On Thursday, MIT's Computer Science and Artificial Intelligence Lab (CSAIL) launched the Secure Cyber Risk Aggregation and Measurement (SCRAM) cryptographic platform (.PDF), which aggregates data to show the weakest spots in security -- and those leading to the worst financial losses.
According to the researchers, at a time when many organizations are restructuring and cutting costs due to the disruption caused by COVID-19, a technological solution that is able to quantify an organization's security posture and recommend what areas to prioritize is valuable.
SCRAM, developed by Taylor Reynolds, technology policy director at MIT's Internet Policy Research Initiative (IPRI), economist Professor Andrew Lo and cryptographer Vinod Vaikuntanathan, does not require users to reveal sensitive corporate data, but instead, builds its recommendations based on existing security incidents without accessing the finer points of each event.
The team says that the platform has three goals: to quantify how secure an organization is, how their security compares to rival companies, and to evaluate whether or not cybersecurity is being given the right budget -- and if not, what priorities should be changed.
During tests, internal data was received from seven enterprise companies averaging 50,000 employees with annual revenue of $24 billion. SCRAM then aggregated data from 50 security incidents at the participating companies, mapped to Center for Internet Security (CIS) Sub-Controls, allowing researchers to analyze the attack vectors and what steps could have potentially prevented each one.
By using multi-party computation (MPC), the team was able to perform the per-control calculations without reading or unlocking the confidential information they were sent. Once the analysis was complete, each participating company received its own cryptographic key to unlock its report privately.
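As an added illustration, not SCRAM's own code (the article does not detail its protocol), the snippet below uses additive secret sharing, a basic MPC building block, to sum per-control loss figures across companies so that only the aggregated totals are ever opened; the control labels and dollar amounts are constructed.

```python
import secrets

PRIME = 2**61 - 1  # field modulus; must exceed any possible sum of loss amounts

def share(value: int, n: int) -> list[int]:
    """Split value into n additive shares mod PRIME; any n-1 shares look uniformly random."""
    shares = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares

def reconstruct(shares: list[int]) -> int:
    """Recombine a full set of additive shares into the original value."""
    return sum(shares) % PRIME

def aggregate_losses(company_reports: list[dict[str, int]], n_servers: int = 3) -> dict[str, int]:
    """Each company splits every per-control loss figure into one share per computation server.
    Each server adds up the shares it holds for each control; only those per-control sums are
    recombined, so no server (and no other company) ever sees an individual company's figure."""
    controls = sorted({c for r in company_reports for c in r})
    # server_sums[s][control] = running sum of the shares server s has received for that control
    server_sums = [{c: 0 for c in controls} for _ in range(n_servers)]
    for report in company_reports:
        for control in controls:
            # A company with no loss under a control still contributes a share of 0,
            # so the share pattern does not reveal which controls it reported on.
            for s, sh in enumerate(share(report.get(control, 0), n_servers)):
                server_sums[s][control] = (server_sums[s][control] + sh) % PRIME
    # Opening step: servers publish only their per-control sums, never raw shares
    return {c: reconstruct([server_sums[s][c] for s in range(n_servers)]) for c in controls}

# Constructed sample input (hypothetical companies, placeholder control labels, USD losses)
SAMPLE_REPORTS = [
    {"malware-defenses": 1_200_000, "port-control": 300_000},
    {"malware-defenses": 450_000, "audit-logging": 800_000},
    {"port-control": 950_000, "audit-logging": 250_000},
]

if __name__ == "__main__":
    for control, total in aggregate_losses(SAMPLE_REPORTS).items():
        print(f"{control}: ${total:,}")
```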
"The power of this platform is that it allows firms to contribute locked data that would otherwise be too sensitive or risky to share with a third party," Reynolds says.
The MIT CSAIL team found that the most expensive financial losses, exceeding $1 million, were caused by failures to prevent malware infections, unauthorized communication over ports, and failure to log and manage security incident records.
In the future, the researchers hope that more companies will participate; in particular, from the electricity, financial, and biotech industries. If 70 to 80 companies representing these areas join up, MIT believes it will be able to "put an actual dollar figure on the risk of particular defenses failing."