Cybersecurity Metrics. Hurricane Winds and Floodplains

You may have noticed that I like to draw analogies between cybersecurity and other fields. I happen to think that there is a lot to learn from such comparisons.

Hurricane Florence, which brought feet of rainfall and catastrophic flooding to North and South Carolina during September 2018, made landfall as a Category 1 hurricane, having weakened from a Category 4. Some of those in the path of the hurricane relaxed, presuming that the weaker winds would not be so serious, and were then devastated by the storm surge and by flooding from unprecedented rainfall.

In the AP News article of September 19, 2018 by Seth Borenstein and Allen G. Breed with the title “Hurricane rating system fails to account for deadly rain,” available at , it is suggested that the traditional measure of hurricanes, namely the Saffir-Simpson Hurricane Wind Scale, is inadequate and that storm surges and rainfall should be included in the metrics. As recent experience has shown, the impact of the latter can overshadow the effect of wind. The costs of the storm include tangible property and business losses as well as the immeasurable pain and suffering of victims.

The article quotes Susan Cutter, the director of the Hazards and Vulnerability Research Institute at the University of South Carolina, who said that “the hurricane center and National Weather Service have not done a good job at communicating the risks associated with tropical systems beyond winds,” and that “[o]ne reason … is that it’s much harder to explain all the other fact[ors]. Wind is easy.”

According to the article, the National Oceanic and Atmospheric Administration, represented by Bill Lapenta, director of NOAA’s National Centers for Environmental Prediction, which includes the hurricane center, claims that it already warns of major flooding events four or five days in advance. However, those warnings don’t appear to have sufficient impact.

Another issue is that models of flood plains are hopelessly wrong … by approximately three times according to research by the University of Bristol, described in a ScienceDaily article “Flood risk from American rivers is greatly underestimated.” dated February 28, 2018, and available at

If you ask me, I would include value losses and uncertainty in hurricane metrics, as I described for security metrics in my article in the November 2008 ISACA Journal, “Accounting for value and uncertainty in security metrics.” After all, the damage from flooding and storm surges can be, and often is, orders of magnitude greater than wind damage. Consider the cost of fixing a roof torn off by the wind versus that of restoring a home after it has been flooded with 5 or more feet of polluted and/or salt water.

A comparison with security metrics is both instructive and disconcerting. Direct losses incurred by an organization from a data breach are one aspect, but the misery of recovering from identity theft and fraudulent activity in your name may be many times greater than the pure financial losses. Also, traditional assessments of vulnerability to cyberattacks may fall far short of the real weaknesses in ever-more-complex interconnected and interoperable systems. As with Susan Cutter’s assessment of hurricane metrics, the security metrics in common use are the easy-to-measure ones, such as the number of attacks detected and the number of systems patched per month.

Furthermore, not only do vulnerability assessments greatly underestimate true weakness levels, but the number of actual attacks is much greater than the number reported, possibly by orders of magnitude.
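As an added illustration (not from this post, and not the method of the ISACA article it cites), the following Python script contrasts a count metric, the "wind speed" of security reporting, with an expected-loss metric that carries both value and uncertainty. The incident categories, their observed rates, the lognormal per-event loss parameters and the 10x under-reporting factor are all constructed assumptions chosen for the demonstration; the point is that the category seen most often need not be the one that costs the most, and that a single number hides how uncertain the rare, expensive category really is.

```python
"""Count-based versus value-and-uncertainty security metrics.

Added example: all incident data, loss parameters and the under-reporting
factor are constructed assumptions, not figures from the post or its sources.
"""
import math
import random
import statistics

# Constructed sample: events observed per year, plus an assumed lognormal
# per-event loss model given as (median loss in dollars, sigma of log-loss).
INCIDENTS = {
    "phishing_click": {"observed": 120, "median_loss": 500.0, "sigma": 0.8},
    "lost_laptop": {"observed": 15, "median_loss": 5_000.0, "sigma": 0.7},
    "db_breach": {"observed": 1, "median_loss": 800_000.0, "sigma": 1.2},
}

# Assumed ratio of actual to reported events. The post argues it may be
# orders of magnitude; 10x is a deliberately modest placeholder.
UNDERREPORT_FACTOR = 10.0


def rank_by_count(incidents):
    """The easy metric: categories ordered by how often they were observed."""
    return sorted(incidents, key=lambda k: incidents[k]["observed"], reverse=True)


def expected_annual_loss(rate, median_loss, sigma):
    """Closed-form expected loss: rate * lognormal mean, exp(mu + sigma^2 / 2)."""
    mu = math.log(median_loss)
    return rate * math.exp(mu + sigma ** 2 / 2)


def rank_by_expected_loss(incidents, underreport=1.0):
    """The value metric: categories ordered by expected annual loss, with the
    observed rate scaled by an under-reporting factor. Returns (order, losses)."""
    eal = {
        name: expected_annual_loss(
            spec["observed"] * underreport, spec["median_loss"], spec["sigma"]
        )
        for name, spec in incidents.items()
    }
    return sorted(eal, key=eal.get, reverse=True), eal


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def loss_interval(spec, trials=2000, seed=7):
    """Monte Carlo annual loss: Poisson event count times lognormal per-event
    losses. Returns (p05, p50, p95) so the uncertainty is reported, not hidden."""
    rng = random.Random(seed)
    mu = math.log(spec["median_loss"])
    totals = []
    for _ in range(trials):
        n = _poisson(rng, spec["observed"])
        totals.append(sum(rng.lognormvariate(mu, spec["sigma"]) for _ in range(n)))
    cuts = statistics.quantiles(totals, n=20)  # 19 cut points: 5%, 10%, ..., 95%
    return cuts[0], cuts[9], cuts[18]


def report(incidents=INCIDENTS, underreport=UNDERREPORT_FACTOR):
    """Print both rankings side by side with a 90% interval for each category."""
    by_loss, eal = rank_by_expected_loss(incidents, underreport)
    print("By count:        ", rank_by_count(incidents))
    print("By expected loss:", by_loss, f"(x{underreport:g} under-reporting)")
    for name in by_loss:
        lo, mid, hi = loss_interval(incidents[name])
        print(f"{name:15s} EAL ${eal[name]:>12,.0f}  "
              f"reported-rate 90% interval: ${lo:,.0f} .. ${mid:,.0f} .. ${hi:,.0f}")


if __name__ == "__main__":
    report()
```

With these assumed numbers the count ranking and the loss ranking are exact opposites: phishing clicks dominate the counts, while the single database breach dominates expected loss. Scaling every rate by the same under-reporting factor multiplies all expected losses but leaves the ranking alone; what changes the ranking is attaching a value to each event, and what the interval adds is an honest statement that the rare category's 5th percentile is zero while its 95th percentile is several times its expected value.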

So, we have the double whammy of inadequate security metrics and underestimated vulnerabilities. Let us learn from the failure of hurricane metrics to describe fully the impact of such storms and the far greater exposure to floods and surges than originally estimated. And let us apply these lessons to cybersecurity risk management.
