When it comes to improving the cybersecurity posture of the nation’s critical infrastructure and vital data assets, there are a host of questions that need to be answered before actionable cybersecurity risk-management strategies can be developed and resources deployed.
These questions can be addressed along four broad dimensions:
- Investment: How and why are cybersecurity investments made?
- Impact: What impact do cybersecurity investments have on risk and harm?
- Value: What is the relationship between cybersecurity risk and traditional business risk?
- Incentives: What incentives are needed to encourage optimal cyber-risk management?
Addressing these questions is the primary focus of the Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Cyber Risk Economics (CYRIE) program. Launched in 2017, CYRIE seeks to embrace these challenges by funding applied research and development (R&D), knowledge products and interdisciplinary convening efforts.
“Through its current and upcoming R&D programs, CYRIE is fostering data, measurements, models and metrics to help organizations understand the cyber risks they face, how to better invest in controls that reduce cyber risk exposure and manage harm when controls fail,” said CYRIE Program Manager Erin Kenneally. “We are also providing our government partners better knowledge of the tools available to them—making and enforcing policy and regulation, convening stakeholders, adopting technology and enabling R&D—to be used to reduce cyber risk exposure.”
CYRIE funds applied R&D and knowledge products, and gathers together stakeholders across government, industry and academia to discuss cyber risk economics capability gaps and needs. Drawing on these stakeholder discussions, along with reviews of the scholarly cybersecurity economics research literature and authoritative U.S. federal government documents, DHS S&T developed the newly released Cyber Risk Economics Capability Gaps Research Strategy. The Research Strategy extends beyond the traditional economics view of cybersecurity incentives to consider business, legal, technical and behavioral factors impacting cyber risk.
“The strategy’s objective is to narrow the gap between research and practice by apprising the research community of real-world cyber risk economics challenges, and ultimately, to inform evidence-based policy and actions by industry and government,” said Kenneally.
Outlined in six themes encompassing 12 focus areas, the strategy will be used to drive the program’s future research to address many of the hardest cyber risk economics challenges. The six themes are:
- The quantification of risk
- Role of government, law and insurance
- Third party risk
- Organizational behavior and incentives
- Data collection and sharing
- Threat dynamics
“CYRIE’s goal is to improve value-based decision-making by those who own, operate, protect and regulate the nation’s vital data assets and critical infrastructure,” said Kenneally. “By employing a holistic approach to cyber risk economics research, CYRIE incorporates perspectives on cybersecurity-related decision-making and behavior from a number of social and behavioral sciences alongside more familiar risk economics, ultimately becoming effective in addressing strategy and tactics for optimal cyber-risk avoidance, acceptance, mitigation and transfer.”
The Research Strategy is intended to progress toward solutions to cyber risk challenges in order to improve real-world cyber risk management, help academics and researchers prioritize their work, and help government and other funding sources identify and prioritize areas of investment.