Cybersecurity is a multidimensional problem that demands multidisciplinary attention. The Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Cyber Risk Economics (CYRIE) project supports research into the business, legal, technical and behavioral aspects of the economics of cyber-threats, vulnerabilities and controls. CYRIE R&D emphasizes empirically based measurement, modeling and evaluation of:
- Investment into cybersecurity controls (technology, regulatory, and legal) by private-sector, government and private actors;
- Impact of investment on the probability, severity and consequences of actual risks and resulting cost and harm;
- Value of the correlation between business performance measures and evaluations of cybersecurity investments and impacts; and
- Incentives to optimize the investments, impacts and value basis of cyber-risk management.
In 2013, then-President Barack Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive 21, Critical Infrastructure Security and Resilience. Both are aimed at enhancing the capability of owners and operators of the nation’s critical infrastructure to protect against cyberattacks.
These policy documents gave DHS S&T a coordinating role in pursuing the cybersecurity objectives outlined in each document and directed the National Institute of Standards and Technology (NIST) to develop a voluntary framework owners and operators could use to improve their cybersecurity posture. DHS led an interagency working group focused on cyber economic incentives and with the Departments of Commerce and Treasury prepared an analysis of federal policy options for encouraging adoption of the NIST framework.
The working group and resulting analysis focused primarily on policy and incentives from a microeconomic-based view of marginal costs and benefits of adoption. While this analysis provided a solid start for the study of incentives in cybersecurity, a more holistic approach to research in the area of cyber-risk economics is clearly needed, one that incorporate perspectives on security decisions and behavior from a wide range of social and behavioral sciences.
The CYRIE project endeavors to improve the value-based decision-making of those who own, operate, protect and regulate the nation’s vital data assets and critical infrastructure. The project looks beyond the traditional economic-based view of incentives for cybersecurity—a view in which individuals are assumed to be rational actors who know how to maximize their well-being—and considers a broader array of factors that include business, legal and behavior economics. In this way, CYRIE R&D can more effectively address strategy and tactics for optimal cyber-risk avoidance, acceptance, mitigation and transfer.
CYRIE executes its vision along four related dimensions:
- Investment -- How and why cybersecurity investments are made.
- Impact -- What impact those investments have on risk and harm when controls are inadequate to protect against cyber-disruptions, including understanding the impact on information and functions as well as component and systemic consequences.
- Value -- What is the relationship between cybersecurity risk—both the anticipated risk that leads to specific levels and mix of investments in controls and realized risk as measured by incident impact evaluations—and conventional business performance and financial frameworks such as competitive advantage, return on investment and liability.
- Incentives -- What incentives are needed to encourage optimal cyber-risk management. Broad attention to incentives is essential given the shared nature of the cyber environment, the gap between the limited private costs and potentially vast social costs incurred following cybersecurity failures, and the negative externalities that result from this gap.
CYRIE aspires to enable data and models to help organizations understand the specific cyber-risks they face, how to invest across the range of controls available to mitigate these risks, and the size and scope of actual harm when controls fail. The project also will provide government entities better knowledge of how the tools available to them—making and enforcing policy and regulation, convening stakeholders, adopting technology and enabling R&D—can be used to reduce cyber-risk levels.
University of Tulsa: The Economics of Cybersecurity Research Data Sharing
This effort is studying data usage and production by researchers to construct a better picture of the value of and prospects for cybersecurity data-sharing. The effort will examine the published research literature to identify what data is being produced to understand the data that can be shared, how we are falling short, and ultimately recommend how sharing can be improved to enhance evidence-based policy and technology solutions. Additionally, the effort will analyze usage of the research data stewarded by CSD’s Information Marketplace for Policy and Analysis of Cyber-risk & Trust project to understand how existing datasets are being leveraged by others when shared. Last, the effort will empirically estimate the costs associated with data-sharing using information gathered by DHS.
University of Michigan: New Paradigm in Risk-Informed Cyber Insurance Policy Design
Cyber insurance is a method for transferring and mitigating cybersecurity risks and a potential incentive mechanism for internalizing the externalities of security investments. This effort will tackle some of the most significant challenges to cyber insurance. The technical approach consists of developing risk-informed insurance policies that are derived from theoretically-sound, yet practical algorithms. It also will addresses risk-aggregation via empirical and analytical studies aimed at extracting interdependencies and embedding this acquired understanding in the modeling of aggregated risk of a portfolio of insurance policies. The results are intended to make concrete progress toward a quantitative risk-assessment tool that is needed to effectively mitigate moral hazard for the insurance industry.
418 Intelligence: The Benchmarking Cyber Threat Controls Through Crowdsourcing
This effort will prototype and pilot a crowdsourced solution for the problems of understanding the real-world effectiveness and value of cybersecurity controls. It will develop a novel game-based forecasting prototype platform and user experience that will engage participants in competition and mastery of the latest developments in cybersecurity. This prototype will be backed up by anonymous information-sharing made safe by a data encryption technology designed to enforce complete control over the digital rights to information while in-motion and at-rest. The approach will engage stakeholders in an ongoing, risk-oriented, game experience where incentives based in a game economy. It will result in real benefits that will drive exchanging high-value information on cybersecurity controls that currently are opaque and stove-piped.
- Cyber Risk Economics Capability Gaps Research Strategy
- Federal Cybersecurity Research and Development Strategic Plan, February 2016 (PDF, 52 Pages, 950 KB)
- Internet Infrastructure Risk Economics Research Issue Brief
- SRI International Work on Cybereconomic Incentives for the Department of Homeland Security Science and Technology Directorate Cyber Security Division, January 31, 2015
- The National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014
- The Department of Homeland Security, Department of Homeland Security Integrated Task Force. Summary Report: Executive Order 13636: Improving Critical Infrastructure Cybersecurity, Incentives Study Analytic Report. June 12, 2013 (PDF, 4 Pages, 682 KB)
- The Department of Homeland Security, Department of Homeland Security Integrated Task Force, Analytic Report: Executive Order 13636 Cybersecurity Incentives Study (PDF, 69 pages, 1.22MB)
- The Department of Treasury. Treasury Department Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636. Undated (PDF, 25 Pages, 368 KB)
- The Department of Commerce. Discussion of Recommendations to The President On Incentives for Critical Infrastructure Owners and Operators to Join a Voluntary Cybersecurity Program (PDF, 32 Pages, 152 KB)