Armed With Analytics to Fight Cyberrisk
- by Matthew Brodsky
Neill Feather WG08 is an admitted pack rat, so when he was in need of a solution involving massive data sets with millions of points about cybersecurity and online consumer behavior and he scanned his office for solutions, his eyes came across textbooks that he had from his time as a student in Wharton’s MBA for Executives Program. Those books’ bindings had the names of his former professor, Richard Paul Waterman.
“I was looking for someone who would be able to solve the problem from a math and statistics perspective and, more importantly, put it in the context of the technical problem and the business problem that we’re trying to solve,” says Feather, who is president of cybersecurity solutions provider SiteLock, about his quest to uncover website qualities that can help predict vulnerability.
Feather had kept in touch with Waterman since graduation, and when he contacted the Wharton practice professor, Waterman brought in Statistics Department faculty member Robert Stine.
Namely, the goals of the research were to be able to:
• Categorize software components on a website by their weaknesses.
• Predict the likelihood of website compromise based on the makeup of a site.
• Know which predictive measures could best block future attacks based on a site’s components.
Waterman and Stine proved capable of all of the above, producing analysis of SiteLock’s data that was relevant to the 5 million businesses whose websites are protected by SiteLock technology and passed the “sniff test” of SiteLock engineers and Feather’s other internal stakeholders. Feather appreciated the opportunity, too, to get opinions from people outside of the cybersecurity industry who could attack the problem with an unjaded, objective and academic approach.
The professors’ end result is a white paper that SiteLock is marketing, as well as a model that can assign a risk score to a website, based on data for a few hundred attributes, such as content management systems or number of web pages. The model produces an overall depiction of what is driving the risk, Feather says, and doesn’t focus on any one component. The result is an understanding of cyberrisk that may disturb owners of large websites.
One key finding that didn’t surprise Feather and team: The more complex a website, the more “attack surface” it provides for malignant actors and code. In other words, rich, large and interactive websites are more vulnerable.
Another key finding that was a surprise: Popularity also “penalizes” a website. “What we were surprised about was how far down that effect does go.” The risk is incremental for websites with ranks even in the hundreds of thousands or millions.
This popularity effect attracts hackers to a given piece of website software. WordPress, for instance, is not inherently less secure. Hackers target it because many websites are based in WordPress. Digital villains are following opportunity, just as hackers for time immemorial targeted PCs over Macintosh computers because of market share.
Stay tuned for more findings. Feather and company are in the process of revising the model to add another hundred or two website attributes, as well as data on the industries of parent companies. After all, it’s safe to assume that a website like Ashley Madison has a higher risk than, say, a retail tire shop’s site.
Feather plans to offer the anonymized data to professors Waterman and Stine so that they can use it in their classes.