Looking to Answer Cyber-Risk Questions

Tuesday, October 30, 2018 @ 07:10 PM gHale

When it comes to improving the cybersecurity posture of the nation’s critical infrastructure and vital data assets, there are questions that need to be answered before risk-management strategies can be developed and resources deployed.

Those questions are difficult to answer, so addressing them is the main focus of the Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Cyber Risk Economics (CYRIE) program. Launched in 2017, CYRIE seeks to embrace these challenges by funding applied research and development (R&D), knowledge products and interdisciplinary convening efforts.


These questions can be addressed along four broad dimensions:
1. Investment: How and why are cybersecurity investments made?
2. Impact: What impact do cybersecurity investments have on risk and harm?
3. Value: What is the relationship between cybersecurity risk and traditional business risk?
4. Incentives: What incentives are needed to encourage optimal cyber-risk management?

“Through its current and upcoming R&D programs, CYRIE is fostering data, measurements, models and metrics to help organizations understand the cyber risks they face, how to better invest in controls that reduce cyber risk exposure and manage harm when controls fail,” said CYRIE Program Manager Erin Kenneally. “We are also providing our government partners better knowledge of the tools available to them—making and enforcing policy and regulation, convening stakeholders, adopting technology and enabling R&D—to be used to reduce cyber risk exposure.”

CYRIE funds applied R&D and knowledge products, and gathers together stakeholders across government, industry and academia to discuss cyber risk economics capability gaps and needs.

Drawing on these stakeholder discussions, along with reviews of the scholarly cybersecurity economics research literature and authoritative U.S. federal government documents, DHS S&T developed the newly released Cyber Risk Economics Capability Gaps Research Strategy. The Research Strategy extends beyond the traditional economics view of cybersecurity incentives to consider business, legal, technical and behavioral factors impacting cyber risk.

“The strategy’s objective is to narrow the gap between research and practice by apprising the research community of real-world cyber risk economics challenges, and ultimately, to inform evidence-based policy and actions by industry and government,” said Kenneally.

Outlined in six themes encompassing 12 focus areas, the strategy will be used to drive the program’s future research to address the hardest cyber risk economics challenges, like:
• Quantification of risk
• Role of government, law and insurance
• Third party risk
• Organizational behavior and incentives
• Data collection and sharing
• Threat dynamics

“CYRIE’s goal is to improve value-based decision-making by those who own, operate, protect and regulate the nation’s vital data assets and critical infrastructure,” said Kenneally. “By employing a holistic approach to cyber risk economics research, CYRIE incorporates perspectives on cybersecurity-related decision-making and behavior from a number of social and behavioral sciences alongside more familiar risk economics, ultimately becoming effective in addressing strategy and tactics for optimal cyber-risk avoidance, acceptance, mitigation and transfer.”
