February 5, 2018 By Christophe Veltsos 3 min read

When the World Economic Forum (WEF) released its “Global Risks Report 2018,” in January, it also issued a new report titled “Cyber Resilience: Playbook for Public-Private Collaboration,” which aims to improve the way governments and policymakers around the world make decisions about cybersecurity. Since, as the report noted, the first line of defense is rarely the government, this framework is designed to promote collaboration both within our own borders and across the globe.

To create the framework, the WEF, in collaboration with the Boston Consulting Group, asked its experts to create an initial list of values that policymakers would need to weigh when choosing between various cyber policies. The 30 options were eventually distilled down to five key values that are central to any choice regarding cybersecurity policy: security, privacy, economic value, fairness and accountability. The remaining 25 options can be mapped to one of these five key values.

Understanding the Trade-Offs of Cyber Resilience

“While leaders are accustomed to debating cybersecurity policy topics in isolation, there is seldom reflection on whether the sum of the parts of cybersecurity policy crafted on a day-to-day basis amounts to a coherent whole.” — The World Economic Forum’s “Cyber Resilience: Playbook for Public-Private Collaboration”

The report laid out the risks and trade-offs associated with each policy choice and noted that, by now, all of the easy choices have already been exhausted. What’s left is a series of challenging decisions at the organizational, national and international levels, and the effects of these decisions are both far-reaching and long-lasting.

So how can security experts help decision-makers understand the risks and trade-offs of their policies when our world today is so polarized? The report addresses that aspect specifically, warning policymakers to avoid rhetorical simplicity, false choices and absolute positions. Instead, they should embrace nuanced reflection and discussion to connect various policy choices to the five key values.

However, policymakers in several countries have started requiring organizations to implement very specific cybersecurity processes and technologies. This drastic approach, reminiscent of the disastrous days of security by compliance, can often lead to a false sense of security — and an even worse resilience posture. A better approach is to design regulations that evolve with the conditions instead of the usual post-crisis panic. As the report put it, “Efforts should also be framed in the context of an ongoing iterative process rather than ad hoc and crisis-driven, resulting in patchwork legislation.”

The 14 Key Policy Topics

The playbook outlined 14 policy topics that lawmakers, policymakers, government officials and business leaders should consider to improve global cyber resilience. These key topics are:

  1. Research, threat sharing and the government’s role in facilitating the exchange of information;

  2. Zero-day vulnerabilities — whether governments develop or purchase them and how they should warn the private sector of their use;

  3. The liability for vulnerabilities, especially after a product is no longer supported;

  4. The attribution issue — the extent to which we can point to a particular actor as the source of an attack.

  5. How to prevent or disrupt botnets;

  6. Balancing the interests of the state with those of its own citizens;

  7. National information security roles, including which agency should be responsible for what in each country and the need for cross-border collaboration;

  8. The benefits and the drawbacks of encryption, especially as law enforcement agencies seek to implement workarounds and backdoors;

  9. Cross-border data flows and the responsibilities of each jurisdiction;

  10. Notification requirements and the level of sanctions that policymakers should mandate for breached organizations;

  11. Duty of assistance and the best ways to leverage public resources in case of cyber emergencies;

  12. Active defense and the issue of organizations taking matters into their own hands;

  13. Liability thresholds and the duty of care that organizations should be able to implement and demonstrate; and

  14. Cyber insurance and the effectiveness of incentives.

Overall Value for Multiple Stakeholders

While it may be tempting to dismiss this document as a directive aimed solely at politicians and policymakers, the playbook lays out very real risks that organizations around the world must face when dealing with their own cyber resilience capabilities. How can we talk about and decide on the best approach to keeping businesses running?

Ultimately, the WEF playbook provides a mature, approachable framework to help governments and other organizations think about the tough choices chief information security officers (CISOs) must make. These challenges are presented in clear language and supported by visuals to illustrate the interconnected nature of each choice.

In the words of the report, the framework aims to “shape a digital future that is sustainable, inclusive and trustworthy.” By promoting a standard by which governments and organizations take care to connect policies to values, the WEF is one step closer to improving cyber resilience around the globe.

More from Risk Management

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Addressing growing concerns about cybersecurity in manufacturing

4 min read - Manufacturing has become increasingly reliant on modern technology, including industrial control systems (ICS), Internet of Things (IoT) devices and operational technology (OT). While these innovations boost productivity and streamline operations, they’ve vastly expanded the cyberattack surface.According to the 2024 IBM Cost of a Data Breach report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.Apparently, the data being stored in industrial control systems is…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today