Yesterday’s news brought an intriguing headline “The Norton Top 10 Riskiest Online Cities Report Reveals Who’s Most Vulnerable to Cybercrime.” I read the story, examined the report and sadly concluded that there was much less here than meets the eye.
As novelist G.K. Chesterton once wrote “It’s not that they don’t know the answer. It’s that they don’t know the question.”
The report measured the online risk of a city by looking several pieces of data, including:
- Cybercrimes data from Symantec Security Response, including number of malicious attack, number of potential malware infection, number of spam zombies, number of bot infected computer, and level of Internet access
- Expenditures on computer hardware and software
- Wireless hotspots
- Broadband connectivity
- Internet usage
- Online purchases
The report leaves much to be desired for at least three reasons.
First, the data collected may not meaningfully relate to online risk. Expenditures on computer hardware and software may mean little or nothing since one large supercomputer can cost the same as zillions of PCs and actually lower risk.
Second, missing from this list are things that would serve to mitigate risk such as:
- Number of information systems security professionals in the City
- Average number of information security professionals per 1,000 computers and per company
- Percentage of computers who connect to hotspots using a VPN
- Percentage of companies ISO27001 certified
- Numbers of CISSPs, CISMs, etc
- Percentage of businesses / homes with professionally managed firewalls
My third objection may be the most fundamental of all. Just exactly what is “online risk” supposed to mean when applied to a city as opposed to an organization or individual. My online risk goes up or down as the total number of bot infected or spam zombie computers in the world goes up or down. My online risk is pretty much the same whether there are more bot infected or spam zombie computers in Seattle or Los Angeles; it’s the total number that matter, not where they happen to be located.
My risk is my risk: It depends on my specific online habits and the specific security measures I take, not whether I’m more likely to be attacked from down the street or halfway around the country [or even the world].
If a city’s online risk is to measure the likelihood of my being attacked by virtue of being online in that city — analogous to what physical risk measures when we say that one city is safer than another — than the factors Norton used in the survey are, I contend, simply the wrong factors.
As you see, my objections are less related to security than to the nature of the survey itself.
Nice try Norton. But you need to go back to the drawing board, if there’s even a drawing board here.