We interviewed Arastoo Taslim, Director of Business Operations for CyberGreen, about its mission to establish a science of Cyber Public Health dedicated to making the internet safer and more resilient for all, the sustainability issues they face, and how efforts like Common Good Cyber can help.
Can you introduce CyberGreen and explain how your work in “Cyber Public Health” contributes to a more secure global Internet ecosystem?
CyberGreen is a nonprofit focused on promoting a global, data-driven approach to reducing systemic cybersecurity risks. We coined the term “Cyber Public Health” (CPH) to reframe how we understand and respond to these risks, not solely as isolated incidents or threats to individual organizations, but as widespread, measurable conditions that negatively affect the stability and resilience of the entire internet ecosystem.
In a similar way to how public health relies on tracking and mitigating disease at the population level, CPH relies on measurement to address some of the most common and preventable sources of harm online. We spent almost five years developing our Internet Infrastructure Health Metrics Framework (IIHMF), which is a data collection and scoring system related to the security of internet infrastructure worldwide. This includes data on routing vulnerabilities, misconfigurations, outdated infrastructure, open services, and insecure protocols. These are digital equivalents of unvaccinated populations or unsanitary water supplies. While often overlooked, they underpin the severity and scale of some cyber incidents we see today.
Our work centers on producing and sharing global, infrastructure-level risk metrics. By publishing country-level and network-level scores for things like open services, we help policymakers, researchers, and defenders prioritize the “health interventions” most likely to reduce risk on a global scale.
To guide this work, we’ve also adapted the Cyber Belief Model (CBM) – a behavioral framework modeled on the Health Belief Model from public health – to better understand what drives action on cyber hygiene. The CBM helps explain why certain stakeholders adopt preventative security practices while others don’t, by focusing on factors like perceived susceptibility, perceived severity, and the availability of cues to act. Integrating this behavioral perspective helps ensure that our recommendations are both actionable and motivating.
What’s also lacking in today’s cybersecurity ecosystem is a way to track the effectiveness of interventions over time. Just as in public health, where vaccinations or sanitation measures are evaluated for impact, we believe cyber interventions (e.g., patching, protocol deprecations, or awareness campaigns) should be rigorously assessed. Without that feedback loop, we risk repeating ineffective strategies or misallocating resources. Our long-term vision is to fill that gap.
Ultimately, our goal is to help shape cybersecurity into a data-driven, evidence-based discipline which is guided not only by threat intelligence, but by measurable indicators of systemic risk and the demonstrated effectiveness of interventions.
CyberGreen works to gather a more comprehensive set of data and standardize it for researchers. How do you ensure your data and recommendations are accessible and actionable, especially for under-resourced governments or organizations?
Accessibility and actionability are core to our mission. We intentionally design our tools and reporting to serve users beyond the traditional cybersecurity industry (i.e. policymakers, regulators, and CERTs) who may not have large budgets or deep technical capacity.
We offer free access to our global, aggregated metrics for open services through our stats site, to analyze trends and conduct comparative analyses. In some cases, we also work directly with governments and other organizations to provide tailored assessments and policy briefings that highlight practical steps they can take.
In one instance, we worked with officials in ASEAN to track regional progress over 18 months using our IIHMF. These insights fed directly into ministerial meetings for multilateral coordination efforts across the region.
We also publish our methodologies so researchers can replicate or build on our work without needing to rely on proprietary tools.
How does CyberGreen collaborate with other organizations like national CERTs, ISPs, or NGOs to amplify impact without duplicating efforts?
Cyber hygiene and resilience require coordination and we foster an environment for collaboration, not competition. Our goal isn’t to replace what others are doing, but to fill critical gaps, particularly the measurement and framing of population-level risk.
We’ve partnered with national CERTs to translate our metrics into operational guidance or policy recommendations. We’ve also supported research collaborations with academic institutions and think tanks, where our standardized metrics provide a strong foundation for comparative studies or longitudinal research.
As a nonprofit tackling global issues of cyber hygiene and resilience, what are the most pressing funding or sustainability challenges you face?
The biggest challenge we face is a misalignment between the scope of the problem and the funding available to address it. While public health models in other domains might receive robust, long-term investment, cybersecurity funding remains largely reactive and threat-focused.
We’re trying to shift the conversation toward prevention and resilience, but that’s proven difficult to sustain under traditional grant cycles or short-term project funding. Foundations may want proof of impact within 12 months, while governments may fund us sporadically based on regional or ad-hoc priorities that could change at a moment’s notice.
Private sector funding has also been hard to come by, partly because we’re not offering a commercial service or product to enterprises. Instead, our work is closer to a global public good, like climate data or public health surveillance. While critical for long-term resilience, it’s harder to monetize in traditional ways.
The majority of our funding is tied to specific projects rather than unrestricted support. That makes it difficult to invest in the long-term capacity, staffing, and infrastructure needed to grow responsibly and respond quickly when new opportunities arise or cyber risks evolve.
This creates real instability, even though the need for our work is ongoing. We currently operate with a lean team and limited runway, which constrains our ability to expand partnerships or invest in more user-friendly tooling. Sustainable funding, whether through long-term grants or public-private investment, would allow us to provide more consistent support to communities that need it most, and to refine previous work like our IIHMF by building out a dynamic dashboard.
If CyberGreen’s work were interrupted or defunded, what gaps would it leave in the global effort to measure and mitigate cyber threats?
If CyberGreen were no longer operating, the world would lose one of the few independent, nonprofit efforts to systematically measure the health of internet infrastructure at scale.
The absence of these metrics would mean fewer early warning signs about where systemic vulnerabilities are growing, and fewer tools for both assessing network hygiene and measuring the effectiveness of intervention. Without CyberGreen’s work, public debates on cybersecurity would also risk becoming even more threat-centric and reactive, focusing on adversarial threats rather than widespread preventable conditions. That’s not to say we don’t value those efforts. In fact, we view our work as complementary to those existing frameworks, not as a replacement. By measuring and addressing baseline infrastructure risks, our goal is to strengthen the foundation on which all other cybersecurity efforts depend.
