Nextgov on how a DHS group wants homeland security to share a cyber incident database with the private sector to increase the value of such a system (emphasis added):
A cyber repository, according to the white paper, would share information between sectors “about the financial and operational impacts of cyber events, the effectiveness of existing cyber risk controls in addressing them and the new kinds of products and services that cybersecurity solutions providers should develop.”
DHS’ National Protection and Programs Directorate established the “Cyber Incident Data and Analysis Working Group” to determine the value of such a repository and how to incentivize participation in the repository, among other logistical details. The group includes chief information security officers, academic experts and cyber professionals. Their opinions are outlined in the white paper.
Other potential benefits of a cyber repository include helping companies assess how their cyber precautions measure up to their peers, which could “help propel internal discussions about an organization’s cyber risk.”
Several working group participants “asserted that if a company discovers that it falls in the bottom 50 percent as compared to its peers when it comes to cyber risk preparedness, that knowledge could motivate the company to increase its cybersecurity budget and related mitigation efforts,” according to the paper. But some claimed “that they have only limited knowledge about what their peers are doing regarding the implementation of cyber risk controls, their scope, and how those controls fit within overall cybersecurity strategies.”
A repository could also help groups in different industries share information about potential future threats, according to DHS.
The key is how motivation plays into the psychology of a system like the one proposed. If a company perceives that its counterparts view it as not doing enough, that peer pressure will likely push it to strengthen its capabilities, in turn improving the overall posture of the industry and government.
This is absolutely a good thing. But will it work?