A Multi-stakeholder Approach to Cybersecurity Risk Management

Managing the risks inherent in the use of information technology is perhaps more difficult than governing any other dual-use technology because of information technology’s ubiquity and importance to international security, economic activity, and daily life around the world. Part of the challenge is also that key players lack a shared understanding about threats and a nuanced language to discuss their concerns. Americans and Europeans talk about cybersecurity, free enterprise, and civil liberties, while the Russian and Chinese governments express concerns about “information security” and the internet as a tool for political subversion. The term “cyber attack” remains so undefined as to describe everything from website defacement, phishing scams, and denial-of-service attacks to multi-million dollar electronic thefts and the destruction of critical infrastructure. And nations are only beginning to examine and consider the legal constraints involved--especially in the realm of international law--in the use of cyber tools for military and national security purposes.

No country, company, or private individual can fully utilize the benefits of information technology while protecting all of their own data, communications, or computer networks from every potential cyber threat, regardless of how much time and money they invest in protective systems. Each entity must set priorities, balance tradeoffs, and make choices about cyber protection, knowing that their choices will affect others and that others’ choices will affect them, too. An array of state and non-state actors must also weigh strategic and ethical considerations when deciding whether to use their cyber skills offensively to gain some military, intelligence, economic, or political advantage. A critical strategic question is whether the potential gains from refraining from revealing a software vulnerability, so as to protect its future use as an offensive tool, outweigh the consequences if it is discovered and exploited by someone else. These actors must further decide how much information to share about cyber threats and vulnerabilities, knowing that sharing information can reveal weaknesses at the same time that it can increase protection.

Minimizing the most serious forms of cyber attack, espionage, and crime without hindering beneficial uses of information technology requires skillful multi-stakeholder governance. This project includes a set of research, education, and outreach activities to facilitate that process. 

The first part of this project is the specification of an effective cyber risk framework that gives actors an ability to define, assess, measure, and compare a variety of cyber events. Organizational leaders and policymakers can use this approach to differentiate among different types of cyber threats, assess which types of disruptive or exploitative attacks pose the greatest risks to the things that they care most about, and evaluate whether they have adequate measures in place for protection, incident response, and recovery.

A second part of this project is focused on cyber information sharing among different stakeholder groups in the United States and other countries, as well as cyber information sharing between countries. It includes development of a database on international cyber information sharing agreements and an analysis of patterns in those agreements. While the number of international agreements to share various types of cyber information is growing rapidly, most of these agreements express vague aspirations rather than specific commitments about what type of information to share, with whom, under what conditions, and for what purposes. This effort involves examining how, if at all, countries currently operationalize their voluntary pledges to share cyber information, and exploring what additional information sharing among strategic partners and potential rivals might be mutually beneficial.

The third dimension of CISSM’s cybersecurity work involves executive education programs to help government officials from different agencies, industries needing or supplying cybersecurity services, academic experts, and other stakeholders have more productive conversations about reducing risks without compromising other values. The initial focus of these efforts is on using the CISSM risk assessment methodology to help the Japanese government set priorities and develop plans to enhance cybersecurity for the 2020 Olympics in Tokyo. 
