World-first cyber event classification system launches in UK

Classification scale will convey impact of systemic cyber events

Cyber events will be categorised on a scale of one to five

The Cyber Monitoring Centre will categorise major cyber events with immediate effect. The implications for the understanding of cyber risks and harms could be significant.

In a world-first initiative, the Cyber Monitoring Centre (CMC), an independent and non-profit body, will deliver a framework to assess the severity of cyber events as they occur, categorising incidents on an easy-to-understand scale from one (least severe) to five (most severe).

The CMC’s Technical Committee, which is chaired by former CEO of the National Cyber Security Centre, Ciaran Martin, and comprises leading cyber experts, uses a wide range of data and analysis to assess and categorise incidents against the framework.

The committee will categorise incidents that have a potential financial impact of more than £100 million, that affect multiple organisations and where there is data or information available to enable assessment.

One of the CMC’s stated aims is transparency, and full details of the event categorisation methodology are publicly available.

Commenting on this milestone in the UK’s approach to cyber risk management, Martin says:

“Measuring the severity of incidents has proved very challenging. This could be a huge leap forward. I have no doubt the CMC will improve the way we tackle, learn from, and recover from cyber incidents. If we crack this, and I’m confident that we will, ultimately it could be a huge boost to cyber security efforts not just here but internationally too.”

Costing cyber crime

The oft-quoted figure for the cost of cybercrime in the UK is £27 billion per annum, but that number was calculated back in 2011, which feels like a very different era in many respects.

Once the Technical Committee has categorised an event, the CMC will publish the event category from one to five through multiple channels. Each categorisation will be supported by an event report, which will provide an explanation of the analysis, including additional insights from the analysis work. All this information will be made available free of charge.

Speaking at the launch of the cyber classification system, Martin set out the paradox of cybersecurity: for a data-rich and technically sophisticated industry, it isn’t very good at measuring harm. This is not just bad for those at the sharp end of insuring against this harm. It’s bad for public policy and for public understanding of a complicated problem.

Public perceptions of cyber harms are also skewed by media reporting of wide-scale data breaches, which are often over-reported in proportion to the actual harm they cause. An example given by Martin was the Electoral Commission data breach a couple of years ago. This was uncovered at the same time as a much smaller-scale breach at the Police Service of Northern Ireland. The latter was smaller and received far less media attention, but was significantly more harmful.

The classification system is an attempt to finally get to grips with the challenge of properly calculating the financial cost of cyber harms. The aim is not just to provide information for insurers, but to inform policy makers and deepen business and public understanding of cyber risks and harms with a consistent and objective measurement.

CEO of the CMC, Will Mayes, said: “The risk of major cyber events is greater now than at any time in the past as UK organisations have become increasingly reliant on technology. The CMC has the potential to help businesses and individuals better understand the implications of cyber events, mitigate their impact on people’s lives, and improve cyber resilience and response plans.”

“I would also like to acknowledge the support from a wide range of world-leading experts who have contributed so much time and expertise to help establish the CMC and continue to provide data and insights during events. Their ongoing support will be vital, and we look forward to adding further expertise to our growing cohort of partners in the months and years ahead.”