Business Rationale for Cyber Security Project
Business Rationale for Cyber Security (Pdf.)
Presentation-Mar. 07 (Pdf.)
THE CHALLENGE
As society grows more reliant on information technology for daily transactions, reliable and secure communications are imperative. At the same time, cyber threats from many sources require businesses and governments to deploy cyber security defenses. A successful attack against one organization can affect the business processes of another. For example, manufacturers rely on the Internet to coordinate supply chains with business partners. A successful attack against one business can have ripple effects throughout the entire supply chain, business sector, or even a significant portion of the US economy. Organizations must decide what kind of security controls to deploy in light of only limited knowledge of the threats they face, the probable consequences should an attack occur, and the likely effects of a security solution on their risk profile and business needs. The rapid increase in advanced uses of computer-based systems has historically outpaced the investment in research on creating more effective methods for managing cyber security investments.
PROJECT OVERVIEW
The Business Rationale for Cyber Security project, supported by the Institute for Information Infrastructure Protection (I3P), brings together cross-disciplinary research at leading national institutions to address the challenge of how organizations can make better cyber security investment decisions. This research will answer such questions as:
- What processes are required to support a more effective approach to cyber risk management?
- What data are needed and are available to support investment models and the decisions they support?
- What are the effects of each investment alternative on individual businesses and business sectors?
A Security Executive Advisory Council consisting of industrial executives interested in addressing this need will participate in refining and evaluating the research efforts.
WHAT MAKES THIS PROJECT UNIQUE?
This research will examine cyber security decisions not only in terms of how they affect organizations and their partners, but also how they create ripple effects across industry sectors and the entire economy. Our results will help decision makers better understand their options, particularly in the context of other, competing business requests for resources. The models will enable policy makers to evaluate tradeoffs and suggest more effective incentives for cyber security investment and compliance. Because the project’s models are data-driven, the research team will use a framework that maps models to credible data sources, so that real-world data will inform decision-support tools. Moreover, case studies with industry managers will infuse the research with real-world experiences about investment decision-making.
PROJECT GOALS
Researchers will work with industry partners to understand and translate their unique security needs into security questions. Improved models for understanding security decisions and their effects will form the underpinnings of a decision support tool to help decision makers explore various aspects of their security choices.
RESEARCH APPROACH
- Assess decision support models that can be of immediate use to decision makers.
- Analyze how organizations respond to emerging changes in cyber security threats and solutions.
- Collect information about current practices and policies organizations use to make cyber security decisions, including case studies of industry partners.
- Describe interdependencies among different organizations’ information processes.
- Build an open-source decision support tool to help organizations learn more about how their business and cyber security needs affect each other and their business partners.
TEAM MEMBERS
- University of Virginia
- RAND Corporation
- Tuck School of Business at Dartmouth College
- School of Informatics, Indiana University
FOR MORE INFORMATION
Project Leader: Barry Horowitz, (434) 924-0306
I3P Associate Director for Research: , (603) 646-0692
