How do you compare and test the efficacy of cybersecurity products and companies when the information is proprietary? In many situations, you cannot. The research division of DHS is currently trying to understand how comparisons based on rational-actor notions could be made possible. With cybersecurity companies selling their solutions “as the greatest thing since sliced cheese,” according to the head of the division, the Cyber Risk Economics program is attempting to provide tools that would allow organizations to understand the costs of various attacks and which tools could best be implemented to balance needs with budget. The most important aspects of the campaign are the projects for sharing threat data and quantifying risk. In one rather interesting example, the team awarded a firm $350k for the development of a program in which experts bet on the product they think would best protect against various simulated attacks. The program would provide a description of each product but not its developer. The idea behind the program is crowdsourcing expert advice on threats and defense. “The end result is we end up sharing data across institutions…I actually think this is the approach to addressing cybersecurity going forward,” the program head argued.
Source: How DHS is Trying to Separate Quality Cyber Tools from Snake Oil – Nextgov