Skip to main content Scroll Top
NEWS
NEWS
NEWS

Workshop on 11/20/2025: Measuring Cybersecurity Through End-User Harm

In November, the Ostrom Workshop Cyber Public Health Working Group hosted a workshop titled “Measuring Cybersecurity Through End-User Harm” led by Michael Hicks.
 
About the Talk

Has the state of cybersecurity improved, declined, or stayed the same? To answer, we need a reliable way to measure “the state of cybersecurity” and assess how it has changed over time. Some current measures include counts of vulnerability (e.g., CVE) reports and/or exploitations (as done by MITRE and Google Project Zero), counts of data breaches (as done by Verizon), and operational costs and revenue losses to companies due to cyber incidents (as estimated by affected companies). In this talk, I propose another measure: harms experienced by end users. End-user harms relate to business-centered measures like those above, but provide essential context about their severity. As an analogy, the Bureau of Labor Statistics surveys both employers and employees because these sources may tell different stories; business and end-user reports about cybersecurity harms may do likewise. A key challenge is how to collect the data. Surveys, device monitors (such as part of security software deployments), and local population studies may be options. 

About the Speaker

Michael Hicks is the Cecilia Fitler Moore Professor in the Computer and Information Science Department at the University of Pennsylvania, and the Director of its Schlein Center for Cybersecurity. From 2022-2025 he was a Senior Principal Scientist at Amazon Web Services, where he co-led scientific development of the Cedar authorization policy language. From 2002-2022 he was a Professor at the University of Maryland. He was the first Director of the University of Maryland’s Cybersecurity Center (MC2). His research has focused on ways to improve software’s security, availability, and reliability, often by leveraging programming language-based techniques. He has also carried out several projects studying the empirical foundations of software security practices. Learn more about his work at https://mhicks.me. 

 
We hope you can join us for future workshops!
 

To join the working group, to be notified of upcoming workshops, and to learn more about our ongoing research, please sign up for the mailing list.

For more details about the working group, click here.

Back

PRIVACY POLICY

CyberGreen (“us”, “we”, or “our”) operates the CyberGreen website (the “Website Service”).

This page informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Website Service.

We will not use or share your information with anyone except as described in this Privacy Policy.

We use your Personal Information for providing and improving the Website Service. By using the Website Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Use, accessible at https://www.cybergreen.net.

MANUAL INFORMATION COLLECTION AND USE

While using our Website Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information (“Personal Information”) may include, but is not limited to:

  • Name
  • Email address
  • Affiliation
  • Internet Protocol (“IP”) address/range (if requesting opt out from CyberGreen scans)

BROWSER INFORMATION (LOG DATA)

We collect information that your browser sends whenever you visit our Website Service (“Log Data”). This Log Data may include information such as your computer’s IP address, browser type, browser version, the pages of our Website Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.

API & DATA SERVICES LOGGING

When you interact with https://stats.cybergreen.net, including our API and data download services, we may log additional request details. This may include your IP address, requested URL, request method (e.g., GET, POST), response time, status code, and network metadata (such as ASN and approximate location based on IP address). This data helps us monitor performance, detect abuse, and improve our services.

COOKIES

Cookies are files with small amounts of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.

We use cookies to collect, store, and/or correlate information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Website Service.

SERVICE PROVIDERS

We may employ third-party companies and individuals to facilitate our Website Service, to provide the Website Service on our behalf, to perform Website Service-related services or to assist us in analyzing how our Website Service is used.

These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

SECURITY

The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

LINKS TO OTHER SITES

Our Website Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

CHILDREN’S PRIVACY

Our Website Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our servers immediately.

COMPLIANCE WITH GDPR

We do not publish personally identifiable information (PII) or other information that implicates third party privacy rights. CyberGreen is committed to being compliant with GDPR. Our compliance efforts have been certified by the Institute for Social Internet Public Policy (ISIPP).

COMPLIANCE WITH LAWS

We will disclose your Personal Information where required to do so by law or subpoena.

CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

CONTACT US

If you have any questions about this Privacy Policy, please contact us.

PRIVACY POLICY

CyberGreen (“us”, “we”, or “our”) operates the CyberGreen website (the “Website Service”).

This page informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Website Service.

We will not use or share your information with anyone except as described in this Privacy Policy.

We use your Personal Information for providing and improving the Website Service. By using the Website Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Use, accessible at https://www.cybergreen.net.

MANUAL INFORMATION COLLECTION AND USE

While using our Website Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information (“Personal Information”) may include, but is not limited to:

  • Name
  • Email address
  • Affiliation
  • Internet Protocol (“IP”) address/range (if requesting opt out from CyberGreen scans)

BROWSER INFORMATION (LOG DATA)

We collect information that your browser sends whenever you visit our Website Service (“Log Data”). This Log Data may include information such as your computer’s IP address, browser type, browser version, the pages of our Website Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.

API & DATA SERVICES LOGGING

When you interact with https://stats.cybergreen.net, including our API and data download services, we may log additional request details. This may include your IP address, requested URL, request method (e.g., GET, POST), response time, status code, and network metadata (such as ASN and approximate location based on IP address). This data helps us monitor performance, detect abuse, and improve our services.

COOKIES

Cookies are files with small amounts of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.

We use cookies to collect, store, and/or correlate information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Website Service.

SERVICE PROVIDERS

We may employ third-party companies and individuals to facilitate our Website Service, to provide the Website Service on our behalf, to perform Website Service-related services or to assist us in analyzing how our Website Service is used.

These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

SECURITY

The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

LINKS TO OTHER SITES

Our Website Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

CHILDREN’S PRIVACY

Our Website Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our servers immediately.

COMPLIANCE WITH GDPR

We do not publish personally identifiable information (PII) or other information that implicates third party privacy rights. CyberGreen is committed to being compliant with GDPR. Our compliance efforts have been certified by the Institute for Social Internet Public Policy (ISIPP).

COMPLIANCE WITH LAWS

We will disclose your Personal Information where required to do so by law or subpoena.

CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

CONTACT US

If you have any questions about this Privacy Policy, please contact us.

PRIVACY POLICY

CyberGreen (“us”, “we”, or “our”) operates the CyberGreen website (the “Website Service”).

This page informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Website Service.

We will not use or share your information with anyone except as described in this Privacy Policy.

We use your Personal Information for providing and improving the Website Service. By using the Website Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Use, accessible at https://www.cybergreen.net.

MANUAL INFORMATION COLLECTION AND USE

While using our Website Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information (“Personal Information”) may include, but is not limited to:

  • Name
  • Email address
  • Affiliation
  • Internet Protocol (“IP”) address/range (if requesting opt out from CyberGreen scans)

BROWSER INFORMATION (LOG DATA)

We collect information that your browser sends whenever you visit our Website Service (“Log Data”). This Log Data may include information such as your computer’s IP address, browser type, browser version, the pages of our Website Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.

API & DATA SERVICES LOGGING

When you interact with https://stats.cybergreen.net, including our API and data download services, we may log additional request details. This may include your IP address, requested URL, request method (e.g., GET, POST), response time, status code, and network metadata (such as ASN and approximate location based on IP address). This data helps us monitor performance, detect abuse, and improve our services.

COOKIES

Cookies are files with small amounts of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.

We use cookies to collect, store, and/or correlate information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Website Service.

SERVICE PROVIDERS

We may employ third-party companies and individuals to facilitate our Website Service, to provide the Website Service on our behalf, to perform Website Service-related services or to assist us in analyzing how our Website Service is used.

These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

SECURITY

The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

LINKS TO OTHER SITES

Our Website Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

CHILDREN’S PRIVACY

Our Website Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our servers immediately.

COMPLIANCE WITH GDPR

We do not publish personally identifiable information (PII) or other information that implicates third party privacy rights. CyberGreen is committed to being compliant with GDPR. Our compliance efforts have been certified by the Institute for Social Internet Public Policy (ISIPP).

COMPLIANCE WITH LAWS

We will disclose your Personal Information where required to do so by law or subpoena.

CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

CONTACT US

If you have any questions about this Privacy Policy, please contact us.

PRIVACY POLICY

CyberGreen (“us”, “we”, or “our”) operates the CyberGreen website (the “Website Service”).

This page informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Website Service.

We will not use or share your information with anyone except as described in this Privacy Policy.

We use your Personal Information for providing and improving the Website Service. By using the Website Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Use, accessible at https://www.cybergreen.net.

MANUAL INFORMATION COLLECTION AND USE

While using our Website Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information (“Personal Information”) may include, but is not limited to:

  • Name
  • Email address
  • Affiliation
  • Internet Protocol (“IP”) address/range (if requesting opt out from CyberGreen scans)

BROWSER INFORMATION (LOG DATA)

API & DATA SERVICES Logging

When you interact with https://stats.cybergreen.net, including our API and data download services, we may log additional request details. This may include your IP address, requested URL, request method (e.g., GET, POST), response time, status code, and network metadata (such as ASN and approximate location based on IP address). This data helps us monitor performance, detect abuse, and improve our services.

We collect information that your browser sends whenever you visit our Website Service (“Log Data”). This Log Data may include information such as your computer’s IP address, browser type, browser version, the pages of our Website Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.

COOKIES

Cookies are files with small amounts of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.

We use cookies to collect, store, and/or correlate information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Website Service.

SERVICE PROVIDERS

We may employ third-party companies and individuals to facilitate our Website Service, to provide the Website Service on our behalf, to perform Website Service-related services or to assist us in analyzing how our Website Service is used.

These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

SECURITY

The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

LINKS TO OTHER SITES

Our Website Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

CHILDREN’S PRIVACY

Our Website Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our servers immediately.

COMPLIANCE WITH GDPR

COMPLIANCE WITH LAWS

We do not publish personally identifiable information (PII) or other information that implicates third party privacy rights. CyberGreen is committed to being compliant with GDPR. Our compliance efforts have been certified by the Institute for Social Internet Public Policy (ISIPP).

We will disclose your Personal Information where required to do so by law or subpoena.

CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

CONTACT US

If you have any questions about this Privacy Policy, please contact us.

TERMS OF USE

The CyberGreen Institute (“CyberGreen”) Is a non-profit, charitable organization dedicated to the creation and dissemination of metrics measuring the Cyber health of networks along with related data, metrics, and analysis. We also assist network operators with the adoption of Cyber hygiene best practices and risk remediation. A big part of our mission is the collection, calculation, and public distribution of our CyberGreen Index. The CyberGreen Index and the other data that we publish on this website is released under the Affero General Public License (version 3) (the “License”). The use of License ensures that our data remains freely accessible and freely useable by members of the public. (In rare circumstances, we may use another license to distribute data, in which case the specific data set will not be available without a click-thru notice specifying the specific license that applies.)

We do ask that you cite us properly in any academic work as the source for anything that you take from this website. If you are a commercial firm and wish to incorporate our data into a commercial product, you must acknowledge CyberGreen as the source of the data that you used and provide your customers with a link to this website with simple instructions on how to find the data that you took from our site.

We do not publish personally identifiable information (PII) or other information that implicates third party privacy rights. CyberGreen is committed to being compliant with GDPR. Our compliance efforts have been certified by the Institute for Social Internet Public Policy (ISIPP).

TERMS OF USE

The CyberGreen Institute (“CyberGreen”) Is a non-profit, charitable organization dedicated to the creation and dissemination of metrics measuring the Cyber health of networks along with related data, metrics, and analysis. We also assist network operators with the adoption of Cyber hygiene best practices and risk remediation. A big part of our mission is the collection, calculation, and public distribution of our CyberGreen Index. The CyberGreen Index and the other data that we publish on this website is released under the Affero General Public License (version 3) (the “License”). The use of License ensures that our data remains freely accessible and freely useable by members of the public. (In rare circumstances, we may use another license to distribute data, in which case the specific data set will not be available without a click-thru notice specifying the specific license that applies.)

We do ask that you cite us properly in any academic work as the source for anything that you take from this website. If you are a commercial firm and wish to incorporate our data into a commercial product, you must acknowledge CyberGreen as the source of the data that you used and provide your customers with a link to this website with simple instructions on how to find the data that you took from our site.

We do not publish personally identifiable information (PII) or other information that implicates third party privacy rights. CyberGreen is committed to being compliant with GDPR. Our compliance efforts have been certified by the Institute for Social Internet Public Policy (ISIPP).

TERMS OF USE

The CyberGreen Institute (“CyberGreen”) Is a non-profit, charitable organization dedicated to the creation and dissemination of metrics measuring the Cyber health of networks along with related data, metrics, and analysis. We also assist network operators with the adoption of Cyber hygiene best practices and risk remediation. A big part of our mission is the collection, calculation, and public distribution of our CyberGreen Index. The CyberGreen Index and the other data that we publish on this website is released under the Affero General Public License (version 3) (the “License”). The use of License ensures that our data remains freely accessible and freely useable by members of the public. (In rare circumstances, we may use another license to distribute data, in which case the specific data set will not be available without a click-thru notice specifying the specific license that applies.)

We do ask that you cite us properly in any academic work as the source for anything that you take from this website. If you are a commercial firm and wish to incorporate our data into a commercial product, you must acknowledge CyberGreen as the source of the data that you used and provide your customers with a link to this website with simple instructions on how to find the data that you took from our site.

We do not publish personally identifiable information (PII) or other information that implicates third party privacy rights. CyberGreen is committed to being compliant with GDPR. Our compliance efforts have been certified by the Institute for Social Internet Public Policy (ISIPP).

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy Preferences.
Required
CyberGreen
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.