Multiparty Encryption Allows Companies to Solve Security-Data Conundrum

An interdisciplinary research team constructs a way for companies to share breach data without revealing specific details that could expose businesses to legal risk.

A system that allows companies to submit breach data anonymously and then benefit from the aggregate statistics for their industries could give executives and policymakers a more accurate understanding of how breaches impact businesses and give companies the timely threat intelligence they need to prepare for attacks.


The Secure Cyber Risk Aggregation and Measurement (SCRAM) system — created by an interdisciplinary team of policy, financial, and computer-science researchers at the Massachusetts Institute of Technology (MIT) — uses a special type of encryption to allow various calculations to be performed on protected data in the context of a multiparty computation (MPC) system. An initial proof-of-concept trial not only delivered aggregate breach data for a group of six companies, but it also collected information about the adoption rate of security controls and the controls blamed for the greatest loss.
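To illustrate how aggregate figures can be computed without any participant seeing another's submission, here is an added example (not SCRAM's code, and not from the researchers) that uses additive secret sharing, a basic MPC building block chosen for illustration because the article does not specify SCRAM's scheme. The six firm records, the field names, and the two controls are constructed sample data.

```python
import secrets

P = 2**61 - 1  # prime modulus; every true column total must stay below it

def share(value, n):
    """Split value into n additive shares mod P. Any n-1 of them are
    uniformly random and reveal nothing about value."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % P)
    return parts

def aggregate(reports):
    """Each firm shares every field of its report among all n firms.
    Each firm then publishes only the sum of the shares it holds, and
    the published partial sums add up to the column totals."""
    n, width = len(reports), len(reports[0])
    inbox = [[] for _ in range(n)]  # inbox[j]: share vectors held by firm j
    for vec in reports:
        per_field = [share(v, n) for v in vec]  # width lists of n shares
        for j in range(n):
            inbox[j].append([per_field[k][j] for k in range(width)])
    # A partial sum is a sum of random-looking shares, so publishing it
    # does not expose any single firm's figures.
    partials = [[sum(row[k] for row in held) % P for k in range(width)]
                for held in inbox]
    return [sum(p[k] for p in partials) % P for k in range(width)]

# Constructed sample data: (loss_usd, has_mfa, has_backups) per firm.
FIRMS = [
    (1_200_000, 1, 1),
    (0,         1, 0),
    (350_000,   0, 1),
    (4_750_000, 0, 0),
    (90_000,    1, 1),
    (0,         1, 0),
]

def summary(reports):
    """Aggregate statistics of the kind the trial reported: total loss
    and adoption rate per control, never per-firm values."""
    total_loss, mfa, backups = aggregate(reports)
    n = len(reports)
    return {"total_loss": total_loss,
            "mfa_rate": mfa / n,
            "backup_rate": backups / n}

if __name__ == "__main__":
    print(summary(FIRMS))
```

The privacy guarantee here holds only against participants who follow the protocol and do not pool their shares; a production system needs authenticated channels and a defined collusion threshold.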


The researchers plan to next conduct a larger trial of the technology with 60 to 70 companies in several industries to gather sector-specific data, says Taylor Reynolds, technology policy director of MIT's Internet Policy Research Initiative.


"We have shown that firms are willing to share this really sensitive data as long as they know it is going to be protected," he says. "And what that does is it opens up a whole new set of data and statistics for us that will allow us to better defend our networks."


The research could solve one of the most enduring problems of cybersecurity: the lack of good data on breaches and information on what controls are working. While several industries —