When the World Economic Forum (WEF) released its “Global Risks Report 2018,” in January, it also issued a new report titled “Cyber Resilience: Playbook for Public-Private Collaboration,” which aims to improve the way governments and policymakers around the world make decisions about cybersecurity. Since, as the report noted, the first line of defense is rarely the government, this framework is designed to promote collaboration both within our own borders and across the globe.

To create the framework, the WEF, in collaboration with the Boston Consulting Group, asked its experts to create an initial list of values that policymakers would need to weigh when choosing between various cyber policies. The 30 options were eventually distilled down to five key values that are central to any choice regarding cybersecurity policy: security, privacy, economic value, fairness and accountability. The remaining 25 options can be mapped to one of these five key values.

Understanding the Trade-Offs of Cyber Resilience

“While leaders are accustomed to debating cybersecurity policy topics in isolation, there is seldom reflection on whether the sum of the parts of cybersecurity policy crafted on a day-to-day basis amounts to a coherent whole.” — The World Economic Forum’s “Cyber Resilience: Playbook for Public-Private Collaboration”

The report laid out the risks and trade-offs associated with each policy choice and noted that, by now, all of the easy choices have already been exhausted. What’s left is a series of challenging decisions at the organizational, national and international levels, and the effects of these decisions are both far-reaching and long-lasting.

So how can security experts help decision-makers understand the risks and trade-offs of their policies when our world today is so polarized? The report addresses that aspect specifically, warning policymakers to avoid rhetorical simplicity, false choices and absolute positions. Instead, they should embrace nuanced reflection and discussion to connect various policy choices to the five key values.

However, policymakers in several countries have started requiring organizations to implement very specific cybersecurity processes and technologies. This drastic approach, reminiscent of the disastrous days of security by compliance, can often lead to a false sense of security — and an even worse resilience posture. A better approach is to design regulations that evolve with the conditions instead of the usual post-crisis panic. As the report put it, “Efforts should also be framed in the context of an ongoing iterative process rather than ad hoc and crisis-driven, resulting in patchwork legislation.”

The 14 Key Policy Topics

The playbook outlined 14 policy topics that lawmakers, policymakers, government officials and business leaders should consider to improve global cyber resilience. These key topics are:

  1. Research, threat sharing and the government’s role in facilitating the exchange of information;

  2. Zero-day vulnerabilities — whether governments develop or purchase them and how they should warn the private sector of their use;

  3. The liability for vulnerabilities, especially after a product is no longer supported;

  4. The attribution issue — the extent to which we can point to a particular actor as the source of an attack.

  5. How to prevent or disrupt botnets;

  6. Balancing the interests of the state with those of its own citizens;

  7. National information security roles, including which agency should be responsible for what in each country and the need for cross-border collaboration;

  8. The benefits and the drawbacks of encryption, especially as law enforcement agencies seek to implement workarounds and backdoors;

  9. Cross-border data flows and the responsibilities of each jurisdiction;

  10. Notification requirements and the level of sanctions that policymakers should mandate for breached organizations;

  11. Duty of assistance and the best ways to leverage public resources in case of cyber emergencies;

  12. Active defense and the issue of organizations taking matters into their own hands;

  13. Liability thresholds and the duty of care that organizations should be able to implement and demonstrate; and

  14. Cyber insurance and the effectiveness of incentives.

Overall Value for Multiple Stakeholders

While it may be tempting to dismiss this document as a directive aimed solely at politicians and policymakers, the playbook lays out very real risks that organizations around the world must face when dealing with their own cyber resilience capabilities. How can we talk about and decide on the best approach to keeping businesses running?

Ultimately, the WEF playbook provides a mature, approachable framework to help governments and other organizations think about the tough choices chief information security officers (CISOs) must make. These challenges are presented in clear language and supported by visuals to illustrate the interconnected nature of each choice.

In the words of the report, the framework aims to “shape a digital future that is sustainable, inclusive and trustworthy.” By promoting a standard by which governments and organizations take care to connect policies to values, the WEF is one step closer to improving cyber resilience around the globe.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…