MIT Research Documents Effectiveness of Consensus Cyber Risk Oversight Principles

PRESS RELEASE

Geneva, Switzerland/Nov. 16 — As the World Economic Forum’s annual Cybersecurity Summit concluded today, research conducted by MIT Cybersecurity at MIT Sloan (MIT CAMS) found that the cyber risk oversight principles (consensus principles) developed by the Forum in conjunction with the Internet Security Alliance (ISA) and the National Association of Corporate Directors (NACD) “demonstrates that organizations that use the consensus principles can significantly improve their cyber resilience without raising costs.”

The MIT research used a grounded control theory and system dynamics built on significant research in the field, including interviews with CISOs which has been validated over the years at a Fortune 500 company analyzing a wide range of cyber risk challenges. MIT CAMS used a simulation-added approach to understand organizational behavior when adapting the consensus Cyber Risk Principles.

The research used a scientifically grounded simulation methodology to explore the behavior of CEOs who followed the traditional model and compared it to that of an aware CEO who followed the consensus principles. The research found “a significant difference when comparing the strength of defensive posture represented by the number of cybersecurity incidents and compromised assists. The CEO who follows the principles is predicted to have 85% fewer incidents.

Moreover, a CEO who followed the principles was more “cyber conscience,” has gone further to foster resilience, is pro-active in anticipating cyber threats, knows how their technology drives their business, and focuses on maintaining business performance.

ISA President Larry Clinton noted that this study was the second independent verification of the Principles; utilizing improvised organizational cybersecurity, citing the previous PWC research, which also found organizations who used these principles had better cyber risk management, closer alignment between cyber and overall mission goals, and helped to foster a culture of security.

“I’m not aware of any of the set of best practices regulations or frameworks that has been independently assessed and verified using multiple independent methodologies as have these core principles,” Clinton said.

An abstract of the study based on NACD reporting can be found here https://isalliance.org/?p=12291.