
Linking Cybersecurity Policy and Performance

Aaron Kleiner
Paul Nicholas
Kevin Sullivan
Microsoft Trustworthy Computing

Authors
Aaron Kleiner
Microsoft Trustworthy Computing

Paul Nicholas
Microsoft Trustworthy Computing

Kevin Sullivan
Microsoft Trustworthy Computing

Contributors
Bruce Cowper
Microsoft Trustworthy Computing

Andrew Cushman
Microsoft Trustworthy Computing

Dave Forstrom
Microsoft Trustworthy Computing

Cristin Goodwin
Microsoft Trustworthy Computing

William Howerton
Good Harbor Security Risk Management

Jacob Olcott
Good Harbor Security Risk Management

Tim Rains
Microsoft Trustworthy Computing

Travis Scoles
Schireson Associates

Neil Shah
Schireson Associates

The Microsoft Malware Protection Center

Foreword
This special edition of the Microsoft Security Intelligence Report (SIR) was authored by Microsoft’s
Global Security Strategy and Diplomacy (GSSD) team. GSSD works collaboratively with
governments, multilateral organizations, industry, and nonprofit groups to enhance security
across the cyberecosystem. Leveraging technical depth and public policy expertise, GSSD
supports public and private sector initiatives that promote trustworthy plans and policies, resilient
operations, and investments in innovation.

While Microsoft has long reported on the technical measures of cybersecurity through the SIR and
other sources of information, we have been looking to better understand the full environment that
leads to a given cybersecurity outcome. We believe that is dependent on a range of technical and
nontechnical measures including use of modern technology, mature processes, user education, law
enforcement, and public policies related to cyberspace. Each of these measures may contribute
directly or indirectly to the cybersecurity performance measures reported in the SIR.

This paper introduces a methodology for examining how nontechnical socioeconomic factors in a
country or region impact cybersecurity performance. With this methodology we can build a model
we hope can help predict the expected cybersecurity performance of a given country or region.
From that prediction, we can attempt to better understand the public policies that distinguish the
performance of different countries and regions.

We are excited by the initial results of our research that demonstrate significant differences in
security outcomes between countries that have, for example, signed or ratified the Council of
Europe. Both policymakers and technology experts face increasing demands for innovation
and impact. It is our hope that this work catalyzes additional research into the holistic factors
impacting cybersecurity around the world as well as a data-driven approach to policymaking.

Paul Nicholas
Senior Director of Global Security Strategy and Diplomacy, Trustworthy Computing, Microsoft

Tim Rains
Director, Trustworthy Computing, Microsoft

Introduction
The world is in the midst of an unprecedented technological transition, characterized by growth in
the volume and diversity of people, devices, and data connected to the Internet. Across the globe,
billions of people are using information and communications technology (ICT) infrastructure to
conduct business and interact with governments and each other. The World Economic Forum
recently observed that “more than 70 percent of the world’s citizens live in societies that have just
begun their digitization journeys.”1 With so many people moving toward an increasingly digital
lifestyle, the world that emerges at the conclusion of this transition will likely be very different than
the world we know today.

Building a safer, more trusted Internet nationally and internationally requires policymakers,
business decision-makers, and ICT providers to collectively develop technical and policy solutions
that will enable citizens, enterprises, and governments to meet their computing objectives in a
secure, private, and reliable manner.

Cybersecurity is critical for the success of the world’s digital future.2

Over the past decade, national policymakers and the international policy community have
undertaken a variety of initiatives that have been fundamental to establishing effective
nontechnical cybersecurity public policy. As a company, Microsoft has participated in many of these
initiatives because we believe these efforts improve and enhance global cybersecurity. Through our
participation, we have come to appreciate and understand the difficulty that policymakers face when
evaluating the success of their initiatives designed to reduce cyberrisks today and in the future.

Understanding whether certain policies can measurably reduce cyberrisks at a national level is
a critical exercise for policymakers seeking effective solutions to these challenges. In this vein,
Microsoft set out to create a methodology to evaluate the impact of policy solutions on national
cybersecurity efforts. Using a reasonable statistical measurement for evaluating cybersecurity
on a national level, a framework was created to examine various factors that distinguish levels of
cybersecurity performance among countries and to identify whether adoption of certain policies
or strategic actions is related to cybersecurity performance.

The results of our analysis have implications for current and future policy initiatives. We found
that countries adopting or implementing certain policies, including international treaties like
the Council of Europe Convention on Cybercrime and voluntary codes of conduct like the
London Action Plan, are more likely to overperform on a key cybersecurity metric compared to
countries that have not adopted the same policies. For policymakers seeking ways to improve
national cybersecurity, these policies represent activities that are likely to have a meaningful
and measurable impact. While we believe that these specific policy actions are critical steps for
policymakers to consider when addressing cybersecurity on a national level, the manner in which
these policies were created and adopted, through international partnership or joint public/private
efforts, likely serves as an important model for how successful cybersecurity policies might be created
in the future.

Recognizing the limitations of our study, we nevertheless hope that this whitepaper adds value to
other efforts to form more reliable risk reduction metrics in cyberspace and serves as a useful tool
for national policymakers considering various approaches towards achieving greater cybersecurity.

1 http://www3.weforum.org/docs/Global_IT_Report_2012.pdf
2 Cybersecurity: Cornerstone of a Safe, Connected Society, http://aka.ms/TwC_Cyber_Paper
How We Measure Cybersecurity: Infected Computer Data
Today, a multitude of reports from antivirus vendors, security experts, networking providers
and our own Microsoft Security Intelligence Report (SIR) provide technical insight into the
cybersecurity problem. Technical reports are important tools to help understand the pervasiveness
of malicious code on machines. Microsoft’s own technical measure of cybersecurity is derived
from our broad deployments of enterprise and consumer software products, as well as global
investments in online services such as search engines and e-mail systems. Our results are based
on findings from our Malicious Software Removal Tool (MSRT), an anti-malware utility that checks
Windows computers for prevalent threats and helps remove any malware or infections found.
Delivered primarily through the Windows Update process, MSRT runs on more than 600 million
devices per month. This represents a large proportion of the global installed base of personal
computers, making the results a reasonable proxy for overall cybersecurity levels.

The MSRT evaluates the current level of malicious code infections on computer systems across
the globe. To produce a consistent measure of infection that can be used to compare different
populations of computers to each other over time, Microsoft reports infection rates using a
metric called computers cleaned per mille (thousand) or “CCM,” which represents the number of
computers cleaned for every 1,000 times that the Malicious Software Removal Tool (“MSRT”) is
run. For example, if the MSRT is run 50,000 times in a particular country/region in the first quarter
of the year and removes infections from 200 computers, the CCM for that country/region in the
first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000). For the purposes of this analysis and paper,
we use CCM as a proxy for cybersecurity performance. A higher CCM number indicates a higher
incidence of malware removed in a given geographical area, which we interpret as a lower level
of cybersecurity performance.3 Lower CCM numbers denote fewer malware removals and thus
a higher level of cybersecurity performance. Figure 1 illustrates the CCM number for countries/
regions around the world in the fourth quarter of 2011.4

Figure 1. Infection rates by country/region in 4Q11, by CCM
[World map of computers cleaned per 1,000 scanned, 4Q11. Legend bands: 20+; 15 to 20; 10 to 15;
5 to 10; >0 to 5; insufficient data.]

3 Since Q1 of 2011, the CCM has been reported based on geographic location rather than the
administrator-defined location.
http://blogs.technet.com/b/security/archive/2011/11/15/determining-the-geolocation-of-systems-infected-with-malware.aspx
4 Microsoft Security Intelligence Report Volume 12: July-December 2011.
http://www.microsoft.com/security/sir/archive/default.aspx
CCM, like other technical cybersecurity metrics used in the industry, is an imperfect one. For
instance, CCM does not measure and report important cybersecurity outcomes, including
actual damage caused by infections. While we chose to use the CCM metric as an indicator of
cybersecurity for purposes of our study, we hope that industry, government, and academia will
continue to develop other useful metrics in order to create a more complete understanding of the
impact of cyber risk.

Identifying Relationships Between Cybersecurity and National-Level Factors
Microsoft began this research with an interest in understanding whether countries with similar
CCM metrics shared other “nontechnical” traits. More than 80 national indicators or factors
were identified, including gross domestic product (GDP), governance model, and broadband
penetration rate. We then applied statistical modeling techniques to identify patterns between the
indicators and a country or region’s cybersecurity risk profile as indicated by CCM. It was found
that 34 of the 80 original indicators had a potential correlation with CCM.

In general, most of the indicators we identified were negatively correlated with CCM; as the
indicator rises, CCM will decrease. It is important to emphasize that these relationships demonstrate
correlative, not causal, relationships. For example, with respect to education, the data show
that lower CCM rates are related to the length of time that a country’s citizens spend in school. The
chart below contains a sample of our findings:

Table 1. Sample indicator variables for analysis5

Indicator Variable         Correlation with CCM
Consumers per Capita       -0.0
Gross Income per Capita    -0.5
Rule of Law                -0.5
Demographic Instability    -0.6
Secure Net Servers         -0.5
Broadband Penetration      -0.6
R&D Expenditure            -0.5
Facebook Usage             -0.3
Use of Mobile Devices      -0.3
Literacy Rate              -0.5

5 See Appendix for full list of sources and descriptions.


Predicting Cybersecurity Performance
With an understanding of how certain national-level indicators correlate with CCM measurements,
we set out to build a model that predicts levels of cybersecurity performance based on these
national indicators. Building a predictive model enables policymakers to explore a series of
potential explanations for the disparity between actual and predicted CCM.

The graph below shows a scatter plot of the actual and expected cybersecurity performance
of over 100 countries. We omitted the names of individual countries in this report because our
intention is to understand the drivers of cybersecurity performance rather than discuss the
performance of any individual country.

By identifying the underlying principles of certain policies that are correlated with overperformance
in cybersecurity, such as intergovernmental frameworks for cooperation and voluntary codes
of conduct, policymakers can develop future approaches that are more likely to be effective in
combating the evolving threats in cyberspace.

Figure 2. Actual vs. predicted cybersecurity performance per country or region
[Scatter plot. X-axis: 2011 Actual Cybersecurity Performance, 0 to 24. Y-axis: 2011 Predicted
Cybersecurity Performance, 0 to 24.]

2011 Average CCM
Along the X-axis are the average quarterly CCM numbers reported in the SIR for 2011.

Expected/Predicted CCM
Along the Y-axis is the predicted level of cybersecurity for each country. This accounts for the variation
among countries and gives us an expected/predicted CCM number based on the 34 variables.

Model Line
The diagonal line from the lower-left to the upper-right of the graph represents a perfect fit of
the model. If we were able to perfectly predict the levels of cybersecurity performance for each
country, each would fall on this line.

Strength of Our Predictive Model
The strength of this model is expressed by the term R², which indicates how much of the predicted
value can be explained by the regression formula. R² generally ranges from 0 to 1: an R² of 0 would
indicate no predictive power, 0.1–0.3 weak prediction, 0.4–0.6 moderate prediction, and 0.7–1
strong prediction. Our model has an R² of 0.68, indicating moderate predictive ability. While purely
scientific studies may strive for R² values of 0.9 or above, we consider our model to be a good
starting point for this discussion.

Since the model is not perfect, individual countries are on, above, or below the model line.
Countries above the line are considered to be outperforming the model. That is, their actual
levels of cybersecurity performance are better (lower CCM) than our model predicts based on the
nontechnical indicators. Conversely, countries located below the line are underperforming the
model. Their actual levels of cybersecurity are worse (higher CCM) than our model had predicted.6
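
The sketch below is an added example, not code from the paper or from Microsoft. It computes CCM as defined earlier, fits an ordinary least-squares model, reports R², and labels each region against the model line, flooring negative predictions at 0 as the methodology note describes. The region names, the data, the choice of two indicators, and the ±1.0 CCM tolerance are assumptions; the paper uses 34 indicators and latent class segmentation rather than a fixed tolerance.

```python
# Added illustration, not code from the paper. All data below is constructed.


def ccm(computers_cleaned, msrt_executions):
    """Computers cleaned per mille: cleanings per 1,000 MSRT executions."""
    if msrt_executions <= 0:
        raise ValueError("MSRT executions must be positive")
    return computers_cleaned * 1000 / msrt_executions


def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-9:
            raise ValueError("indicators are collinear; cannot fit the model")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def fit_linear(indicators, actual):
    """Ordinary least squares with an intercept, via the normal equations."""
    rows = [[1.0] + list(r) for r in indicators]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, actual)) for i in range(k)]
    return solve(xtx, xty)


def predict(beta, indicators):
    """Predicted CCM for each row of indicator values."""
    return [beta[0] + sum(b * v for b, v in zip(beta[1:], r)) for r in indicators]


def r_squared(actual, predicted):
    """Share of the variance in actual CCM that the model accounts for."""
    mean = sum(actual) / len(actual)
    ss_res = sum((a - p) ** 2 for a, p in zip(actual, predicted))
    ss_tot = sum((a - mean) ** 2 for a in actual)
    return 1 - ss_res / ss_tot


def relative_performance(actual, predicted, tolerance=1.0):
    """Label a region against the model line. The tolerance is an assumption."""
    predicted = max(predicted, 0.0)  # a linear model can dip below CCM's floor of 0
    if actual < predicted - tolerance:
        return "outperforms"    # fewer cleanings than the indicators predict
    if actual > predicted + tolerance:
        return "underperforms"  # more cleanings than the indicators predict
    return "on par"


# Constructed sample: region -> (MSRT executions, computers cleaned,
#                                broadband penetration %, literacy rate %)
SAMPLE = {
    "Region A": (500_000, 1_500, 35.0, 99.0),
    "Region B": (200_000, 1_400, 30.0, 98.0),
    "Region C": (80_000, 960, 12.0, 90.0),
    "Region D": (50_000, 200, 25.0, 97.0),   # the paper's worked CCM example: 4.0
    "Region E": (120_000, 2_160, 5.0, 75.0),
    "Region F": (300_000, 2_700, 15.0, 92.0),
    "Region G": (60_000, 900, 8.0, 80.0),
    "Region H": (40_000, 240, 10.0, 85.0),
}


def analyse(sample):
    """Return (R^2, {region: (actual CCM, predicted CCM, label)})."""
    names = list(sample)
    actual = [ccm(sample[n][1], sample[n][0]) for n in names]
    indicators = [sample[n][2:] for n in names]
    predicted = predict(fit_linear(indicators, actual), indicators)
    report = {n: (a, p, relative_performance(a, p))
              for n, a, p in zip(names, actual, predicted)}
    return r_squared(actual, predicted), report


if __name__ == "__main__":
    r2, report = analyse(SAMPLE)
    print(f"R^2 = {r2:.2f}")
    for name, (a, p, label) in report.items():
        print(f"{name}: actual {a:5.1f}  predicted {p:5.1f}  {label}")
```

A region labelled "outperforms" sits above the model line in the paper's plot, because its actual CCM is lower than the value predicted from its indicators.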

We then used latent class segmentation7 to classify each country into one of three clusters, based
on both their actual and predicted CCM. The end result is a model with three distinct clusters of
countries, which we call Maximizers, Aspirants, and Seekers.

Figure 3. Cluster analysis of cybersecurity performance
[Scatter plot with three labeled clusters: Maximizers, Aspirants, and Seekers. X-axis: 2011 Average
Cybersecurity Performance, 0 to 24. Y-axis: 2011 Predicted Cybersecurity Performance, 0 to 24.]

6 Note on our methodology: We expect that countries’ positions on the chart will change over time as both
nontechnical and technical conditions evolve. We also expect that CCM changes will be more frequent and
erratic, relative to some of the other indicator variables; this is based on past observations of CCM fluctuating
between quarters relatively more than other government indicators, such as GDP. For this reason, we have
chosen to model and report on annualized averages where possible, as this minimizes potentially misleading
data that is a direct result of quarterly fluctuation. In some cases, the predicted CCM is extremely low, and
potentially below 0, which, from a practical standpoint, cannot happen. This is a result of using a linear
regression model. The model cannot understand that the practical floor for CCM is 0. Negative CCM results
should be interpreted as a small positive number that is approaching 0, from a real-world standpoint.

7 Vermunt, Jeroen K. and Jay Magidson. Latent Class Models for Classification. In latent class segmentation,
we create variables (known as latent variables), and assign each of the countries to belong to one of those
variables. The variables act to explain the variance between expected and predicted CCM—countries with
similar variance are grouped together. The optimal clustering model is determined by maximizing the
explainable difference, and is found by testing varying number of latent variables (varying numbers of
clusters) and varying combinations of countries included in each cluster.
Maximizers are countries with more effective cybersecurity capabilities, and outperform the
model. This cluster has a moderate level of predicted cybersecurity, but relatively, it has the best
cybersecurity performance of all clusters. This overperformance of the model is the defining
attribute of the cluster. Within the countries that comprise the cluster, we see that they often have
better performance in key indicator variables (as defined by CHAID analysis8, which determines
the strength of relationship between predictor variables and cluster membership), including
personal computers in use per capita, health expenditure per capita, regime stability, and
broadband penetration. Maximizers include a relatively high percentage of European countries.

Aspirants are countries who are on a par with the model and are still developing cybersecurity
capabilities. This cluster has a moderate level of predicted cybersecurity, and in reality it performs
on par with those predictions. This predictability of cybersecurity performance is the defining
attribute of the cluster. Of the three clusters, Aspirants is also the largest. Within the countries
that comprise the cluster, we see that they often have average to above average performance
in key indicator variables, including broadband speed, secure Internet servers per capita, R&D
expenditure, and consumer telecommunications expenditure. Countries from around the world
comprise the Aspirants cluster, but it contains a slightly higher percentage of Latin American/
Caribbean nations than the others.

Seekers are countries with higher cybersecurity risk who underperform on model expectations.
While this cluster has a moderate to low level of predicted cybersecurity, in reality it has a low
level of cybersecurity, as measured by high CCM. As such, Seekers underperform with regard to
their cybersecurity potential. Of the three, the Seekers cluster is the smallest. The countries that
comprise the cluster often perform poorly in key indicator variables, including literacy, offenses
(crime) per capita, broadband speed, and broadband penetration. Compared to the key attributes
of Aspirants, we see that Seekers may be less likely to invest in technological infrastructure
development. Countries from around the world comprise the Seekers cluster, but it contains a
higher percentage of Middle Eastern/African nations than the others.

Figure 4. Geographic distribution of cluster members
[Chart showing, for the Seekers, Aspirants, and Maximizers clusters, the share of members from each
region: Latin America and the Caribbean, North America, Western Europe, Central and Eastern Europe,
Middle East and Africa, and Asia/Pacific.]

8 An Exploratory Technique for Investigating Large Quantities of Categorical Data. G. V. Kass. Journal of
the Royal Statistical Society. Series C (Applied Statistics), Vol. 29, No. 2 (1980), pp. 119-127. Published by:
Wiley for the Royal Statistical Society. Article Stable URL: http://www.jstor.org/stable/2986296
Impact of Cybersecurity Policies on National Performance
Why do countries with similar predicted CCM perform so differently on actual CCM? In other words,
if our model already accounts for key differences between countries (GDP, broadband penetration,
rule of law, etc.), why does the actual CCM number vary so much? We hypothesized that this
discrepancy can be partially attributed to policies and programs implemented by the country to limit
cybersecurity risk. We believe that these factors can help to explain part of the difference between
predicted and actual performance.

Evolution of Cyberpolicy
Over the last decade, national policymakers have considered myriad cybersecurity policies of varying
focus, size, scope, intent, and budget. The growth of Internet users and new threat actors helped
spur international dialogue around cybersecurity, which resulted in the development of the Council
of Europe Convention on Cybercrime in 2001. The Convention on Cybercrime created the first-ever
international treaty aimed at cybersecurity issues, and it has since been ratified by 37 countries.

As spam, phishing, and spyware began to create substantial threats to large enterprises, the
formation of new public/private partnerships became necessary. For instance, in response to growing
international pressure to contain the malware problem, government agencies from 27 countries
convened in October 2004 to form the London Action Plan. The plan was created to “promote
international spam enforcement cooperation and address spam related problems, such as online fraud
and deception, phishing, and dissemination of viruses.”9 The plan also created a voluntary code of
conduct for private companies in order to elicit greater spam enforcement cooperation.

Policymakers must also consider the growing theft of intellectual property and rising rates of
software piracy. Though actual financial costs are impossible to gauge, the theft of intellectual
property through cybermeans is thought to be in the multibillions per year, a number that has only
grown over time. The decade witnessed soaring piracy rates that inflicted significant economic
damage on companies. In 2003 the commercial value of the pirated software market was $28.8
billion;10 by 2011 the figure had increased to $63.4 billion. High piracy rates were particularly
fueled by PC shipments to emerging economies where piracy rates are highest.11 Software piracy
also directly impacts indicators such as CCM: in the first half of 2012, the most commonly
detected malware globally was typically bundled with counterfeit software.12

National cybersecurity strategies evolved throughout the decade, incorporating elements of
resiliency and reciprocity, and also the role of militaries. For example, in 2006 the U.S. Department
of Homeland Security and the private sector jointly developed sector-specific plans focused on risk
management and resiliency of critical functions. Cyberattacks on Estonia in 2007 led the European
Union to create a new public/private partnership designed to enhance preparedness, security,
and resilience. Sophisticated attacks against the U.S. government resulted in the creation of the
Comprehensive National Cybersecurity Initiative (CNCI) in 2008, an effort representing a significant
increase in policy, operational, and financial commitments that spanned the whole of government.
As attacks continued, militaries increasingly looked to develop specific military doctrines, policy
statements, or military strategies related to cyberspace. By 2011, 33 countries had done so.13

9 http://londonactionplan.org/the-london-action-plan/
10 http://www.bsa.org/country/Research%20and%20Statistics/~/media/5536D2D93FA746E69CBC12ECBCE0F319.ashx
11 http://portal.bsa.org/globalpiracy2011/downloads/study_pdf/2011_BSA_Piracy_Study-InBrief.pdf
12 http://www.microsoft.com/security/sir/story/default.aspx#!unsecure_distribution
13 James A. Lewis and Katrina Timlin, Center for Strategic and International Studies, Cybersecurity and Cyberwar:
Preliminary Assessment of National Doctrine and Organization, in Resources: Ideas for Peace and Security
(U.N. Inst. for Disarmament Research, 2011),
http://www.unidir.org/files/publications/pdfs/cybersecurity-and-cyberwarfare-preliminary-assessment-of-national-doctrine-and-organization-380.pdf
Identifying Policies that Correlate with Cybersecurity Performance
How are these and other policies related to a country’s cybersecurity performance? To test our
theory about the role of policy in cybersecurity, we distilled the variety of types of cybersecurity
policies into certain initiatives that can be measured by a binary rather than a substantive
evaluation. For example, we queried whether a country was a signatory of the Council of Europe
Convention on Cybercrime, but did not further evaluate the extent or effect of the policies that
a country adopted in order to implement the treaty. Additionally, we considered whether or not
a country had developed a military cyberdefense strategy, but did not evaluate the robustness
of the strategy. Furthermore, in order to expand the data set, we evaluated policies adopted in a
statistically significant number of countries and regions.

We initially identified four policy factors that satisfy these criteria and ran them against our model:

Table 2. Impact of policy upon cybersecurity performance

Policy factor                         Maximizers   Aspirants   Seekers
Piracy                                42%          62%         68%
London Action Plan Membership         46%          20%         10%
COE Convention on Cybercrime          51%          17%         7%
Defense Strategy for Cybersecurity    51%          15%         21%

Council of Europe Cybercrime Treaty


We found the Council of Europe Convention on Cybercrime (COE) to be one of the strongest
accelerators of cybersecurity for the countries in our survey. The COE is an international treaty
that aims to create a common policy environment for cybercrime, to provide the legal powers
necessary to effectively investigate and prosecute cybercrime offenses, and to establish methods
of international cooperation that can help match the speed of cybercrimes.

Fifty-one percent of the countries in the Maximizer (overperforming/low-CCM) cluster had either
signed or ratified the treaty. While the relationship between COE accession rates and relative CCM
performance may not be causal, there is a clear link between CCM performance relative to expectations and COE accession.
Interestingly, we noticed a declining trend of COE accession in countries with higher CCM scores
relative to predictions.

London Action Plan


Membership in the London Action Plan is also an indicator of overperformance in cybersecurity,
significantly distinguishing the low-CCM cluster from the other two clusters. The London Action
Plan aims to promote international cooperation in addressing spam, online fraud, and malware.
Rather than create new legally binding obligations for members, the Plan outlines activities for
both public and private sector participants to fight spam, fostering better cooperation between
organizations in order to defend against cyberthreats.

Forty-six percent of the overperforming cluster’s countries are members of the London Action
Plan. Similar to the COE signatory trends, membership in the London Action Plan is linked
with CCM performance relative to expectations. As with COE signatory rates, there exists an
implied relationship between membership in the London Action Plan and relative cybersecurity.
While the relationship between CCM performance and the London Action Plan may not be causal,
we can definitively say that membership in the London Action Plan would be part of a profile for a
country that has relatively good cybersecurity.

Military Cyberdefense Strategy
Military cyberdefense strategy differs from London Action Plan membership and COE Signatory
status in that it does not trend with relative CCM performance. As Table 2 shows, countries with
publicly acknowledged military cyberdefense strategies comprise 51 percent of the
low-CCM cluster. However, 21 percent of the high-CCM underperforming cluster also had military
cyberstrategies. We also examined the countries with civil cyberstrategies but found no clear
relationship with cluster membership; countries with only civil cyberstrategies were equally likely
to be in any one of the three clusters.

It is possible that future analysis will show a correlation between military cyberdefense strategies
and cybersecurity performance. Many military strategies are still in their formative phases, having
been created in the past few years, and it can take time for the impact of new policies and
capabilities to be fully observed. As more countries around the world adopt both military and
civil-based cyberdefense strategies, it will be worth watching to see if there is a notable difference
in their security outcomes.

Piracy Rate
Though we did not evaluate individual policy approaches toward reducing piracy, the average
piracy rate of countries in the low-CCM cluster was drastically lower than the other clusters.
The implications of this observation are complex. Countries that do a better job managing
cybersecurity may also do a better job mitigating piracy, or countries with higher piracy rates may
have a more difficult time containing malware and other cyberthreats. This is a topic for further
research, but we found the relationship between piracy rates and CCM scores compelling enough
to highlight here.

As opposed to the other profiling factors discussed above, piracy rate is an outcome rather than
a policy tool. However, this does show the potential benefit of protecting intellectual property, as
higher rates of piracy are positively correlated with higher CCM. This is unsurprising, as pirated
software poses a serious security risk to its users. A 2008 study by the Harrison Group found that
companies that used unlicensed software were 73 percent more likely than those companies that
use fully licensed software to experience loss or damage of sensitive data, and were 43 percent
more likely to suffer critical computer failures.14

Summary of Quantitative Analysis


The goal of our quantitative research was to gain a clearer understanding of what factors distinguish
cybersecurity performance among countries, and whether any relationship exists between certain
national cybersecurity policies and a country’s cybersecurity performance.

We applied various statistical tools and models to freely available predictor data with the intention
of taking country-level developmental markers and predicting cybersecurity performance.15
The result was a model that predicts CCM based on a set of 34 predictor variables. This model
also yielded greater insight into the relationship between predicted and actual cybersecurity
performance. To get that, we took the model predictions to create another model that clustered
countries into one of three groupings. Profiling those groupings provided a link between
cybersecurity performance and key government policies.

This research also resulted in the identification of specific markers that can not only signal above-
average cybersecurity performance, but can also signal countries that have better cybersecurity
performance than we would expect given attributes that are not necessarily easily controlled, such
as GDP. Specifically, those countries that sign the Council of Europe Cybercrime treaty and/or the
London Action Plan are more likely to outperform a predictive model of cybersecurity performance.

14 http://go.microsoft.com/fwlink/?LinkId=143927
15 For a more detailed description of methodology, refer to Appendix.
Evolving Policy Initiatives for Future Impact
Having identified a correlation between certain policy tools and national cybersecurity
performance, policymakers may wish to focus their attention on adopting or evolving these types
of tools to address future challenges. Policy developments in the previous decade sought to lay
a foundation to build a more connected society and promote e-commerce. The next decade will
focus on the security and protection of that infrastructure, both domestic and international in
order to continue to grow.

Figure 5. Progression of cybersecurity policy
[Timeline: 2000 Risk; 2005 Resiliency; 2010 Internet Governance; 2015 Norms; 2020 Harmonization.
National: Public-private partnership models maturing at the national level for more than 10 years
around the world. International: Public-private partnership models for international level
collaboration need stronger support from both government and industry.]

As policymakers consider future initiatives designed to impact national cybersecurity, it will be
important to draw lessons from the policy discussions of the previous decade. Policymakers should
pay particular attention to the lessons from policies that this study identifies to have a positive
correlation with national cybersecurity, such as the Council of Europe Convention on Cybercrime and
the London Action Plan. As a participant in some of these initiatives, our company has observed
firsthand the reasons for their effectiveness, and offers the following impressions:

Evolving Context for Cybersecurity Policy: New Demographics of Global Internet Users
In considering cybersecurity policy initiatives, it is important for policymakers to consider the global
demographics of Internet users. During the creation of many of the initiatives noted above, such as the
Council of Europe Convention on Cybercrime and the London Action Plan, Internet users were largely
concentrated in North America and Western Europe. Because of this and other factors, countries in
those regions took leading roles in developing and leading global cybersecurity policy initiatives.

However, in coming years, shifts in Internet user demographics will create new centers of gravity in
the global online population. As demonstrated in the data visualization (Figure 6), which shows a
map of the world in 2020 with countries sized by their relative population of Internet users and colored
according to the total number of Internet users relative to their population, countries such as China,
India, Nigeria, and other emerging economies will be home to the bulk of global Internet users.

Figure 6: Projected distribution of global Internet users in 2020

This shift in demographics does not mean that these new centers of gravity will necessarily drive
policy initiatives, but it does mean that global-scale initiatives—as well as some regional and
national-level initiatives—will need to be responsive to these emerging demographic changes.
More than ever, policymakers will have to consider the unique and diverse perspectives that
different countries bring to cybersecurity, while maintaining currently established policy
frameworks that have proven key to promoting the growth of the global ICT industry.

International Treaties (e.g., Council of Europe Convention on Cybercrime)


Though international treaties are difficult to develop and enact, the Council of Europe Convention
on Cybercrime (COE) has had a strong and positive impact on global initiatives to combat
cybercrime. In essence, the COE has succeeded because it has helped spur governments to enact
cybercrime legislation domestically and work to combat international cybercrime, and because it focuses
on problems of cross-jurisdictional importance that serve the interests of many states rather than
few. Though there is clearly contention among nations regarding the need for new international
treaties related to cybersecurity, these principles—of establishing enabling mechanisms for
intergovernmental action and advancing the interests of a large number of nations—should guide
any future treaty with significant relationship to cyberspace.

In the future, as noted below, increased participation from countries with growing user populations,
as well as private industry, will be critical. The emerging centers of gravity must play a constructive
and credible role in creating and promoting global agreement on mechanisms to enable security in
cyberspace in the future. Participation from the private sector is also important in articulating effective
and practicable cybersecurity mechanisms. As governments engage in the emerging discussions for
developing norms and rules of behavior in cyberspace, they should incorporate the input of the private
sector, as industry plays a critical role in carrying out many cybersecurity policies once articulated.

Voluntary Codes of Conduct (e.g., London Action Plan)


As the global ICT industry continues to grow, so will the importance of voluntary and affirmative
programs to tackle cybersecurity challenges. As an example of such efforts, the London Action
Plan is instructive for two reasons. First, it demonstrates that when governments collaborate to
articulate common principles and commit to cooperative action to promote cybersecurity, it
creates an environment that encourages industry to support such principles and actions. Second,
the voluntary and affirmative approach allows for multistakeholder engagement and input. The
resulting bottom-up approach creates an effective framework for resolving some of the most
vexing cybersecurity challenges, such as spam and botnets, which are likely to continue to pose
a threat in the future. More recently, voluntary codes of conduct for ISPs to help address botnet
threats have been developed in both Australia and the United States.

Given the sheer size and complexity of the globally distributed ICT industry, policymakers should
consider voluntary codes of conduct that allow for participation by industry, from development
to implementation, when addressing future cybersecurity policy challenges. As our model
shows, there is a correlation between the London Action Plan and cybersecurity performance,
demonstrating the quantitative impact of voluntary codes and their value for policymakers.

Military Defensive Strategies for Cybersecurity


Among the policy tools considered in our model, at this stage, military defensive strategies for
cybersecurity are the most unpredictable in relation to overall cybersecurity, and this will continue.
As our model demonstrated, whether or not a country has a defense strategy for cybersecurity
is not a strong predictor of its cybersecurity performance. However, the expression of military
doctrines for cyberspace is a novel and ongoing development. Therefore, we believe that their
quantitative impact is less meaningful than their qualitative impact. Currently, the increased role of
defense authorities in cybersecurity is viewed as a potentially destabilizing force, with many public
and private entities questioning whether and how defense authority engagement in cyberspace
should be managed.

The fact remains that defense authorities will engage in cyberspace, and we believe that this
engagement will occur in at least three forms. First, relying upon security-focused arguments,
defense authorities will leverage nontariff barriers to trade to prevent or limit civil market access
for ICT vendors from countries perceived as distrusted. Second, again leveraging security-focused
arguments, defense authorities will similarly restrict their government procurement choices to
favor products and services from domestic and other trusted sources. Third, there is the prospect
of actual military conflict in cyberspace, which may involve attacks upon critical trust mechanisms
of the Internet, such as security update services or network infrastructure, as has already occurred.

As policymakers face these challenges, the concept of reciprocity must drive decision-making.
Enacting restrictive trade policies can have a domino effect, sparking retaliation by other
governments and thereby undermining the globally distributed nature of the ICT industry and its
benefits. Reciprocity is an even greater consideration in the arena of conflict or warfare, as actions
by one government can quickly escalate and cause unintended consequences and retaliatory
actions by other governments. Therefore, policymakers must be vigilant when considering the
second- and third-order implications of their actions in developing defense and military strategies,
and seek to promote balanced standards based on technology-neutral practices.

Cross-Domain Alignment (e.g., antipiracy strategies)


Because of the technical nature of many cybersecurity tools, policymakers sometimes fail to
consider the importance of leveraging mechanisms that cross legal, policy, and technology
domains to accomplish desired outcomes. For example, effective antipiracy work requires a mix
of legal, public policy, and technology mechanisms, all of which involve public and private sector
engagement. Looking back to the start of global antipiracy efforts, governments and industry
engaged to fight piracy, to protect intellectual property, and to preserve their economic interests.
These efforts realized benefits that extended beyond the immediate goal of limiting financial
losses associated with piracy: by removing illegitimate products that often included
reduced security features, governments also reduced their overall level of cybersecurity risk.

Looking forward, policymakers should focus on similar alignment of legal, public policy, and
technology mechanisms to reduce cybersecurity risk, whether risk management is a primary,
secondary, or attendant benefit. At present, there are many technology tools to address
cybersecurity risk in the private sector, but there is a relative dearth of legal and public policy
initiatives to support them. While this is only one example, the challenge of cultivating an
ecosystem for trusted identity on the Internet speaks to the need for cross-domain alignment.
As our model shows, there is a correlation between reduced piracy rates and cybersecurity
performance, demonstrating the quantitative impact of such cross-domain alignment efforts and
their value for policymakers.

Conclusion
Though it is hard to predict exactly what the digital world will look like in the decades ahead, strong
cybersecurity will be critical to its successful existence. Policymakers around the globe are faced with the
difficult challenge of creating policies that positively impact their national cybersecurity. Knowing which
types of initiatives have the greatest positive impact on cybersecurity will allow policymakers to make
informed, results-based policy decisions.

In reviewing qualitative and quantitative impacts on national cybersecurity, this paper seeks to place
policy decisions alongside a framework of technical and demographic projections to create a view of
what the future environment for policymaking could look like. By identifying the underlying principles
of certain policies that are correlated with overperformance in cybersecurity, such as intergovernmental
frameworks for cooperation and voluntary codes of conduct, policymakers can develop future
approaches that are more likely to be effective in combating the evolving threats in cyberspace.

To meet our future security challenges in cyberspace, Microsoft urges governments to participate in
a broader dialogue on normative standards to better protect citizens on the Internet that includes
perspectives from the ICT industry. This process develops rules of behavior in cyberspace that can
reduce threats, increase confidence and trust, and help improve security of the cyberecosystem at the
international level. As discussed in this paper, CCM is a rough approximation of the attack surface for a
particular country or region. Industry and governments can work in partnership to reduce this attack
surface and make the computing infrastructure less susceptible to attack and compromise.

Appendix A: Methodology
In order to test the predictability of CCM given nontechnical measures, we used linear regression
modeling. A regression analysis allows us to build a model that shows the predicted impact on
CCM as the various indicator variables (such as GDP, computers per capita, etc.) fluctuate. By
solving for a universal starting point (known in regression analysis as the constant), we then were
able to use the model to predict CCM at the country level, with differences in predicted CCM
across countries being driven by differences in the indicator variables (such as GDP per capita,
computers per capita, etc.).

There are several existing approaches to regression modeling, each with its own set of advantages.
The type of analysis we utilized to build the model was Correlated Component Regression
(CCR). CCR modeling differs from other regression techniques in that instead of constructing a
relationship between the dependent variable (in this case CCM) and the individual predictors (in
this case, the indicator variables), CCR constructs relationships between the dependent variable
and a number of components—components being latent variables created by the model. Each
component includes every predictor variable in the model (GDP, etc.),
but the weighting of each of those predictors varies from component to component (a similar
concept to principal component analysis). As a result, some components may be more heavily
representative of particular indicators, such as GDP, while other components are more heavily
representative of other indicators, such as Facebook or IE6 usage. We chose to use CCR modeling
because it offers an advantage over other techniques, in that it reduces potential error created
by datasets that have a large number of correlated predictors (such as computers per capita and
percentage of population with an Internet-connected computer), relative to data points. This
was beneficial to this dataset, given that we used 34 predictors to predict CCM, based on 106
countries/regions.

The first stage of analysis was a step-down analysis, designed to identify those indicators that are most
important to the model. By using step-down analysis, we were able to reduce the number of indicators
from 80 to 34. In this case, step-down analysis was run by creating a model with all indicators,
identifying the 1 percent of indicators that were least important to the model and removing those
variables. This process was repeated until we identified the model with the best fit.

When identifying the model of best fit, we used a methodology commonly known as cross
validation. We did this to measure not only how well our model could predict the data we fed into
it (the predictor variable data of the 106 locations), but also how well it could predict random data
(that is, how well it could predict CCM performance for countries/regions that we aren’t testing).
Cross validation, commonly known as K-Fold cross validation, works by using pieces of the dataset
to test results. In cross validation, we divide the data into an equal number (represented by the
variable K) of “folds” of random cases, and then apply the model to see how well K-1 folds predict
the final fold. In this analysis, K=10. In simpler terms, we would repeatedly randomly test how well
90 percent of the data predicted the final 10 percent to determine fit. We used this methodology
to optimize the model tuning parameters (number of components and predictor variables), as well
as to identify the model of best fit.

As the final step, we ran a cross-validated five-component model. The results were interpreted
in the same way as other regressions: each predictor coefficient determined impact on CCM.
Coefficients may not have been directionally consistent with correlations; this is because
some of the predictor variables in the model help explain otherwise unexplainable variance in
other predictor variables, as opposed to directly predicting CCM. These types of variables are
commonly known as suppressor variables, since they suppress otherwise inherent error in some
of the predictor variables included in the model, and help to improve overall model accuracy. As
a result, the accuracy of the model lies in the overall prediction in aggregate, and not the direct
relationship with any specific indicator.
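
The step-down and 10-fold cross-validation loop described in this appendix, as an added example that is not code from the paper or from Microsoft. It substitutes ordinary least squares for CCR, drops one predictor per round rather than 1 percent, and runs on constructed data; all function names, column names and values are assumptions.

```python
import random

def fit_ols(X, y):
    """Least-squares coefficients, intercept first, via the normal equations."""
    rows = [[1.0] + list(r) for r in X]
    p = len(rows[0])
    # Augmented matrix [X'X | X'y], reduced by Gauss-Jordan with pivoting.
    A = [[sum(r[i] * r[j] for r in rows) for j in range(p)]
         + [sum(r[i] * t for r, t in zip(rows, y))] for i in range(p)]
    for c in range(p):
        piv = max(range(c, p), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        for r in range(p):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [A[i][p] / A[i][i] for i in range(p)]

def kfold_mse(X, y, cols, k=10, seed=1):
    """Held-out mean squared error: fit on k-1 folds, predict the remaining fold."""
    idx = list(range(len(y)))
    random.Random(seed).shuffle(idx)
    folds = [idx[i::k] for i in range(k)]
    sq_err = 0.0
    for held in folds:
        held_set = set(held)
        train = [i for i in idx if i not in held_set]
        beta = fit_ols([[X[i][c] for c in cols] for i in train],
                       [y[i] for i in train])
        for i in held:
            pred = beta[0] + sum(b * X[i][c] for b, c in zip(beta[1:], cols))
            sq_err += (y[i] - pred) ** 2
    return sq_err / len(y)

def step_down(X, y, n_cols):
    """Drop the weakest predictor each round; keep the subset with the best CV error."""
    cols = list(range(n_cols))
    best_mse, best_cols = kfold_mse(X, y, cols), cols[:]
    while len(cols) > 1:
        beta = fit_ols([[r[c] for c in cols] for r in X], y)[1:]
        # Predictors are on comparable scales here, so |coefficient| ranks importance.
        cols.pop(min(range(len(cols)), key=lambda j: abs(beta[j])))
        mse = kfold_mse(X, y, cols)
        if mse < best_mse:
            best_mse, best_cols = mse, cols[:]
    return best_cols, best_mse

def make_data(n=106, seed=7):
    """Constructed data: 106 rows echo the paper's sample size; values are synthetic."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        s1, s2 = rng.gauss(0, 1), rng.gauss(0, 1)
        # Two real drivers, one predictor correlated with the first, five noise columns.
        row = [s1, s2, s1 + 0.5 * rng.gauss(0, 1)] + [rng.gauss(0, 1) for _ in range(5)]
        X.append(row)
        y.append(3 * s1 - 2 * s2 + rng.gauss(0, 1))
    return X, y

NAMES = ["signal_1", "signal_2", "correlated_copy"] + [f"noise_{i}" for i in range(1, 6)]

if __name__ == "__main__":
    X, y = make_data()
    chosen, mse = step_down(X, y, len(NAMES))
    print("full model CV MSE:", round(kfold_mse(X, y, list(range(len(NAMES)))), 3))
    print("kept:", [NAMES[c] for c in chosen], "CV MSE:", round(mse, 3))
```

The held-out error, not the fit on the training rows, decides which subset survives, which is why a predictor that only echoes another one can be dropped without hurting the score.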

Appendix B: Data Sources
| Indicator | Correlation with CCM | Description | Year | Source |
|---|---|---|---|---|
| 7 Year Growth | 0 | 5-year average GDP per capita growth (% annual) | 2008 | World Development Indicators |
| Broadband Penetration | -0.6 | Fixed broadband connections per 100 people | 2010 | International Telecommunication Union |
| Broadband Speed | -0.3 | The contracted capacity of international connections between countries for transmitting Internet traffic | 2008 | World Development Indicators |
| Computers per Capita | -0.6 | Percentage of households who own a personal computer | 2010 | Euromonitor International |
| Corruption | -0.5 | Corruption perceptions index relates to the degree of corruption perceived by business people and country analysts, and ranges between 10 (highly clean) and 0 (highly corrupt) | 2010 | Transparency International |
| Demographic Instability | 0.6 | Pressures on the population, such as disease and natural disasters, that make it difficult for the government to protect its citizens, or demonstrate lack of capacity or will | 2009 | Failed States Index |
| Facebook Usage | -0.3 | Number of Facebook users | 2011 | socialbankers.com |
| Foreign Direct Investment Size | 0 | Foreign direct investments is net inflows of investment to acquire a lasting management interest in an enterprise operating in an economy other than that of the investor. Adjusted by the moving average | 2008 | World Development Indicators |
| GDP per Capita | -0.3 | Gross domestic product per capita, current prices | 2011 | International Monetary Fund |
| Government Type | -0.4 | The extent to which a society is autocratic or democratic | 2008 | Polity IV |
| Gross Income per Capita | -0.5 | Income before taxes from all sources | 2010 | Euromonitor International |
| Health Expenditure per Person | -0.6 | Health expenditures per Capita with external aid | 2006 | World Health Organization |
| Hi-Tech Exports | -0.3 | High-tech exports as a percentage of manufactured exports | 2008 | World Development Indicators |
| ICT Exports | -0.2 | Information and communication technology exports as a percentage of total goods exports | 2008 | World Development Indicators |
| IE6 Usage | -0.2 | Internet Explorer 6 usage share | 2011 | Microsoft |
| Immunization to Measles | -0.2 | Rate of immunization against measles | 2008 | Euromonitor International |
| Life Expectancy | -0.4 | Life expectancy at birth | 2010 | Euromonitor International |
| Literacy Rate | -0.5 | Adult literacy rate | 2010 | Euromonitor International |
| Market Size | -0.6 | Domestic consumption plus country exports minus country imports | 2008 | World Development Indicators |
| Offenses | -0.5 | Number of offenses per 100,000 people. Offenses refers to any act which is punishable under law. The number includes both criminal and administrative offenses | 2010 | Euromonitor International |
| Ownership of Networked PC | -0.4 | Percentage of households with broadband Internet connection via home computer | 2010 | Euromonitor International |
| Productivity | -0.4 | Refers to labor productivity, output of goods and services in the economy per employed person | 2010 | Euromonitor International |
| R&D Expenditure | -0.5 | Expenditures for research and development are current and capital expenditures (both public and private) on creative work undertaken systematically to increase knowledge of humanity, culture, and society, and the use of knowledge for new applications | 2008 | World Development Indicators |
| Regime Stability | -0.4 | The number of years since the most recent regime change | 2008 | Polity IV |
| Regulation | -0.5 | Measures the extent of regulation within the business sector. It captures general regulation with respect to investment and competition | 2008 | World Bank Governance |
| Royalty Receipts | -0.4 | Royalty and license fees are payments and receipts between residents and nonresidents for the authorized use of intangible, nonproduced, nonfinancial assets and property rights | 2008 | World Development Indicators |
| Rule of Law | -0.5 | The extent to which individuals within a society respect property rights, the police, and the judiciary system, as well as the quality of police and legal safeguards | 2008 | World Bank Governance |
| Savings | -0.3 | Gross domestic savings | 2008 | World Development Indicators |
| School Learning Age | -0.4 | Refers to the leaving age of compulsory education | 2010 | Euromonitor International |
| Secure Net Servers | -0.5 | Secure Internet servers per million people | 2008 | World Development Indicators |
| Start Up Costs | -0.2 | Start-up business measured as share of gross national income per capita | 2009 | World Development Indicators |
| Telecom Expenditures | -0.3 | Consumer expenditure on telecommunications services | 2010 | Euromonitor International |
| Uneven Economic Development | -0.6 | Group-based inequality, or perceived inequality, in education, jobs, and economic status. Also measured by group-based poverty levels, infant mortality rates, and education levels | 2009 | Failed States Index |
| Use of Mobile Devices | -0.3 | Cellular devices per 100 people | 2008 | World Development Indicators |

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change
without notice. You bear the risk of using it.

Copyright © 2014 Microsoft Corporation. All rights reserved.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
