Aaron Kleiner
Paul Nicholas
Kevin Sullivan
Microsoft Trustworthy Computing
Authors
Aaron Kleiner, Microsoft Trustworthy Computing
Paul Nicholas, Microsoft Trustworthy Computing
Kevin Sullivan, Microsoft Trustworthy Computing
Contributors
Bruce Cowper, Microsoft Trustworthy Computing
Andrew Cushman, Microsoft Trustworthy Computing
Dave Forstrom, Microsoft Trustworthy Computing
Cristin Goodwin, Microsoft Trustworthy Computing
William Howerton, Good Harbor Security Risk Management
Jacob Olcott, Good Harbor Security Risk Management
Tim Rains, Microsoft Trustworthy Computing
Travis Scoles, Schireson Associates
Neil Shah, Schireson Associates
Foreword
This special edition of the Microsoft Security Intelligence Report (SIR) was authored by Microsoft’s
Global Security Strategy and Diplomacy (GSSD) team. GSSD works collaboratively with
governments, multilateral organizations, industry, and nonprofit groups to enhance security
across the cyberecosystem. Leveraging technical depth and public policy expertise, GSSD
supports public and private sector initiatives that promote trustworthy plans and policies, resilient
operations, and investments in innovation.
While Microsoft has long reported on the technical measures of cybersecurity through the SIR and
other sources of information, we have been looking to better understand the full environment that
leads to a given cybersecurity outcome. We believe that is dependent on a range of technical and
nontechnical measures including use of modern technology, mature processes, user education, law
enforcement, and public policies related to cyberspace. Each of these measures may contribute
directly or indirectly to the cybersecurity performance measures reported in the SIR.
This paper introduces a methodology for examining how nontechnical socioeconomic factors in a
country or region impact cybersecurity performance. With this methodology we can build a model
we hope can help predict the expected cybersecurity performance of a given country or region.
From that prediction, we can attempt to better understand the public policies that distinguish the
performance of different countries and regions.
We are excited by the initial results of our research that demonstrate significant differences in
security outcomes between countries that have, for example, signed or ratified the Council of
Europe. Both policymakers and technology experts face increasing demands for innovation
and impact. It is our hope that this work catalyzes additional research into the holistic factors
impacting cybersecurity around the world as well as a data-driven approach to policymaking.
Paul Nicholas
Senior Director of Global Security Strategy and Diplomacy, Trustworthy Computing, Microsoft
Introduction
The world is in the midst of an unprecedented technological transition, characterized by growth in
the volume and diversity of people, devices, and data connected to the Internet. Across the globe,
billions of people are using information and communications technology (ICT) infrastructure to
conduct business and interact with governments and each other. The World Economic Forum
recently observed that “more than 70 percent of the world’s citizens live in societies that have just
begun their digitization journeys.”1 With so many people moving toward an increasingly digital
lifestyle, the world that emerges at the conclusion of this transition will likely be very different than
the world we know today.
Building a safer, more trusted Internet nationally and internationally requires policymakers,
business decision-makers, and ICT providers to collectively develop technical and policy solutions
that will enable citizens, enterprises, and governments to meet their computing objectives in a
secure, private, and reliable manner.
Cybersecurity is critical for the success of the world’s digital future.2
Over the past decade, national policymakers and the international policy community have
undertaken a variety of initiatives that have been fundamental to establishing effective
nontechnical cybersecurity public policy. As a company, Microsoft has participated in many of these
initiatives because we believe these efforts improve and enhance global cybersecurity. Through our
participation, we have come to appreciate and understand the difficulty that policymakers face when
evaluating the success of their initiatives designed to reduce cyberrisks today and in the future.
Understanding whether certain policies can measurably reduce cyberrisks at a national level is
a critical exercise for policymakers seeking effective solutions to these challenges. In this vein,
Microsoft set out to create a methodology to evaluate the impact of policy solutions on national
cybersecurity efforts. Using a reasonable statistical measurement for evaluating cybersecurity
on a national level, a framework was created to examine various factors that distinguish levels of
cybersecurity performance among countries and to identify whether adoption of certain policies
or strategic actions is related to cybersecurity performance.
The results of our analysis have implications for current and future policy initiatives. We found
that countries adopting or implementing certain policies, including international treaties like
the Council of Europe Convention on Cybercrime and voluntary codes of conduct like the
London Action Plan, are more likely to overperform on a key cybersecurity metric compared to
countries that have not adopted the same policies. For policymakers seeking ways to improve
national cybersecurity, these policies represent activities that are likely to have a meaningful
and measurable impact. While we believe that these specific policy actions are critical steps for
policymakers to consider when addressing cybersecurity on a national level, the manner in which
these policies were created and adopted, through international partnership or joint public/private
efforts, likely serves as an important model for how successful cybersecurity policies might be created
in the future.
Recognizing the limitations of our study, we nevertheless hope that this whitepaper adds value to
other efforts to form more reliable risk reduction metrics in cyberspace and serves as a useful tool
for national policymakers considering various approaches towards achieving greater cybersecurity.
1 http://www3.weforum.org/docs/Global_IT_Report_2012.pdf
2 Cybersecurity: Cornerstone of a Safe, Connected Society, http://aka.ms/TwC_Cyber_Paper
How We Measure Cybersecurity: Infected Computer Data
Today, a multitude of reports from antivirus vendors, security experts, networking providers
and our own Microsoft Security Intelligence Report (SIR) provide technical insight into the
cybersecurity problem. Technical reports are important tools to help understand the pervasiveness
of malicious code on machines. Microsoft’s own technical measure of cybersecurity is derived
from our broad deployments of enterprise and consumer software products, as well as global
investments in online services such as search engines and e-mail systems. Our results are based
on findings from our Malicious Software Removal Tool (MSRT), an anti-malware utility that checks
Windows computers for prevalent threats and helps remove any malware or infections found.
Delivered primarily through the Windows Update process, MSRT runs on more than 600 million
devices per month. This represents a large proportion of the global installed base of personal
computers, making the results a reasonable proxy for overall cybersecurity levels.
The MSRT evaluates the current level of malicious code infections on computer systems across
the globe. To produce a consistent measure of infection that can be used to compare different
populations of computers to each other over time, Microsoft reports infection rates using a
metric called computers cleaned per mille (thousand) or “CCM,” which represents the number of
computers cleaned for every 1,000 times that the Malicious Software Removal Tool (“MSRT”) is
run. For example, if the MSRT is run 50,000 times in a particular country/region in the first quarter
of the year and removes infections from 200 computers, the CCM for that country/region in the
first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000). For the purposes of this analysis and paper,
we use CCM as a proxy for cybersecurity performance. A higher CCM number indicates a higher
incidence of malware removed in a given geographical area, which we interpret as a lower level
of cybersecurity performance.3 Lower CCM numbers denote fewer malware removals and thus
a higher level of cybersecurity performance. Figure 1 illustrates the CCM number for countries/
regions around the world in the fourth quarter of 2011.4
Figure 1: Infection rates by country/region in 4Q11, by CCM (legend bands: 20+, 15 to 20, 10 to 15, 5 to 10, >0 to 5, insufficient data)
3 Since Q1 of 2011, the CCM has been reported based on geographic location rather than the
administrator-defined location. http://blogs.technet.com/b/security/archive/2011/11/15/determining-the-geolocation-of-systems-infected-with-malware.aspx
4 Microsoft Security Intelligence Report Volume 12: July-December 2011. http://www.microsoft.com/security/sir/archive/default.aspx
CCM, like other technical cybersecurity metrics used in the industry, is an imperfect one. For
instance, CCM does not measure and report important cybersecurity outcomes, including
actual damage caused by infections. While we chose to use the CCM metric as an indicator of
cybersecurity for purposes of our study, we hope that industry, government, and academia will
continue to develop other useful metrics in order to create a more complete understanding of the
impact of cyber risk.
In general, most of the indicators we identified were negatively correlated with CCM; as the
indicator rises, CCM will decrease. It is important to emphasize that these are
correlative, not causal, relationships. For example, with respect to education, the data show
that lower CCM rates are related to the length of time that a country’s citizens spend in school. The
chart below contains a sample of our findings:
The graph below shows a scatter plot of the actual and expected cybersecurity performance
of over 100 countries. We omitted the names of individual countries in this report because our
intention is to understand the drivers of cybersecurity performance rather than discuss the
performance of any individual country.
By identifying the underlying principles of certain policies that are correlated with overperformance
in cybersecurity, such as intergovernmental frameworks for cooperation and voluntary codes
of conduct, policymakers can develop future approaches that are more likely to be effective in
combating the evolving threats in cyberspace.
Figure 2: Actual vs. predicted cybersecurity performance per country or region (scatter plot; x-axis: 2011 Actual Cybersecurity Performance, y-axis: 2011 Predicted Cybersecurity Performance, both scaled 0 to 24)
Expected/Predicted CCM
Along the Y-axis is the predicted level of cybersecurity for each country. This accounts for the variation
among countries and gives us an expected/predicted CCM number based on the 34 variables.
Model Line
The diagonal line from the lower-left to the upper-right of the graph represents a perfect fit of
the model. If we were able to perfectly predict the levels of cybersecurity performance for each
country, each would fall on this line.
Strength of Our Predictive Model
The strength of this model is expressed by the term R², which describes how much of the predicted
value can be explained by the regression formula. Generally, ranging from 0 to 1, an R² of 0 would
indicate no predictive power, 0.1–0.3 weak prediction, 0.4–0.6 moderate prediction, and 0.7–1
strong prediction. Our model has an R² of 0.68, indicating moderate predictive ability. While purely scientific
studies may strive for R² values of 0.9 or above, we consider our model to be a good starting point
for this discussion.
Since the model is not perfect, individual countries are on, above, or below the model line.
Countries above the line are considered to be outperforming the model. That is, their actual
levels of cybersecurity performance are better (lower CCM) than our model predicts based on the
nontechnical indicators. Conversely, countries located below the line are underperforming the
model. Their actual levels of cybersecurity are worse (higher CCM) than our model had predicted.6
We then used latent class segmentation7 to classify each country into one of three clusters, based
on both their actual and predicted CCM. The end result is a model with three distinct clusters of
countries, which we call Maximizers, Aspirants, and Seekers.
Figure 3: Cluster analysis of cybersecurity performance (x-axis: 2011 Average Cybersecurity Performance, y-axis: 2011 Predicted Cybersecurity Performance, both scaled 0 to 24; clusters labelled Maximizers, Aspirants, and Seekers)
6 Note on our methodology: We expect that countries’ positions on the chart will change over time as both
nontechnical and technical conditions evolve. We also expect that CCM changes will be more frequent and
erratic, relative to some of the other indicator variables; this is based on past observations of CCM fluctuating
between quarters relatively more than other government indicators, such as GDP. For this reason, we have
chosen to model and report on annualized averages where possible, as this minimizes potentially misleading
data that is a direct result of quarterly fluctuation. In some cases, the predicted CCM is extremely low, and
potentially below 0, which, from a practical standpoint, cannot happen. This is a result of using a linear
regression model. The model cannot understand that the practical floor for CCM is 0. Negative CCM results
should be interpreted as a small positive number that is approaching 0, from a real-world standpoint.
7 Vermunt, Jeroen K. and Jay Magidson. Latent Class Models for Classification. In latent class segmentation,
we create variables (known as latent variables), and assign each of the countries to belong to one of those
variables. The variables act to explain the variance between expected and predicted CCM—countries with
similar variance are grouped together. The optimal clustering model is determined by maximizing the
explainable difference, and is found by testing varying number of latent variables (varying numbers of
clusters) and varying combinations of countries included in each cluster.
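The steps described above, as an added sketch that is not Microsoft's model, code or data: compute CCM from MSRT counts, fit a linear regression with a constant, report R², and place each country relative to the model line. The country names, counts and the two indicators are constructed, and a fixed residual band stands in for the paper's latent class segmentation.

```python
# Added illustration, not the paper's model or data. Country names, MSRT counts
# and both indicators are constructed; the paper used 34 predictor variables.

def ccm(cleaned, executions):
    """Computers cleaned per mille: cleaned machines per 1,000 MSRT executions."""
    if executions <= 0:
        raise ValueError("MSRT executions must be positive")
    return cleaned * 1000.0 / executions

def solve(a, b):
    """Solve the square system a.x = b by Gaussian elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("indicators are collinear; model is not identifiable")
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x

def fit_ols(rows, y):
    """Least squares with an intercept (the 'constant'): (X^T X) beta = X^T y."""
    X = [[1.0] + list(r) for r in rows]
    k = len(X[0])
    xtx = [[sum(x[i] * x[j] for x in X) for j in range(k)] for i in range(k)]
    xty = [sum(x[i] * yi for x, yi in zip(X, y)) for i in range(k)]
    return solve(xtx, xty)

def predict(beta, row):
    return beta[0] + sum(b * v for b, v in zip(beta[1:], row))

def interpretable_ccm(beta, row):
    """A linear model can predict below zero; read that as a CCM approaching 0."""
    return max(predict(beta, row), 0.0)

def r_squared(actual, predicted):
    mean = sum(actual) / len(actual)
    ss_res = sum((a - p) ** 2 for a, p in zip(actual, predicted))
    ss_tot = sum((a - mean) ** 2 for a in actual)
    return 1.0 - ss_res / ss_tot

def classify(actual, predicted, band):
    """Position relative to the model line, using a fixed residual band
    (a simple stand-in for the paper's latent class segmentation)."""
    residual = actual - predicted
    if residual <= -band:
        return "outperforms"      # fewer cleanings than the indicators predict
    if residual >= band:
        return "underperforms"    # more cleanings than the indicators predict
    return "on par"

# Constructed sample: (country, MSRT executions, computers cleaned,
# broadband subscriptions per 100 people, mean years of schooling)
CONSTRUCTED = [
    ("Country A", 200000, 3340, 5, 6),
    ("Country B", 100000, 680, 10, 9),
    ("Country C", 50000, 420, 15, 7),
    ("Country D", 100000, 670, 20, 11),
    ("Country E", 300000, 900, 25, 10),
    ("Country F", 100000, 290, 30, 12),
]

def analyse(data, band=2.0):
    """Return (coefficients, R^2, {country: label}) for the sample."""
    names = [d[0] for d in data]
    rows = [(d[3], d[4]) for d in data]
    actual = [ccm(d[2], d[1]) for d in data]
    beta = fit_ols(rows, actual)
    predicted = [predict(beta, r) for r in rows]
    labels = {n: classify(a, p, band) for n, a, p in zip(names, actual, predicted)}
    return beta, r_squared(actual, predicted), labels

if __name__ == "__main__":
    beta, r2, labels = analyse(CONSTRUCTED)
    print("constant and slopes:", [round(b, 3) for b in beta])
    print("R^2:", round(r2, 3))
    for name, lab in labels.items():
        print(name, lab)
    # Indicators beyond the fitted range push the raw prediction below zero.
    print("raw:", round(predict(beta, (40, 13)), 2),
          "interpreted:", interpretable_ccm(beta, (40, 13)))
```

Both slopes come out negative in this sample, matching the paper's observation that most indicators fall as CCM rises; the labels depend on the chosen band and carry no causal meaning.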
Maximizers are countries with more effective cybersecurity capabilities, and outperform the
model. This cluster has a moderate level of predicted cybersecurity, but relatively, it has the best
cybersecurity performance of all clusters. This overperformance of the model is the defining
attribute of the cluster. Within the countries that comprise the cluster, we see that they often have
better performance in key indicator variables (as defined by CHAID analysis8, which determines
the strength of relationship between predictor variables and cluster membership), including
personal computers in use per capita, health expenditure per capita, regime stability, and
broadband penetration. Maximizers include a relatively high percentage of European countries.
Aspirants are countries who are on a par with the model and are still developing cybersecurity
capabilities. This cluster has a moderate level of predicted cybersecurity, and in reality it performs
on par with those predictions. This predictability of cybersecurity performance is the defining
attribute of the cluster. Of the three clusters, Aspirants is also the largest. Within the countries
that comprise the cluster, we see that they often have average to above average performance
in key indicator variables, including broadband speed, secure Internet servers per capita, R&D
expenditure, and consumer telecommunications expenditure. Countries from around the world
comprise the Aspirants cluster, but it contains a slightly higher percentage of Latin American/
Caribbean nations than the others.
Seekers are countries with higher cybersecurity risk who underperform on model expectations.
While this cluster has a moderate to low level of predicted cybersecurity, in reality it has a low
level of cybersecurity, as measured by high CCM. As such, Seekers underperform with regard to
their cybersecurity potential. Of the three, the Seekers cluster is the smallest. The countries that
comprise the cluster often perform poorly in key indicator variables, including literacy, offenses
(crime) per capita, broadband speed, and broadband penetration. Compared to the key attributes
of Aspirants, we see that Seekers may be less likely to invest in technological infrastructure
development. Countries from around the world comprise the Seekers cluster, but it contains a
higher percentage of Middle Eastern/African nations than the others.
8 An Exploratory Technique for Investigating Large Quantities of Categorical Data. G. V. Kass. Journal of
the Royal Statistical Society. Series C (Applied Statistics), Vol. 29, No. 2 (1980), pp. 119-127. Published by:
Wiley for the Royal Statistical Society. Article Stable URL: http://www.jstor.org/stable/2986296
Impact of Cybersecurity Policies on National Performance
Why do countries with similar predicted CCM perform so differently on actual CCM? In other words,
if our model already accounts for key differences between countries (GDP, broadband penetration,
rule of law, etc.), why does the actual CCM number vary so much? We hypothesized that this
discrepancy can be partially attributed to policies and programs implemented by the country to limit
cybersecurity risk. We believe that these factors can help to explain part of the difference between
predicted and actual performance.
Evolution of Cyberpolicy
Over the last decade, national policymakers have considered myriad cybersecurity policies of varying
focus, size, scope, intent, and budget. The growth of Internet users and new threat actors helped
spur international dialogue around cybersecurity, which resulted in the development of the Council
of Europe Convention on Cybercrime in 2001. The Convention on Cybercrime created the first-ever
international treaty aimed at cybersecurity issues, and it has since been ratified by 37 countries.
As spam, phishing, and spyware began to create substantial threats to large enterprises, the
formation of new public/private partnerships became necessary. For instance, in response to growing
international pressure to contain the malware problem, government agencies from 27 countries
convened in October 2004 to form the London Action Plan. The plan was created to “promote
international spam enforcement cooperation and address spam related problems, such as online fraud
and deception, phishing, and dissemination of viruses.”9 The plan also created a voluntary code of
conduct for private companies in order to elicit greater spam enforcement cooperation.
Policymakers must also consider the growing theft of intellectual property and rising rates of
software piracy. Though actual financial costs are impossible to gauge, the theft of intellectual
property through cybermeans is thought to be in the multibillions per year, a number that has only
grown over time. The decade witnessed soaring piracy rates that inflicted significant economic
damage on companies. In 2003 the commercial value of the pirated software market was $28.8
billion;10 by 2011 the figure had increased to $63.4 billion. High piracy rates were particularly
fueled by PC shipments to emerging economies where piracy rates are highest.11 Software piracy
also directly impacts indicators such as CCM where in the first half of 2012, the most commonly
detected malware globally was typically bundled with counterfeit software.12
9 http://londonactionplan.org/the-london-action-plan/
10 http://www.bsa.org/country/Research%20and%20Statistics/~/media/5536D2D93FA746E69CBC12ECBCE0F319.ashx
11 http://portal.bsa.org/globalpiracy2011/downloads/study_pdf/2011_BSA_Piracy_Study-InBrief.pdf
12 http://www.microsoft.com/security/sir/story/default.aspx#!unsecure_distribution
13 James A. Lewis and Katrina Timlin, Center for Strategic and International Studies, Cybersecurity and Cyberwar:
Preliminary Assessment of National Doctrine and Organization, in Resources: Ideas for Peace and Security
(U.N. Inst. for Disarmament Research, 2011), http://www.unidir.org/files/publications/pdfs/cybersecurity-and-cyberwarfare-preliminary-assessment-of-national-doctrine-and-organization-380.pdf
Identifying Policies that Correlate with Cybersecurity Performance
How are these and other policies related to a country’s cybersecurity performance? To test our
theory about the role of policy in cybersecurity, we distilled the variety of types of cybersecurity
policies into certain initiatives that can be measured by a binary rather than a substantive
evaluation. For example, we queried whether a country was a signatory of the Council of Europe
Convention on Cybercrime, but did not further evaluate the extent or effect of the policies that
a country adopted in order to implement the treaty. Additionally, we considered whether or not
a country had developed a military cyberdefense strategy, but did not evaluate the robustness
of the strategy. Furthermore, in order to expand the data set, we evaluated policies adopted in a
statistically significant number of countries and regions.
We initially identified four policy factors that satisfy these criteria and ran them against our model:
Fifty-one percent of the countries in the Maximizer (overperforming/low-CCM) cluster had either
signed or ratified the treaty. While the COE rates and relative CCM performance relationship may not
be causal, there is a clear link between CCM performance relative to expectations and COE accession.
Interestingly, we noticed a declining trend of COE accession in countries with higher CCM scores
relative to predictions.
Forty-six percent of the overperforming cluster’s countries are members of the London Action
Plan. Also similar to the COE signatory trends, membership in the London Action Plan is linked
with CCM performance relative to expectations. As with COE signatory rates, there exists an
implied relationship between membership in the London Action Plan and relative cybersecurity.
While the relationship between CCM performance and the London Action Plan may not be causal,
we can definitively say that membership in the London Action Plan would be part of a profile for a
country that has relatively good cybersecurity.
Military Cyberdefense Strategy
Military cyberdefense strategy differs from London Action Plan membership and COE Signatory
status in that it does not trend with relative CCM performance. As Table 2 shows, countries with
publicly acknowledged military cyberdefense strategies comprise 51 percent of the
low-CCM cluster. However, 21 percent of the high-CCM underperforming cluster also had military
cyberstrategies. We also examined the countries with civil cyberstrategies but found no clear
relationship with cluster membership; countries with only civil cyberstrategies were equally likely
to be in any one of the three clusters.
It is possible that future analysis will show a correlation between military cyberdefense strategies
and cybersecurity performance. Many military strategies are still in their formative phases, having
been created in the past few years, and it can take time for the impact of new policies and
capabilities to be fully observed. As more countries around the world adopt both military and
civil-based cyberdefense strategies, it will be worth watching to see if there is a notable difference
in their security outcomes.
Piracy Rate
Though we did not evaluate individual policy approaches toward reducing piracy, the average
piracy rate of countries in the low-CCM cluster was drastically lower than the other clusters.
The implications of this observation are complex. Countries that do a better job managing
cybersecurity may also do a better job mitigating piracy, or countries with higher piracy rates may
have a more difficult time containing malware and other cyberthreats. This is a topic for further
research, but we found the relationship between piracy rates and CCM scores compelling enough
to highlight here.
As opposed to the other profiling factors discussed above, piracy rate is an outcome rather than
a policy tool. However, this does show the potential benefit of protecting intellectual property, as
higher rates of piracy are positively correlated with higher CCM. This is unsurprising, as pirated
software poses a serious security risk to its users. A 2008 study by the Harrison Group found that
companies that used unlicensed software were 73 percent more likely than those companies that
use fully licensed software to experience loss or damage of sensitive data, and were 43 percent
more likely to suffer critical computer failures.14
We applied various statistical tools and models to freely available predictor data with the intention
of taking country-level developmental markers and predicting cybersecurity performance.15
The result was a model that predicts CCM based on a set of 34 predictor variables. This model
also yielded greater insight into the relationship between predicted and actual cybersecurity
performance. To get that, we took the model predictions to create another model that clustered
countries into one of three groupings. Profiling those groupings provided a link between
cybersecurity performance and key government policies.
This research also resulted in the identification of specific markers that can not only signal above-
average cybersecurity performance, but can also signal countries that have better cybersecurity
performance than we would expect given attributes that are not necessarily easily controlled, such
as GDP. Specifically, those countries that sign the Council of Europe Cybercrime treaty and/or the
London Action Plan are more likely to outperform a predictive model of cybersecurity performance.
14 http://go.microsoft.com/fwlink/?LinkId=143927
15 For a more detailed description of methodology, refer to Appendix.
Evolving Policy Initiatives for Future Impact
Having identified a correlation between certain policy tools and national cybersecurity
performance, policymakers may wish to focus their attention on adopting or evolving these types
of tools to address future challenges. Policy developments in the previous decade sought to lay
a foundation to build a more connected society and promote e-commerce. The next decade will
focus on the security and protection of that infrastructure, both domestic and international in
order to continue to grow.
Figure 5: Progression of international cybersecurity policy (milestones shown: 2015 Norms, 2020 Harmonization)
Public-private partnership models for international level collaboration need stronger support from both government and industry.
However, in coming years, shifts in Internet user demographics will create new centers of gravity in
the global online population. As demonstrated in the data visualization (Figure 6), which shows a
map of the world in 2020 with countries sized by their relative population of Internet users and colored
according to the total number of Internet users relative to their population, countries such as China,
India, Nigeria, and other emerging economies will be home to the bulk of global Internet users.
Figure 6: Projected distribution of global Internet users in 2020
This shift in demographics does not mean that these new centers of gravity will necessarily drive
policy initiatives, but it does mean that global-scale initiatives—as well as some regional and
national-level initiatives—will need to be responsive to these emerging demographic changes.
More than ever, policymakers will have to consider the unique and diverse perspectives that
different countries bring to cybersecurity, while maintaining currently established policy
frameworks that have proven key to promoting the growth of the global ICT industry.
In the future, as noted below, increased participation from countries with growing user populations,
as well as private industry, will be critical. The emerging centers of gravity must play a constructive
and credible role in creating and promoting global agreement on mechanisms to enable security in
cyberspace in the future. Participation from the private sector is also important in articulating effective
and practicable cybersecurity mechanisms. As governments engage in the emerging discussions for
developing norms and rules of behavior in cyberspace, they should incorporate the input of the private
sector, as industry plays a critical role in carrying out many cybersecurity policies once articulated.
Given the sheer size and complexity of the globally distributed ICT industry, policymakers should
consider voluntary codes of conduct that allow for participation by industry, from development
to implementation, when addressing future cybersecurity policy challenges. As our model
shows, there is a correlation between the London Action Plan and cybersecurity performance,
demonstrating the quantitative impact of voluntary codes and their value for policymakers.
The fact remains that defense authorities will engage in cyberspace, and we believe that this
engagement will occur in at least three forms. First, relying upon security-focused arguments,
defense authorities will leverage nontariff barriers to trade to prevent or limit civil market access
for ICT vendors from countries perceived as distrusted. Second, again leveraging security-focused
arguments, defense authorities will similarly restrict their government procurement choices to
favor products and services from domestic and other trusted sources. Third, there is the prospect
of actual military conflict in cyberspace, which may involve attacks upon critical trust mechanisms
of the Internet, such as security update services or network infrastructure, as has already occurred.
As policymakers face these challenges, the concept of reciprocity must drive decision-making.
Enacting restrictive trade policies can have a domino effect, sparking retaliation by other
governments and thereby undermining the globally distributed nature of the ICT industry and its
benefits. Reciprocity is an even greater consideration in the arena of conflict or warfare, as actions
by one government can quickly escalate and cause unintended consequences and retaliatory
actions by other governments. Therefore, policymakers must be vigilant when considering the
second- and third-order implications of their actions in developing defense and military strategies,
and seek to promote balanced standards based on technology-neutral practices.
Looking forward, policymakers should focus on similar alignment of legal, public policy, and
technology mechanisms to reduce cybersecurity risk, whether risk management is a primary,
secondary, or attendant benefit. At present, there are many technology tools to address
cybersecurity risk in the private sector, but there is a relative dearth of legal and public policy
initiatives to support them. While this is only one example, the challenge of cultivating an
ecosystem for trusted identity on the Internet speaks to the need for cross-domain alignment.
As our model shows, there is a correlation between reduced piracy rates and cybersecurity
performance, demonstrating the quantitative impact of such cross-domain alignment efforts and
their value for policymakers.
Conclusion
Though it is hard to predict exactly what the digital world will look like in the decades ahead, strong
cybersecurity will be critical to its successful existence. Policymakers around the globe are faced with the
difficult challenge of creating policies that positively impact their national cybersecurity. Knowing which
types of initiatives have the greatest positive impact on cybersecurity will allow policymakers to make
informed, results-based policy decisions.
In reviewing qualitative and quantitative impacts on national cybersecurity, this paper seeks to place
policy decisions alongside a framework of technical and demographic projections to create a view of
what the future environment for policymaking could look like. By identifying the underlying principles
of certain policies that are correlated with overperformance in cybersecurity, such as intergovernmental
frameworks for cooperation and voluntary codes of conduct, policymakers can develop future
approaches that are more likely to be effective in combating the evolving threats in cyberspace.
To meet our future security challenges in cyberspace, Microsoft urges governments to participate in
a broader dialogue on normative standards to better protect citizens on the Internet that includes
perspectives from the ICT industry. This process develops rules of behavior in cyberspace that can
reduce threats, increase confidence and trust, and help improve security of the cyberecosystem at the
international level. As discussed in this paper, CCM is a rough approximation of the attack surface for a
particular country or region. Industry and governments can work in partnership to reduce this attack
surface and make the computing infrastructure less susceptible to attack and compromise.
Appendix A: Methodology
In order to test the predictability of CCM given nontechnical measures, we used linear regression
modeling. A regression analysis allows us to build a model that shows the predicted impact on
CCM as the various indicator variables (such as GDP, computers per capita, etc.) fluctuate. By
solving for a universal starting point (known in regression analysis as the constant), we then were
able to use the model to predict CCM at the country level, with differences in predicted CCM
across countries being driven by differences in the indicator variables (such as GDP per capita,
computers per capita, etc.).
There are several existing approaches to regression modeling, each with its own set of advantages.
The type of analysis we utilized to build the model was Correlated Component Regression
(CCR). CCR modeling differs from other regression techniques in that instead of constructing a
relationship between the dependent variable (in this case CCM) and the individual predictors (in
this case, the indicator variables), CCR constructs relationships between the dependent variable
and a number of components—components being latent variables created by the model. Each
component consists of the total number of predictor variables included in the model (GDP, etc.),
but the weighting of each of those predictors varies from component to component (a similar
concept to principal component analysis). As a result, some components may be more heavily
representative of particular indicators, such as GDP, while other components are more heavily
representative of other indicators, such as Facebook or IE6 usage. We chose to use CCR modeling
because it offers an advantage over other techniques, in that it reduces potential error created
by datasets that have a large number of correlated predictors (such as computers per capita and
percentage of population with an Internet-connected computer), relative to data points. This
was beneficial to this dataset, given that we used 34 predictors to predict CCM, based on 106
countries/regions.
The first stage of analysis was a step-down analysis, designed to identify those indicators that are most
important to the model. By using step-down analysis, we were able to reduce the number of indicators
from 80 to 34. In this case, step-down analysis was run by creating a model with all indicators,
identifying the 1 percent of indicators that were least important to the model and removing those
variables. This process was repeated until we identified the model with the best fit.
When identifying the model of best fit, we used a methodology commonly known as cross
validation. We did this to measure not only how well our model could predict the data we fed into
it (the predictor variable data of the 106 locations), but also how well it could predict random data
(that is, how well it could predict CCM performance for countries/regions that we aren’t testing).
Cross validation, commonly known as K-Fold cross validation, works by using pieces of the dataset
to test results. In cross validation, we divide the data into an equal number (represented by the
variable K) of “folds” of random cases, and then apply the model to see how well K-1 folds predict
the final fold. In this analysis, K=10. In simpler terms, we would repeatedly randomly test how well
90 percent of the data predicted the final 10 percent to determine fit. We used this methodology
to optimize the model tuning parameter (number of components and predictor variables), as well
as to identify the model of best fit.
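The step-down and 10-fold cross-validation procedure described above, as an added example that is not the paper's own code or its CCR software. It assumes a simple stand-in model (one component weighted by each predictor's simple-regression slope), drops one predictor per round, and runs on constructed data with 106 cases; all function names are hypothetical.

```python
import random

def make_folds(n, k, seed):
    """Shuffle the case indices and deal them into k near-equal folds."""
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    return [idx[i::k] for i in range(k)]

def fit(X, y, cols):
    """Stand-in model (not CCR): one component weighted by simple slopes."""
    n, my = len(y), sum(y) / len(y)
    mx = {c: sum(r[c] for r in X) / n for c in cols}
    w = {c: sum((r[c] - mx[c]) * (v - my) for r, v in zip(X, y))
            / sum((r[c] - mx[c]) ** 2 for r in X) for c in cols}
    s = [sum(w[c] * (r[c] - mx[c]) for c in cols) for r in X]
    beta = sum(a * (v - my) for a, v in zip(s, y)) / sum(a * a for a in s)
    return my, mx, w, beta

def predict(model, row):
    my, mx, w, beta = model
    return my + beta * sum(w[c] * (row[c] - mx[c]) for c in w)

def cv_r2(X, y, cols, folds):
    """Out-of-fold R^2: each fold is predicted by a model fit on the others."""
    sse = 0.0
    for held in folds:
        train = sorted(set(range(len(y))) - set(held))
        model = fit([X[i] for i in train], [y[i] for i in train], cols)
        sse += sum((y[i] - predict(model, X[i])) ** 2 for i in held)
    my = sum(y) / len(y)
    return 1 - sse / sum((v - my) ** 2 for v in y)

def step_down(X, y, folds):
    """Drop the least important predictor each round; keep the best CV score."""
    cols, history = list(range(len(X[0]))), []
    while cols:
        history.append((cv_r2(X, y, cols, folds), list(cols)))
        w = fit(X, y, cols)[2]
        cols.remove(min(cols, key=lambda c: abs(w[c])))
    return max(history)

def make_data(seed=7, n=106, p=8):
    """Constructed data: only predictors 0 and 1 drive the outcome."""
    rng = random.Random(seed)
    X = [[rng.gauss(0, 1) for _ in range(p)] for _ in range(n)]
    y = [10 - 3 * r[0] - 2 * r[1] + rng.gauss(0, 0.5) for r in X]
    return X, y

if __name__ == "__main__":
    X, y = make_data()
    r2, kept = step_down(X, y, make_folds(len(y), 10, seed=1))
    print(f"best 10-fold R^2 = {r2:.3f} with predictors {kept}")
```

Because the score is computed only on held-out folds, predictors that merely fit noise in the training cases lower it, which is what lets the step-down loop stop at a smaller model.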
As the final step, we ran a cross-validated five-component model. The results were interpreted
in the same way as other regressions: each predictor coefficient determined impact on CCM.
Coefficients may not have been directionally consistent with correlations; this is because
some of the predictor variables in the model help explain otherwise unexplainable variance in
other predictor variables, as opposed to directly predicting CCM. These types of variables are
commonly known as suppressor variables, since they suppress otherwise inherent error in some
of the predictor variables included in the model, and help to improve overall model accuracy. As
a result, the accuracy of the model lies in the overall prediction in aggregate, and not the direct
relationship with any specific indicator.
Appendix B: Data Sources
| Indicator | Correlation with CCM | Description | Year | Source |
|---|---|---|---|---|
| 7 Year Growth | 0 | 5-year average GDP per capita growth (% annual) | 2008 | World Development Indicators |
| Broadband Penetration | -0.6 | Fixed broadband connections per 100 people | 2010 | International Telecommunication Union |
| Computers per Capita | -0.6 | Percentage of households who own a personal computer | 2010 | Euromonitor International |
| GDP per Capita | -0.3 | Gross domestic product per capita, current prices | 2011 | International Monetary Fund |
| Government Type | -0.4 | The extent to which a society is autocratic or democratic | 2008 | Polity IV |
| Gross Income per Capita | -0.5 | Income before taxes from all sources | 2010 | Euromonitor International |
| Health Expenditure per Person | -0.6 | Health expenditures per Capita with external aid | 2006 | World Health Organization |
| Hi-Tech Exports | -0.3 | High-tech exports as a percentage of manufactured exports | 2008 | World Development Indicators |
| ICT Exports | -0.2 | Information and communication technology exports as a percentage of total goods exports | 2008 | World Development Indicators |
| Market Size | -0.6 | Domestic consumption plus country exports minus country imports | 2008 | World Development Indicators |
| Productivity | -0.4 | Refers to labor productivity, output of goods and services in the economy per employed person | 2010 | Euromonitor International |
| Regime Stability | -0.4 | The number of years since the most recent regime change | 2008 | Polity IV |
| School Learning Age | -0.4 | Refers to the leaving age of compulsory education | 2010 | Euromonitor International |
| Secure Net Servers | -0.5 | Secure Internet servers per million people | 2008 | World Development Indicators |
| Telecom Expenditures | -0.3 | Consumer expenditure on telecommunications services | 2010 | Euromonitor International |
| Use of Mobile Devices | -0.3 | Cellular devices per 100 people | 2008 | World Development Indicators |
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT.
This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change
without notice. You bear the risk of using it.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.