The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded a total of $1,272,320 across two universities to develop new solutions to improve the capability of organizations to understand and improve their cybersecurity control investment decisions.
“Research in cyber risk economics is an important element in S&T’s cybersecurity portfolio,” said William N. Bryan, Senior Official Performing the Duties of the Under Secretary for Science and Technology. “S&T is working to improve cybersecurity practices—particularly in the areas of risk management and investment decision making—through improved models and metrics that will help organizations make informed acquisition and deployment decisions about cybersecurity products on the market today.”
The Cyber Risk Economics (CYRIE) project intends to improve the value-based decision-making of those who own, operate, protect and regulate the nation’s vital data assets and critical infrastructure. CYRIE research and development (R&D) supports empirically-based measurement, modeling and evaluation of:
- Investment into cybersecurity controls;
- Impact of investment on the probability, severity and consequences of actual risks;
- Value correlation between business performance measures and cybersecurity investments and impacts; and
- Incentives to optimize cybersecurity risk management.
The awards were made through the DHS S&T Long Range Broad Agency Announcement.
- University of California, San Diego was awarded $1,045,015 for a multi-year effort to develop threat intelligence tools and techniques for measuring the reliability and value of a threat intelligence source to an enterprise. The project will include four kinds of metrics—technical, comparative, operational and risk—to allow end-users to compare different threat intelligence products reliably, ultimately increasing transparency and incentivizing more effective controls within the threat intelligence marketplace.
- University of Illinois, Chicago was awarded $227,305 for a twelve-month effort to develop a cyberattack economic impact model, and a tool to automate data collection and analysis in order to provide near real-time estimates of cyberattack outcomes. The model and reference implementation will provide a standard baseline against which organizations can evaluate and quantify estimated economic impacts of cyberattacks for cybersecurity investment decision support.
“These additions to the CYRIE portfolio address capability gaps to help make cyber control investment decisions that decrease our exposure to risk,” said CYRIE Program Manager Erin Kenneally. “The threat intelligence metrics research will help organizations evaluate investments in threat intelligence products and services. The standard model for the cost of cybersecurity attacks research will provide organizations a baseline to evaluate potential cyberattack impacts in order to make sound investment decisions; something that is difficult today because of the absence of an open source, data-driven model for understanding and characterizing harms.”