There are two strategic and longstanding questions about cyber risk that organizations largely have been unable to answer: What is an organization's estimated risk exposure, and how does its security compare with peers? Answering both requires industry-wide data on security posture, incidents, and losses that, until recently, have been too sensitive for organizations to share. Now, privacy-enhancing technologies (PETs) such as cryptographic computing can enable the secure computation of aggregate cyber risk metrics from a peer group of organizations while leaving sensitive input data undisclosed. As these new aggregate data become available, analysts need ways to integrate them into cyber risk models that can produce more reliable risk assessments and allow comparison to a peer group. This paper proposes a new framework for benchmarking cyber posture against peers and estimating cyber risk within specific economic sectors using the new variables emerging from secure computations. We introduce a new top-line variable called the Defense Gap Index, representing the weighted security gap between an organization and its peers, that can be used to forecast an organization's own security risk based on historical industry data. We apply this approach in a specific sector using data collected from 25 large firms, in partnership with an industry ISAO, to build an industry risk model and provide tools back to participants to estimate their own risk exposure and privately compare their security posture with their peers.
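To make the two ideas in the abstract concrete, the following is an added illustration, not code from the paper or its authors. It simulates one PET the abstract only names generically, additive secret sharing for a secure sum, so that a peer group's per-control totals are computed without any party seeing another's input, and then derives a gap index from those totals. The control names, scores, weights, and the index formula (weighted sum of each control's shortfall below the mean of the other participants, with surpluses counting as zero) are all constructed assumptions for the example; the paper's actual weighting and data are not on this page.

```python
import random

PRIME = 2**61 - 1   # field modulus for additive secret sharing
SCALE = 1000        # fixed-point scale: a score of 0.857 becomes 857
_RNG = random.SystemRandom()

# Constructed sample data (not from the paper): each organization's
# self-assessed coverage in [0, 1] for three hypothetical controls.
PEERS = {
    "org_a": {"mfa_coverage": 0.90, "patch_sla": 0.70, "backup_tests": 0.50},
    "org_b": {"mfa_coverage": 0.60, "patch_sla": 0.80, "backup_tests": 0.40},
    "org_c": {"mfa_coverage": 0.95, "patch_sla": 0.60, "backup_tests": 0.80},
    "org_d": {"mfa_coverage": 0.75, "patch_sla": 0.90, "backup_tests": 0.70},
}
# Assumed control weights for the illustrative index; they sum to 1.
WEIGHTS = {"mfa_coverage": 0.5, "patch_sla": 0.3, "backup_tests": 0.2}


def split_secret(value, n, rng=None):
    """Split an integer into n additive shares that sum to value mod PRIME.
    Any n-1 of the shares are uniformly random and reveal nothing about value."""
    rng = rng or _RNG
    shares = [rng.randrange(PRIME) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def secure_sum(values, rng=None):
    """Simulate a secure sum across len(values) parties.
    Party i sends share j of its value to party j; each party publishes only
    the sum of the shares it received. Those partial sums are each uniformly
    random on their own, yet they add up to the true total."""
    n = len(values)
    received = [[] for _ in range(n)]   # received[j]: shares delivered to party j
    for value in values:
        for j, share in enumerate(split_secret(value, n, rng)):
            received[j].append(share)
    partial_sums = [sum(column) % PRIME for column in received]
    return sum(partial_sums) % PRIME


def aggregate_controls(peers, rng=None):
    """Securely compute the fixed-point total of every control across the peer group."""
    controls = next(iter(peers.values())).keys()
    return {
        c: secure_sum([round(p[c] * SCALE) for p in peers.values()], rng)
        for c in controls
    }


def defense_gap_index(own, totals, n_participants, weights):
    """Assumed illustrative index: weighted sum of how far each of the
    organization's controls falls below the mean of the OTHER participants.
    The organization knows its own input, so it can remove it from the
    aggregate total; a control above the peer mean contributes zero."""
    dgi = 0.0
    for control, weight in weights.items():
        own_fixed = round(own[control] * SCALE)
        others_mean = (totals[control] - own_fixed) / (n_participants - 1) / SCALE
        dgi += weight * max(0.0, others_mean - own[control])
    return dgi


def run_benchmark(org_name, peers=PEERS, weights=WEIGHTS, seed=7):
    """Run the secure aggregation, then score one participant against its peers."""
    totals = aggregate_controls(peers, random.Random(seed))
    return defense_gap_index(peers[org_name], totals, len(peers), weights)


if __name__ == "__main__":
    for org in PEERS:
        print(f"{org}: gap index = {run_benchmark(org):.4f}")
```

Because every party publishes only a sum of random-looking shares, the aggregate total is the sole value that leaves the protocol; each participant then subtracts its own contribution locally to obtain the peer-only mean it benchmarks against. In a real deployment the share exchange would run over authenticated channels between the ISAO's participants rather than inside one process, and the aggregate would need a minimum group size so that the total does not trivially reveal an individual input.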