Cover: Managing for Mission Assurance in the Face of Advanced Cyber Threats

Managing for Mission Assurance in the Face of Advanced Cyber Threats

Published May 24, 2021

by Don Snyder, Lauren A. Mayer, Myron Hura, Suzanne Genc, Colby P. Steiner, Laura Werber, Kathryn O'Connor, Keith Gierlack, Paul Dreyer, Bernard Fox


Download eBook for Free

FormatFile SizeNotes
PDF file 1.9 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback74 pages $23.00

Research Questions

  1. What should Air Force official policy and strategy for addressing cybersecurity look like?
  2. How should the roles and responsibilities for cybersecurity risk assessment be managed in the Air Force?
  3. Should the provision of information technology network services and the cybersecurity of those networks be managed together or separately?
  4. How should preparatory and operational cybersecurity activities be apportioned?
  5. In what ways can leaders foster a culture in which all airmen, civilians, and contractors understand and play their roles in cybersecurity?

Current cyberspace threats are highly dynamic, complex, and ubiquitous in time and space. Activities to ensure resiliency to adversarial cyber operations throughout the Air Force have organically organized themselves to be somewhat fractionated, with blurred lines of authority and no overall coordinating mechanism to ensure that all related activities are identified, tasked, and implemented and act in concert to achieve enterprise objectives. The authors develop a foundation for better managing efforts to ensure resiliency to adversarial cyber operations at the enterprise level aimed at mission assurance in the Air Force. This structure includes guidance on the allocation of roles and responsibilities for tasks to ensure resiliency to adversarial cyber operations and mechanisms to create a cohesive initiative in which each individual and organization is working toward a common goal. The authors also stress the need for leaders to instill in airmen, civilians, and contractors an understanding that the conflict in cyberspace is ubiquitous in time and space; that operations in cyberspace might be decisive in warfare; that all airmen, civilians, and contractors play a role in ensuring resiliency to adversarial cyber operations; that nothing can be completely secure in cyberspace, which leads to a sense of responsibility to carry on mission(s) in the face of an attack through cyberspace; that connecting one system to another (or to a network) carries potential risks; and that personnel have an obligation to report anomalies in data, nonnominal procedures, and potential cyber incidents.

Key Findings

Enterprise management to ensure resiliency to adversarial cyber operations has gaps

  • The DoD and the Air Force lack a clearly stated objective for cybersecurity and cyber resiliency that concisely articulates the objective for all airmen, civilians, and contractors.
  • High-level policy in the Air Force does not comprehensively delineate tasks for resiliency to adversarial cyber operations and does not allocate the roles and responsibilities for these tasks to each organization.
  • The culture for cybersecurity in the Air Force is immature and in need of shaping by leadership.


  • The Air Force should issue a clearer objective and strategy for cybersecurity, embracing both cyber defensive measures and the ability to continue missions through adversary cyber operations holistically.
  • This treatment of cybersecurity activities should employ a balance of cyber defensive measures and cyber resiliency measures (of systems and missions) and employ a balance of enterprise networks and cyber-physical systems.
  • Activities that require quick decisions using detailed knowledge in a complex environment should be distinguished from those that do not.
  • Leaders should institute cultural change, promoting recognition that there is conflict in cyberspace between the United States and others that is ubiquitous in time and space and that all individuals and organizations within the Air Force play a role in being resilient to adversarial cyber operations. Failure to perform that role effectively could be decisive.

Research conducted by

This research was commissioned by the Air Force Chief Information Dominance and Chief Information Officer in the Office of the Secretary of the Air Force and conducted within the Resource Management Program of RAND Project AIR FORCE.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.