
Mukul Pareek, a colleague at a market maker bank, and I have run the Index of Cyber Security for five years. This article is a kind of compendium of what the Index has shown over those five years, but before I get to that I will discuss how we got to where we are.
The only purpose that makes security metrics worthy of pursuit is that of decision support, where the question being studied is more one of trajectory than of exactly measured position. None of the indices I’ll discuss are attempts at science, although those who are in science (or philosophy) will also want measurement of some sort to backstop their theorizing. We are in this because the scale of the task compared to the scale of our tools demands force multiplication—no game play improves without a way to keep score.