Cyber hygiene: the term that is evoked whenever there is a threat to our infrastructurea ransomware attack, or any data breach. It appears to be that elusive thing users never seem to have enough.

But how does one get this cyber hygiene? Better yet, do we even know what it means? Or how much of it we need?

Photo by freestocks

I searched wide for the answer and was surprised to find no answer. In fact, I ended up with far more questions.

Because although the term appears thousands of times on various webpages, usually followed by some avowed best practice suggestions on what users should or shouldn’t  do online, none explain where these suggestions came from or whether doing what was suggested actually helps.

Besides, there exists no measurements for any of this. So how does one know they lack cyber hygiene? Or where they lack it? Or if they ever achieved it?

Cyber hygiene seems like that ever elusive elixir every security expert doles out: Everyone needs to have some of it, but no one can ever have it.

I am also to blame for some of this. In early 2015, in the aftermath of the infamous Sony Picture breach, I was searching for a term that could capture what users needed to do to prevent social engineering attacks. I wasn’t satisfied with terms like “human factors” because they signified a field of study–not what an user should be doing to help protect the enterprise from being breached.

My search led to a speech by Homeland Security Secretary Janet Napolitano who, almost two years earlier, had used the term in the context of developing better user habits. I thought it was perfect. I used it in my press piece and in media interviews. The term caught on.

On the one hand it achieved my goal–drawing attention to what users had to do, but on the other, it helped cloak the problem. Soon the lack of Cyber Hygiene became the catch-all term used to blame anyone who didn’t do something–usually something that was defined after a successful breach.

Feeling responsible, I set about developing a quantitative metric for measuring cyber hygiene. My goal was to define what we meant by user cyber hygiene (and what we didn’t), identify the underlying parts of it, and create a self-report questionnaire for measuring it–so we can we tell who has it, who lacks it, what they lack, and by how much.. Among those helping me were CISOs, technologists, graduate students, and team of top notch researchers from Singapore.

Over the course of a year and a half, I conducted a series of research studies beginning with interviews of CISOs, security experts, students, and industry professionals, followed by surveys of students, CISOs, employees of a federal government agency, and general Internet users. At each stage, the survey tool, which began at around 80-100 questions, was tested, refined, reduced, and retested. It was also put through various quantitative tests, from multi-dimensional scaling (MDS) and cluster analysis to confirmatory factor analysis and various validity checks.

The final outcome of all this was a 20-question Cyber Hygiene Inventory (CHI)© that quantitatively assesses user cyber hygiene across five dimensions. The dimensions, uncovered through the analytical approach, fit the acronym SAFETY. Here the S signifies Storage and Device Hygiene, A stands for Authentication and Credential, F for Facebook and Social Media, E for Email and Messaging, T for Transmission and Y–is the reference to You or the user.

The overall scale nets a possible CHI range of 0-100, with higher numbers indicating better cyber hygiene. The CHI score provides an instant snapshot of how much cyber hygiene each user possesses. Dig deeper and you get a breakdown of their cyber hygiene within each of the five categories, helping pinpoint where the user is lacking and where improvements are necessary. Furthermore, by comparing CHI across users or groups and you get to know exactly how well an employee or group is actually doing in their cyber hygiene levels relative to others in an organization (or across an entire region or sector).

The CHI has enormous potential–from providing quantitative insights into cyber hygiene levels to helping pinpoint what is lacking, where, and by how much. For organizations with a defined cyber risk assessment program (such as those implementing the NIST Cybersecurity Framework), the CHI helps develop a more accurate user risk profile, so they can better align their resources and implement pointed interventions that improve their overall risk posture. For other organizations, the CHI provides a benchmark understanding of where they stand–a first step towards developing a user risk profile.

Now rather than blaming everyone and asking them to get cyber hygiene, or worse yet, saying cyber hygiene has been achieved because someone passed a phishing penetration test, we can know exactly how much cyber hygiene users actually possess and what they need to work on–so as to improve their own and the organization’s overall cyber resilience.

You can read more about the CHI by clicking here: LINK

© Arun Vishwanath, 2019

*A version of this post appeared here.