The landmark report, entitled Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model, is the culmination of nearly one decade of ISAlliance advocacy for market incentive based security reforms, and echos their previous cautions against pursuing costly regulatory constraints.

As stated in an ISA press release earlier this week, the analysis provided describes:

"frameworks for creating a new, practical model for information sharing; addressing the international nature of cybersecurity issues; developing a market for adopting good security standards and practices; building a highly educated digital workforce; and managing the global IT supply chain, among other things."

As the title of the document implies, the report is meant both as a response to the Obama Administration's Cyberspace Policy Review and also as a followup to the ISA's 2008 Cybersecurity Social Contract, which outlined several crucial areas of alignment as the logical jumping-off point for private industry and government initiatives.

From today's report:

"A major focus of agreement between these two texts is the appreciation of the economics of cyber security and the need to properly deploy incentives to generate enhanced security within the private sector to serve the broader national interest."

Central to the ISA's thesis is the under-appreciated notion that cybersecurity is an isolated technical issue that lies somewhere outside the scope of the broader economic picture.

The sobering evidence offered in the report thoroughly contradicts this pretense, noting that worldwide losses due to information security events is in the neighborhood of one trillion dollars annually.

Simultaneously, nearly half of the companies surveyed in another study reported plans to reduce security related expenditures in 2010, the report noted.

"Rewriting the economic equations currently governing cyber security issues is essential to creating the sustainable and evolving system of security that we will need to protect our nation against the emerging threats we are facing in the 21st century."

How best to accomplish this herculean task is at the crux of the ISA's recommendations.

The report likens the advent and importance of the Internet to that of the telephone and the national electrical grid in the early 1900's.

The efficacy of government policies at the time provided the necessary impetus for the private sector to invest resources to develop the national infrastructure beyond the scope of their own narrow corporate interests.

The ISA argues this approach by government and private industry was the catalyst for the rapid development and availability of these technologies that are so central to the nation's economic engine, and should be mirrored by cyber policy today.

Also provided in the ISA report are stark warnings against the temptation to overly regulate an entity that knows no national borders, has no central administrative control, and obeys no government.

Complicated regulatory legislation discourages capital investment in new technologies, as investors fear subsequent government interventions may render their investments worthless.

Regulation also creates an expensive compliance component that typically does little in the way of solving security problems, as exemplified by the passage of Sarbanes-Oxley (SOX) after the Enron scandal, and the subsequent Bernie Madoff Ponzi-scheme revelations.

"The process of developing effective regulations is inherently time consuming there is virtually unanimous agreement that any regulations specific enough to assure improved cyber security would become outdated soon after their enactment. Even more troubling than the low prospect a regulatory mandate model has for success is the fact that such a model would generate seriously negative economic and security consequences."

The report proceeds to underscore the Global nature of the Internet and related threats to information security, emphasizing the economic disadvantage American companies would suffer if subject to a system of monolithic statutes, contrived through vague legislation,  and applied across a broad spectrum of business sectors.

THE FINANCIAL NATURE OF CYBER SECURITY

One of the most difficult issues to relay effectively to the Boardroom is that of security, particularly because a great deal of the security battle is won preemptively, before the fight even begins.

And no one can say with any certainty whether or not that battle will ever be fought; nor can they guarantee a victory, regardless of the depth and breadth of their preparations.

While this uncertainty puts security professionals in a cold sweat as they contemplate the thought of unmitigated exposure, it also puts the bottom-line budget wranglers in the position of deciding how much security is enough security, seeing IT only as a cost center to be managed.

"Typically, the economics of cyber security are not readily transparent and they are poorly appreciated. When defensive investment is compromised by factors beyond an organization’s control, the motivation for continued investment is reduced substantially. Effective and sustainable improvements in our collective cyber security posture will stem from a comprehensive understanding of how to effectively motivate all players across our economic landscape to actively engage in proven best-practices in both their business and individual cyber activities."

The report also notes the disconnect consumers suffer when presented with high interest rates and fees on their credit and debit cards, and news of major data breach incidents in the payment card industry.

Many do not realize those "hassle-free" dispute resolutions that absolve them of responsibility for fraudulent charges made on their accounts are actually hidden in the cost of the items they purchase, and can be as much as or even exceed the sales tax levied in many states.

"Consumers [have a] false sense of security due to the belief that personal losses will be fully covered by corporate entities (such as the banks), when, in fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees."

The report from the ISA also makes it clear that the path to better information security is at best uphill, and echos the sentiment common in national defense strategies:  The bad guys only have to get it right once, while the good guys have to get it right every single time.

For the hackers and cyber spies it is literally a numbers game, with the bulk of their illicit scores coming from simple exploits applied among a large array of networks, just looking for that one weak spot - as opposed to more sophisticated attacks focused on any one particular target.

Either way though, the advantage definitely belongs to the criminals.

"Ultimately, with respect to cyber security economics, the dispiriting realization is that all of the current economic incentives favor cyber attackers:

• Cyber attacks are comparatively cheap and easy to execute.
• The profits that can be generated from cyber attacks are enormous.
• Because of the typically long distance physical proximity, there is very little risk of being caught or suffering retaliation.
• The cyber defensive perimeter is nearly limitless.
• Losses are difficult to assess.
• Defense is costly and often does not generate perceived adequate return on investment."

A SUSTAINABLE MODEL OF CYBER SECURITY

The very essence of the ISA report supersedes that of merely a cautionary device meant to highlight red flags and vulnerabilities.

The bulk of the seventy-four page report is dedicated to forward thinking strategies that align the multitude of singular efforts that currently characterize the infosec realm, while maintaining the free market independence and innovation that already provides protection from the majority of threats.

As noted in the report, numerous authorities agree that more than 80% of data loss incidents could have been prevented by following existing protocols and best practices.

The ISA maintains that the key to increased adherence to infosec best practices is the creation of an environment where security innovation will be rewarded by existing market forces.

This is readily evidenced by the success with which viruses and rogue malware are regularly neutralized by the private sector.

An argument could be made that the success of the likes of McAfee (MFE) and Symantec (SYMC) at protecting consumers' computers is not attributed to some cottage industry that arose out of regulatory compliance mandates.

The private sector works well in this virtual medium, where solutions can be applied to problems in a measure of minutes not months, and so the private sector should be employed to its fullest.

"While all of the frameworks described are already in some degree of implementation, they are, naturally, at varying stages, and each could benefit from further collective work. The issue areas are:

• Creating a new, practical model for information sharing
• Using incentives to develop a market for good security standards and practices
• Creating an enterprise education program to properly structure industry
• Addressing the technical and legal disconnect created by digital systems
• Managing the global IT supply chain
• Addressing the international nature of cyber security issues"

The overall tone of the report was very optimistic, but it made no effort to whitewash the very serious issues facing every industry from healthcare to energy, education to aeronautics.

Security problems pervade every aspect of the economy and our national security.

"An effective method of stimulating security would be to create a competitive market for the development and adoption of sound security practices, standards, and technologies. By creating a competitive market, the power of the market can be harnessed to motivate improved cyber security and, since many of the organizations targeted are international, improvements on a worldwide basis are quite possible."

With a lagging economy, healthcare on the national docket, the need for new energy policies and other looming national security issues like war in two theaters and the emergence of new global threats, it remains to be seen whether cybersecurity can push itself further into the national spotlight on its own merits without a catastrophic security event to propel it.

This report is undoubtedly an important step in the right direction.

The full text of the ISA report provided in PDF:

social-contract-20-final-implementing-the-obama-cyber-security-strategy1

Internet Security Alliance President Larry Clinton joined several other prominent information security advocates to provide testimony before the Senate Judiciary Subcommittee on Terrorism and Homeland Security Tuesday.

Entitled Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace, the hearings are one of several held this year by various Senate and House committees who over see everything from commerce to defense, as the nation struggles to gain insight into mountingcyber security threats, and how best to craft policies to combat them.

Clinton's testimony focused on the fact that information security in not merely an IT problem, but is in fact central to both economic stability and national security.

"First, the President is correct in his appreciation of the need to view cyber security as not just a technical and security issue, but as an economic one as well. In the 21st century - the digital century - economics and security are opposite sides of the same coin. You cannot affect one without impacting the other,"  Clinton stated.

The rapid pace of technology and security upgrades is overwhelming corporate budgets, and many are forced to make decisions about their information security based on the bottom line, not best practices.

Where federal regulation does exist, such as in the payment card industry and healthcare field, issues abound regarding the high cost of regulatory compliance, and whether regulatory compliance is actually a path to security.

Clinton and the ISAlliance favor a proactive market solution.

"Federally-imposed mandates on the broad private sector will not work and will be seriously counterproductive to both our economic security and our national security," Clinton testified.

"The Administration’s Cyber Space Policy Review takes the right approach in advocating for the development of additional economic incentives, including procurement incentives, liability incentives, and even tax incentives, to promotecyber security."

Clinton argues that regulation is really only enforceable on a national level, while most of the problems that pervade the Internet are global in nature.

The implementation of additional federal regulations will only increase security costs, put American businesses at an economic disadvantage with their foreign competitors, and actually do little to improve information security.

The ISAlliance is within weeks of releasing their much anticipated follow up to The Cyber Secuirty Social Contract: Policy Recommendations for the Obama Administration and 111th Congress released in 2008, which offered insight into the nature of the Internet and how this singularly unique entity requires a unique approach to its security.

"December 3, we will be releasing a new publication entitled, Implementing the Obama Cyber Security Strategy via the Social Contract Model," announced Clinton.

"This new document will detail specific steps to move from broad policy principles, where we find broad agreement, to implementation, and it will cover issues such as:"

• Securing the global IT supply chain
• Developing a new information sharing model generating actionable information for the broad range of the private sector
• Aligning and managing the legal incongruities created by modern technologies and outdated legal structures
• Creating both a market and incentives to promote proven effective cyber security standards/practices and technologies
• Creating an enterprise education program to enable modern corporations to properly appreciate and manage financial cyber risk
• Addressing the critical cyber security issues facing higher education
• Developing automated security standards for unified communications platforms such as VOIP

Clinton and the ISAlliance maintain that there should be enough motivation in simple self-preservation for corporations to take additional measures to protect sensitive and proprietary data, but there are just not enough economic incentives to get them to act.

There is always a catch-22 aspect to security, in that the better the security, the harder it is to articulate the need for additional measures.

Everyone sees the need after there is a catastrophic security event.

"We need to have corporations, who own and operate the vast majority of the Internet, to perceive that it is in their own self interest to continually improve not only their own security, but also the security of everyone else with which they interact," Clinton added.

But the absence of any perceived imminent threats, while in the midst of a recession, results in companies continuing to push security and infrastructure spending down the road, and the primary reason is budgetary.

"As PricewaterhouseCoopers’ 2009 Global Information Security Study documents," Clinton stated in testimony, "economic considerations are actually one of the most important considerations in determining corporate information security spending decisions, and these considerations rate higher than regulatory compliance, company reputation or internal policy compliance, and nearly as high as the number one issue, business continuity/disaster recovery."

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues, and is a nonprofit organization.

The ISAlliance represents corporate security interests before legislators and regulators.

In so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

Watch all the testimony in a webcast HERE

*   *   *

*   *   *

*   *   *

An innovative new investor analytic tool made its public debut today, and it offers an exciting look at what may well be the future of online trading for both market experts and arm-chair analysts alike.

Trefis, named for its focus on trends, forecasts, and insights, is revolutionary in its forward-looking approach to stock analysis which, incorporates a more intuitive look at the relationship between a company’s product divisions and its stock price.

One the most striking features users are bound to notice immediately about Trefis is just how easy the information and analysis is to access, and how much power their is in the user interface.

Investors can explore multiple forecast scenarios in a matter of moments with kust a drag of the mouse, and see the effect on the share price instantly.

Trefis founders include Manish Jhunjhunwala, an MIT engineering as-well-as business school graduate,who is also a former McKinsey consultant; Adam Donovan a math and physics double-major from MIT who, after graduating, put his PhD on hold to go build Trefis; and Cem Ozkaynak who spent a few years working as a banker in the investment banking division at UBS after he graduated from Cornell’s engineering school.

Principal investors include Timothy Weller, former CFO of Akamai, currently at Enernoc as the CFO; Bob Johnson who is on the MIT corporation; and Semyon Dukach, a serial entrepreneur and former President of the MIT Blackjack team.

Take the Trefis Challenge

I was fortunate enough to be invited to test drive the new Trefis site by CEO Manish Jhunjhunwala while still in Beta, and was allowed to invite a few friends along to preview the platform as well, and here is what I told them to try:

Take a stock like Apple and ask yourself, “What do i think of when I think of Apple?”  Most of us will pop off answers like the Ipod, Mac, and Iphone.

Now open your typical stock page for Apple, and tell me what you see.  Do you see Ipod, Mac, and Iphone anywhere? Can you even remotely discern them the information on the page?

The answer is no.

What you do see are important benchmarks and a summary of performance to date, but there is nothing there to tell you what is going to happen to the stock price if iPhone batteries keep melting down, or ipod docks cause too many fires.

Now open the Apple page on Trefis:

Instantly you can see the stock price broken down into its primary components.

You might be surprised, as I was, to see that the iPhones make up a little more than half of Apple’s stock price according to the Trefis model, while Mac’s contribution to the share price was substantially less than one might have anticipated.

In a matter of moments, critical assumptions an investor may be using to guide the management of his or her portfolio are challenged, reinforced, or completely dispelled. And that is just at first glance.

Trefis Analytics

Intrigued by the impressive performance of the IPhone division now and want to know more? With a click, the investor can access critical data on market share, pricing, profit margins, and competitor comparisons.

Trefis also offers their own forecast on the stock price:

Trefis analysts spend weeks evaluating each stock that we cover and utilize commonly used valuation methodologies to determine a Trefis price for each company. We present you with not only our synthesized view but also every single step within the valuation process used to determine the Trefis price.

Become Your Own Expert

Think you have the inside scoop that will build a better model?  Simply drag any of the charts with your mouse to meet your expectations, watch the share price and other factors adjust right before your eyes, and your model is saved automatically and placed in your portfolio.

Another click reveals multiple forecasts from other users.

The social networking features Trefis offers allows users to interact in forum threads specific to each company, to post market news and anylsis, and users can track the performance of others, voting their models and comments up or down in the familiar social network mob-rule format.

Trefis has built an online service that will disrupt this status quo by placing powerful but easy-to-use valuation and financial modeling tools in the hands of individual investors, allowing them for the first time to connect their real-world knowledge and experience of particular company’s products with that company’s stock price.

For example, a storage engineer at IBM might have unique insight into market shares and profit margins for the disk drive industry, including key competitors. Today, this person has no way to connect that information to a decision about whether EMC, Network Appliance, or other storage company stocks are a good buy.

More features are on on the way, including the ability to monetize your pricing models.

Price forecasts may be visible to other members, or for users who feel they have a performance record  worth bragging about, they can assign a fee for access to the underlying assumptions in their model.

This means there is finally the chance for the lone investor holed up in their home office (or better, on the couch in their sweatpants) to become a rock star portfolio manager of sorts, and get paid for it.

Trefis is likely to become a lot of people’s home page.

Trefis for Venture Capital and IPO

Trefis is poised to become a new venue for emerging companies to raise needed capital, with an on-site alternative to the traditional IPO process:

The company’s vision is that as experts and investors get together, and exchange information, as-well-as transact in this marketplace, over time the platform would provide a perfect forum for companies who wish to raise capital. Companies can then simply offer their stocks for auction on this platform, in a manner similar to that popularized by Bill Hambrecht at WR Hambrecht and Co., that helped companies like Google and NetSuite go public.

Accessing Trefis

Creating an account with Trefis is free, and it takes all of about 30 seconds to be in and using the features.  Trefis even produces some interesting member polls, then presents the data side by side with the cold hard facts - again challenging the assumptions investors make without having access to the data.

Now, they have the data.

Trefis has built an online service that will disrupt this status quo by placing powerful but easy-to-use valuation and financial modeling tools in the hands of individual investors, allowing them for the first time to connect their real-world knowledge and experience of particular company’s products with that company’s stock price.

The intuitive, almost organic approach to stock price forecasting combined with the social networking features that bring together traders of all stripes, companies and industry experts makes Trefis a potential powerhouse, and its appeal will most certainly not be overlooked.