computer

science))• Knowingwheninformationisstillrelevantandnotoutofdatetobeofanyuse–create

informeddecision

“IcoulddobutI’drathernot”(It’sfeasibletodeliverbutmakesmeuncomfortable)

• Accuracyofvulnerabilityassessmenttools• Estimatedcostsofsecurityincidentsandcrimeincyberspace,intermsofmonetaryvalue• RAG(RedAmberGreen)ratings• Boardengagementbysector

15

• Rankingsofcompaniesbycybersecuritycapacity• Fixtimesbysupplier/contractor:incendiaryormisleadingbecauseofServiceLevel

Agreements• CyberEssentialsuptake• Confidentialityconstraintstodisclosingdata• Numbersofscansoneachportonawebserver• Timetofixwebsitevulnerabilitiesinapublicleaguetableoforganisations• Degree/reportofvulnerabilitiesfixed/recommendationsaddressedpost-penetrationtest• Resultsoftestingemployeesecurity/awareness• Daysexposedtodisclosedvulnerabilities• Costofproviding/managingtechnicalcontrols• Numberoftimes(threat)intelhasbeensharedviaCISPetc• Employees’digitalfootprint/corporateinformationexposedviainternet/socialmedia• Numberor%ofemployeespassingformaleducation/training/certificationetc• Benchmarksagainstpeersinsameindustry/sector• Improvement-relatedstatisticsonsecurityincidentsandbehavioursintermsofnumbers• Thesecanbeusedtogameotherindicators• Numberofhigherprivilegeaccesses• Toohardtodisentanglefromvalueproposition• Netflow/IPFixatorganisation/internetboundary• DNSTracedatabelowrecursiveresolver• Madeupdataormisleadingdata• Penetrationtestresults• Provenance• Ensurecoverage/samplesize• Isametricwhichofthese?Evidence,data,measurements,mathematicalsenseofdistance

betweentwoitems(Ithinkwemeanevidence)?• Haverawdatabutdifficulttoaggregateorvisualise• Numberofourbackdoors

16

“Weneedtotalk”(Thiscannotbedelivered.Evenifitcouldbe,Iwouldn’twantto)

• Anestimateofthenumberofcyberbreachesprevented• Anythingthatshowsmeinabadlight• AgreedmetricsfromUKGovernment(NCSC)forscoringimpactandvulnerability• Anythingthatclaimstodemonstrateimpactonfinancialaccountingmetrics(ProfitandLoss,

balancesheetsetc)• Awidersharing/collaborativenetworkofexpertspreparedtoshareinformationandwork

together• Contextualisedquantitativedata• Numberofcompetitors’backdoors