IMPROVING THE INTERNATIONAL

COMPARABILITY OF STATISTICS

PRODUCED BY CSIRTsDeveloping Cybersecurity Risk Indicators panel26th Annual FIRST Conference

Aaron Martin

Feasibility study design

• Questionnaire developed to determine:– Can CSIRTs respond to these

questions?– Would the data collected help produce

quality statistical indicators?

• Widely distributed to national CSIRTs

• 25 responses• Analysis of results ongoing

Preliminary analysis

• Three sets of primary questions1. General aspects of CSIRTs2. Organisational capacity3. Incidents

• Feedback questions– Explaining non-responses– Additional information

• Basis for calculations• Difficulties encountered• How to improve the questions

General aspects

• Accounting for more than one national CSIRT per country/economy

• Classifying CSIRTs by constituency• IP addresses as an indicator of

network size• Internet users as an indicator of

network size• Understanding CSIRT data sources

Capacity questions

• CSIRT annual budget• Percentage of budget funded by government• FTEs employed by the CSIRT• FTEs employed for security incident handling• Technical skills• Incident reports handled without human

intervention (i.e. automated)• Requests for assistance dedicated action taken• Targeted mitigation (proactive notice)• Formal co-operation• Informal co-operation

Incident-related questions

• Phishing websites hosted in the CSIRT’s constituency

• DoS attacks targeting the constituency

• Defaced websites hosted in the constituency

• Servers hosting malware• Servers directing to malware• Botnet C&C servers