Measuring the Attack/Defense Balance

“Who is prevailing on the internet, the assailants or the protectors?”

I encounter this inquiry frequently, and I can only provide a qualitative and somewhat vague response. However, Jason Healey and Tarang Jain’s most recent piece in Lawfare has compiled data.

The article offers the first framework for metrics regarding our collective efforts—not solely how a single network is performing. Healey communicated with me via email:

The research is grounded in three essential insights: (1) defenders require a framework (based on threat, vulnerability, and consequence) to organize the surge of potentially pertinent security metrics; (2) trends are what truly count, not details; and (3) to begin with, we should refrain from getting ensnared in data collection and simply utilize what’s already being reported by remarkable teams at Verizon, Cyentia, Mandiant, IBM, FBI, and many others.

The unexpected finding: there’s still a long journey ahead, but our performance is better than we perceive. Significant advancements are evident in threat operations, threat ecosystems and organizations, along with software vulnerabilities. Regrettably, we have yet to observe an increase in consequences. Since cost imposition is resulting in a survival-of-the-fittest competition, we may be left with fewer but more formidable predators.

And this is merely the beginning. From the report:

Our initiative is unfolding in three phases—the initial framework introduced here constitutes only phase one. In phase two, our objective is to develop a more comprehensive catalog of indicators across threat, vulnerability, and consequence; motivate cybersecurity firms (and others possessing data) to report defensibility-relevant statistics in time-series, aligned with the catalog; and enhance analysis and reporting.

This is truly commendable and significant work.

