Millions of messages, data files and transactions flow through business networks and across the Internet each day, collectively driving the U.S. economy. Our nation’s dependence on this vast electronic infrastructure is unquestioned; certainly few businesses can survive without safe networks and reliable Internet access.
At the same time, companies are increasingly at risk from cyber attack. Malicious intruders can bring business to a halt, as in a distributed denial-of-service attack that renders a system temporarily inoperable; or they can create thornier problems, as when a hacker unleashes data-destroying code or downloads proprietary secrets. In addition, attacks are seldom isolated: a breakdown in one company can reverberate throughout an entire economic sector, disrupting the flow of vital goods and services to many end-users.
Most businesses understand that cyber security is critical to their operations. Unfortunately, the information assurance community has yet to develop the risk analysis tools needed to understand the economic complexities that influence companies’ security purchases. Deciding how much to spend on what level of protection depends on numerous variables, many of them poorly understood. How, for example, does one measure success when a thwarted attack cannot be distinguished from the lack of attack? Similarly, how does one calculate the costs of inadequate protection when the degree of risk is unpredictable? Finally, how does one account for inadequate security on the part of suppliers and others in one’s business network? What happens, in other words, when a cyber attack directed at one company ripples throughout an entire supply chain? And perhaps most important, how does one compare investments in cyber security to other investment opportunities, such as R&D or enhanced marketing?
With its focus on risk-modeling tools and analyses, the Business Rationale for Cyber Security project represents a key step in addressing the business challenge of making better cyber security investment decisions.
Launched in April 2007, the Business Rationale project represents the first comprehensive study of cyber security economics. Involving more than a dozen experts from four research institutions, the project brings a multi-disciplinary and collaborative approach to this critical need. The project takes a solutions-oriented approach, with team members collecting data, assessing strategies and creating decision-making models.
Central to the study are two questions:
The Business Rationale project is partnering with a reasonably broad set of companies and industry leaders to better understand specific security needs within the business sector and also the multiple impacts a security breach can have both within and beyond a single company. As part of their analysis, researchers will measure such parameters as the likelihood of attack, the prospective consequences of an attack, and the reduction of risk created by differing levels of cyber security investment. At the same time, the team is working to develop tools to facilitate rational investment decisions.
Specifically, the team is undertaking the following strategies:
By developing tools to facilitate appropriate cyber security choices, the Business Rationale project addresses a critical need.
Not only are data obtained by the Business Rationale team contributing significantly to our understanding of a corporation’s economic position vis a vis cyber security, but the group’s solutions-oriented approach is producing tools to directly help harden our nation’s cyber infrastructure.
Specifically, the project’s goals are to:
"Overall, the data and tools developed by the team are expected to play a key role in helping organizations make better cyber security decisions and thus—indirectly—help strengthen the information security of the U.S. economy." Barry Horowitz, University of Virginia and Team Leader.
Team Leader: Barry Horowitz firstname.lastname@example.org
Funded by the Department of Homeland Security (DHS)
Last Updated: 2/20/15