There are many questions that could be addressed by statistical analysis: • What attacks work in 2021? • How much is the “physics” of attacks really changing and how quickly? • Do attackers need to win once, or must they achieve repeated wins? • What product features are frequently attacked? Are there configuration settings which are hard to set or check? Are the defaults on those set securely? • What products are attacked most frequently? Are those numbers related to market prevalence, and if not, what might we learn? • What common controls don’t seem to matter (in preventing breaches or rapidly recovering from them?) • What uncommon controls seem to help (for example, call attention to attacks more rapidly or provide unexpected benefits in remediation)? These questions are speculative, and can be enabled by deeper research questions.
Tensions persist, including security, transparency, and blame Cybersecurity professionals often communicate with each other, and not the general public. Communication skills are absolutely vital in conveying the gravity and long-term meaning of incidents while also protecting victims and the privacy of those involved.
44
Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity
