Graduate Research and Thesis around Security Forecasting
Summary: Hi Everyone! I'm working on completing my masters and to do that I'm soliciting my security friends to help with their participation. My thesis is around analyzing data on the variance of how we all forecast security events and the confidence we have in our forecast. I'll be asking friends that work in both infosec and technology to participate.
If you've never participated in forecasting before, this is a great video to watch: https://www.youtube.com/watch?v=0TNCYVrm8aM
As far as the ask and the methodology. Once a week I will release 1 new question to forecast to 100+ friends.
The goal of these questions was to determine if there was any variance between security participants as well as variance compared to technical participants. In many cases I'm trying to analyze if there is variance also between security practioners of different backgrounds.
In this survey, I asked additional questions so you as participants could help me breakdown if there is a variance in background not only in security but between practioner vs strategic. Participants were asked of their background between strategic (1) and practioner (5), I grouped groups 1-2 together and grops 3-5 together. I also asked participants of their security background 1-5 where 5 indicates you do security for your day-job. I grouped anyone in group 4 and 5 into a non-security group (3rd graph).
How many years until the general public learns of an instance of a processor side-channel attack (e.g., Spector/Meltdown, Zombieload, etc) that was leveraged by a blackhat attacker against cloud infrastructure (i.e. AWS, GCP, Microsoft Azure) of a public company to perform a VM escape or attack shared virtualization resources?
Strategic Security Participants
Practinioner Security Participants
Non-Security Participants
The goal of these questions was to determine if there was any variance between security participants as well as variance compared to technical participants. In many cases I'm trying to analyze if there is variance also between security practioners of different backgrounds.
How many total GDPR Fines / Penalties for data breaches in f500 companies will be issued in 2020?
Variance of Forecasted Answers (Technical Practitioners):
The goal of these questions was to determine if there was any variance between security participants as well as variance compared to technical participants. In many cases I'm trying to analyze if there is variance also between security practioners of different backgrounds.
For these questions two things were asked. 1) a specific numerical forecast and 2) an interval e.g. x-y that allowed the participant to choose an interval range where they felt 70% confident the correct answer would be. You'll see I graphed the forecasted number, and for the interval range I graphed'd the interval size e.g. 100-500 would be an interval size of 400. The thought of graphing this number was that the larger the number, the wider allowance a range the participant felt confortable forecasting with a 70% confidence.
Question: How many in the wild zero-day exploits for a Microsoft product will be publicly discovered in Q4 2020 (October, November, December)?Note:(Forecast an exact number e.g. x, where x is a whole number)(Forecast a range e.g. y-z, where you have 70% confidence that the correct answer will fall within your forecasted range not the format of your answer should be two whole numbers signifying a range e.g. y-z)
Variance of Forecasted Answers (Security Practitioners):
Variance of Forecasted Answers (Technical Practitioners):
The goal of these questions was to determine if there was any variance between security participants as well as variance compared to technical participants.
For these questions two things were asked. 1) a specific numerical forecast and 2) an interval e.g. x-y that allowed the participant to choose an interval range where they felt 70% confident the correct answer would be. You'll see I graphed the forecasted number, and for the interval range I graphed'd the interval size e.g. 100-500 would be an interval size of 400. The thought of graphing this number was that the larger the number, the wider allowance a range the participant felt confortable forecasting with a 70% confidence.
Question A: By the end of 2020, How many Cybersecurity Series A investment deals will there be?
Variance of Forecasted Answers (Security Practitioners):
Variance of Forecasted Answers (Technical Practitioners):
Variance of Interval Size (w/ 70% Confidence) (Security Practitioners):
Variance of Interval Size (w/ 70% Confidence) (Technical Practitioners):
Question B: By the end of 2020, What will be the largest public single payout by a Bug Bounty Program?
Variance of Forecasted Answers (Security Practitioners):
Variance of Forecasted Answers (Technical Practitioners):
Variance of Interval Size (w/ 70% Confidence) (Security Practitioners):
Variance of Interval Size (w/ 70% Confidence) (Technical Practitioners):
Question A: In the next 12 months, which of the Fortune 100 companies will have a new public data breach mentioned in the New York Times first? (Note: Refer to the Fortune 100 list as of May 25th, 2020) (2nd Note: Digital or Print Edition)?
Variance of Forecasted Answers:
Variance of Confidence:
Question B: For the future date of January 1st, 2021, what will be the largest number of individuals notified by a single company/entity documented in the Department of Health and Human Services (HHS) breach portal?
Variance of Forecasted Answers:
Variance of Confidence:
===
Question A: How many unique CVEs will be in the June 2020 Google Android Operating System public security bulletin?
Variance of Forecasted Answers:
Variance of Confidence:
Question B: What will the average enterprise ransomware payment be in Q3 of 2020?
Variance of Forecasted Answers:
Variance of Confidence:
