Municipalities are vulnerable to cyberattacks with devastating consequences, yet they lack the key information needed to evaluate their own risk and to compare their security posture with that of their peers. Using data on security posture, incidents, security control failures, and losses from 83 municipalities, collected via a cryptographically secure computation platform, we build data-driven cyber risk models and cybersecurity benchmarks for municipalities. We produce four outputs: a benchmark of security posture across the sector, the frequency of cyber incidents, forecast annual losses for organizations based on their defensive posture, and a weighting of cyber controls based on their individual failure rates and associated losses. Together, these four items can guide cyber policymaking by quantifying the cyber risk in a sector, identifying gaps that need to be addressed, prioritizing policy interventions, and tracking the progress of those interventions over time. For the municipalities studied, these newly derived risk measures highlight the need for continuous, measured improvement of cybersecurity readiness, show clear areas of weakness and strength, and give governments early targets for policy focus: security education, incident response, and directing effort first to the municipalities at the lowest security levels, where the risk reduction per security dollar invested is highest.