Smoking or non-smoking?
In some branches of insurance there are similar simple measures that enable the segregation of good risks from bad. Think of health insurance. A question such as “Are you a smoker or a non-smoker?” is an easy place to start. Of course, a more exhaustive questionnaire and some medical tests with blood work will provide a much more detailed assessment. But only a few simple questions will separate the sheep from the goats. This is the insurance equivalent of the peacock’s feathers.
So, the question for cyber is “Where are the peacock’s feathers?” The sad answer is that they are still evolving. There are some published technical standards, such as the NIST Cybersecurity Framework, the ISO 27000 series standards and the UK Government’s Cyber Essentials certification, which set out sensible guidelines. But it is still a fairly open question whether compliance with these guidelines substantially reduces cyber risk. After all, the very best companies still get hacked, and even the National Security Agency itself has suffered breaches (e.g. Snowden).