February 5, 2018 By Christophe Veltsos 3 min read

When the World Economic Forum (WEF) released its “Global Risks Report 2018,” in January, it also issued a new report titled “Cyber Resilience: Playbook for Public-Private Collaboration,” which aims to improve the way governments and policymakers around the world make decisions about cybersecurity. Since, as the report noted, the first line of defense is rarely the government, this framework is designed to promote collaboration both within our own borders and across the globe.

To create the framework, the WEF, in collaboration with the Boston Consulting Group, asked its experts to create an initial list of values that policymakers would need to weigh when choosing between various cyber policies. The 30 options were eventually distilled down to five key values that are central to any choice regarding cybersecurity policy: security, privacy, economic value, fairness and accountability. The remaining 25 options can be mapped to one of these five key values.

Understanding the Trade-Offs of Cyber Resilience

“While leaders are accustomed to debating cybersecurity policy topics in isolation, there is seldom reflection on whether the sum of the parts of cybersecurity policy crafted on a day-to-day basis amounts to a coherent whole.” — The World Economic Forum’s “Cyber Resilience: Playbook for Public-Private Collaboration”

The report laid out the risks and trade-offs associated with each policy choice and noted that, by now, all of the easy choices have already been exhausted. What’s left is a series of challenging decisions at the organizational, national and international levels, and the effects of these decisions are both far-reaching and long-lasting.

So how can security experts help decision-makers understand the risks and trade-offs of their policies when our world today is so polarized? The report addresses that aspect specifically, warning policymakers to avoid rhetorical simplicity, false choices and absolute positions. Instead, they should embrace nuanced reflection and discussion to connect various policy choices to the five key values.

However, policymakers in several countries have started requiring organizations to implement very specific cybersecurity processes and technologies. This drastic approach, reminiscent of the disastrous days of security by compliance, can often lead to a false sense of security — and an even worse resilience posture. A better approach is to design regulations that evolve with the conditions instead of the usual post-crisis panic. As the report put it, “Efforts should also be framed in the context of an ongoing iterative process rather than ad hoc and crisis-driven, resulting in patchwork legislation.”

The 14 Key Policy Topics

The playbook outlined 14 policy topics that lawmakers, policymakers, government officials and business leaders should consider to improve global cyber resilience. These key topics are:

  1. Research, threat sharing and the government’s role in facilitating the exchange of information;

  2. Zero-day vulnerabilities — whether governments develop or purchase them and how they should warn the private sector of their use;

  3. The liability for vulnerabilities, especially after a product is no longer supported;

  4. The attribution issue — the extent to which we can point to a particular actor as the source of an attack.

  5. How to prevent or disrupt botnets;

  6. Balancing the interests of the state with those of its own citizens;

  7. National information security roles, including which agency should be responsible for what in each country and the need for cross-border collaboration;

  8. The benefits and the drawbacks of encryption, especially as law enforcement agencies seek to implement workarounds and backdoors;

  9. Cross-border data flows and the responsibilities of each jurisdiction;

  10. Notification requirements and the level of sanctions that policymakers should mandate for breached organizations;

  11. Duty of assistance and the best ways to leverage public resources in case of cyber emergencies;

  12. Active defense and the issue of organizations taking matters into their own hands;

  13. Liability thresholds and the duty of care that organizations should be able to implement and demonstrate; and

  14. Cyber insurance and the effectiveness of incentives.

Overall Value for Multiple Stakeholders

While it may be tempting to dismiss this document as a directive aimed solely at politicians and policymakers, the playbook lays out very real risks that organizations around the world must face when dealing with their own cyber resilience capabilities. How can we talk about and decide on the best approach to keeping businesses running?

Ultimately, the WEF playbook provides a mature, approachable framework to help governments and other organizations think about the tough choices chief information security officers (CISOs) must make. These challenges are presented in clear language and supported by visuals to illustrate the interconnected nature of each choice.

In the words of the report, the framework aims to “shape a digital future that is sustainable, inclusive and trustworthy.” By promoting a standard by which governments and organizations take care to connect policies to values, the WEF is one step closer to improving cyber resilience around the globe.

More from Risk Management

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today