Municipalities are vulnerable to cyberattacks with devastating consequences, yet they lack the key information needed to evaluate their own risk and to compare their security posture with that of their peers. Using data on security posture, incidents, security control failures, and losses from 83 municipalities, collected via a cryptographically secure computation platform, we build data-driven cyber risk models and cybersecurity benchmarks for municipalities. We produce four outputs: a benchmark of the security posture in the sector, the frequency of cyber incidents, forecasted annual losses for organizations based on their defensive posture, and a weighting of cyber controls based on their individual failure rates and associated losses. Combined, these four items can guide cyber policymaking by quantifying the cyber risk in a sector, identifying gaps that need to be addressed, prioritizing policy interventions, and tracking the progress of those interventions over time. In the case of the municipalities, these newly derived risk measures highlight the need for continuous, measured improvement of cybersecurity readiness and show clear areas of weakness and strength. They also give governments some early targets for policy focus, such as security education and incident response, and suggest directing effort first to the municipalities at the lowest security levels, where the risk reduction per security dollar invested is highest.