RAND researchers developed and supported the implementation of a methodology to assess the value of resource options for U.S. Navy cybersecurity investments. The proposed methodology enables the Navy to rationalize the cost-effectiveness of potential cybersecurity investments without having to monetize potential losses from cybersecurity attacks or consider the probability of such events amid all possible adversaries and attack paths.
A Methodology for Quantifying the Value of Cybersecurity Investments in the Navy
- How can the Navy rationalize cybersecurity investments in the yearly POM process with a simple framework?
- What challenges must the Navy deal with in prioritizing cybersecurity investments?
- Can the Navy use other existing models to prioritize these investments?
RAND Corporation researchers developed and supported the implementation of a methodology to assess the value of resource options for U.S. Navy cybersecurity investments. The proposed methodology features 12 scales in two categories (impact and exploitability) that allow the Navy to score potential cybersecurity investments in the Program Objective Memorandum (POM) process. The authors include a test implementation using publicly available historical U.S. Navy data to demonstrate how the methodology facilitates valuable comparisons of potential cybersecurity investments.
When compared with existing methods used by the Navy, this methodology could improve the consistency of ratings and provide a more defined structure for thinking through the risk reduction and prioritization of different investments.
The challenges in developing a methodology for cybersecurity investment prioritization and decisionmaking are numerous
- There is no silver bullet for the challenges of managing cyberattack risk (i.e., vulnerability), quantifying potential losses, and assessing the potential benefits of a particular cybersecurity investment.
A major advantage of this methodology is its simplicity
- No complex modeling is required. The risk matrixes align with U.S. Department of Defense processes, making the methodology more approachable for analysts. The level of effort required is further reduced by the need to assess only the risk factors that are relevant to an investment.
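The scoring approach sketched above (rate an investment on impact and exploitability scales, read the result off a risk matrix, and compare the risk reduction across investments without monetizing losses) can be illustrated with a small harness. The code below is an added example written for this summary; it is not RAND's or the Navy's implementation. The four scale names, the 5x5 matrix cells, the relative cost units and the three sample investments are all constructed assumptions, and the report's actual 12 scales are not reproduced here. The example also handles the "assess only the relevant risk factors" point: an investment lists post-investment ratings only for the scales it changes, and every other scale is carried over unchanged from the baseline.

```python
"""Illustrative scoring harness for comparing cybersecurity investments by
risk-matrix level rather than by monetized loss. All scale names, matrix
values and sample investments are constructed assumptions for this example."""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical scales, each rated 1 (best) to 5 (worst). The report describes
# 12 scales in two categories; four are used here purely for illustration.
IMPACT_SCALES = {"mission_disruption", "data_exposure"}
EXPLOITABILITY_SCALES = {"attack_surface", "access_required"}
ALL_SCALES = IMPACT_SCALES | EXPLOITABILITY_SCALES

# Assumed DoD-style 5x5 risk matrix, indexed [exploitability - 1][impact - 1].
# Cell values are risk levels 1 (low) .. 5 (very high). Not an official table.
RISK_MATRIX = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 3, 4],
    [2, 3, 3, 4, 5],
    [3, 3, 4, 5, 5],
]


@dataclass
class Investment:
    name: str
    cost: float              # relative cost units, deliberately not dollars
    before: dict[str, int]   # baseline ratings on the scales relevant to this system
    after: dict[str, int]    # ratings only for scales the investment changes


def _validate(ratings: dict[str, int]) -> None:
    """Reject unknown scales and out-of-range ratings early."""
    for scale, level in ratings.items():
        if scale not in ALL_SCALES:
            raise ValueError(f"unknown scale: {scale}")
        if not 1 <= level <= 5:
            raise ValueError(f"rating for {scale} must be 1..5, got {level}")


def category_level(ratings: dict[str, int], scales: set[str]) -> int | None:
    """Worst-case rating across the relevant scales of one category (None if none rated)."""
    levels = [v for k, v in ratings.items() if k in scales]
    return max(levels) if levels else None


def risk_level(ratings: dict[str, int]) -> int:
    """Map a set of ratings to a single risk level via the matrix."""
    _validate(ratings)
    impact = category_level(ratings, IMPACT_SCALES)
    exploit = category_level(ratings, EXPLOITABILITY_SCALES)
    if impact is None or exploit is None:
        raise ValueError("need at least one impact and one exploitability rating")
    return RISK_MATRIX[exploit - 1][impact - 1]


def score(inv: Investment) -> dict:
    """Risk before and after the investment, plus reduction per unit of cost."""
    before = risk_level(inv.before)
    # Scales not listed in `after` are unchanged by the investment.
    after = risk_level({**inv.before, **inv.after})
    reduction = before - after
    return {
        "name": inv.name,
        "before": before,
        "after": after,
        "reduction": reduction,
        "reduction_per_cost": reduction / inv.cost,
    }


def rank(investments: list[Investment]) -> list[dict]:
    """Order investments by risk reduction per cost, then by absolute reduction."""
    scored = [score(inv) for inv in investments]
    return sorted(scored, key=lambda s: (s["reduction_per_cost"], s["reduction"]), reverse=True)


# Constructed sample investments (names and ratings are illustrative only).
SAMPLE_INVESTMENTS = [
    Investment("Network segmentation", cost=4.0,
               before={"mission_disruption": 5, "data_exposure": 4,
                       "attack_surface": 5, "access_required": 4},
               after={"attack_surface": 2, "access_required": 2}),
    Investment("MFA rollout", cost=2.0,
               before={"data_exposure": 4, "attack_surface": 3, "access_required": 5},
               after={"access_required": 2}),
    Investment("Legacy host patching", cost=3.0,
               before={"mission_disruption": 4, "data_exposure": 2,
                       "attack_surface": 4, "access_required": 3},
               after={"attack_surface": 3}),
]

if __name__ == "__main__":
    for s in rank(SAMPLE_INVESTMENTS):
        print(f"{s['name']:<22} risk {s['before']} -> {s['after']}  "
              f"reduction/cost = {s['reduction_per_cost']:.2f}")
```

Because both categories collapse to a worst-case rating before the matrix lookup, an investment that improves a scale which is not the current worst in its category shows no reduction; that is a property of matrix-based scoring rather than a bug, and it is one reason consistent, structured ratings across investments matter for the comparison to be meaningful.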
Information security economic approaches are not directly applicable to the Navy context
- Existing models have multiple issues that make it very challenging to apply them in the context of the Navy—not the least of which is their dependency on the monetization of loss. Ultimately, the lack of information that the Navy has at its fingertips regarding the cybersecurity state of systems and the potential impact of future and ongoing investments is a key limiting factor.
- Although complex models offer greater potential for precision and accuracy, that precision comes at the expense of greater computational, data, and understandability demands, which are a key challenge area for the Navy.
- The Navy could provide a structured data framework for recommended investments, ideally through a web portal. This would, at a minimum, enable it to compare investments more quickly and mitigate the challenges of comparing past- and future-year investments.
- Within the data framework, the Navy should provide common fields that represent priorities and the scope of the investment. The framework could include additional fields that are useful for econometric analysis. It is critical for investment requests to include this information to increase understanding of a given investment's potential impact relative to others. Similarly, having structured, codified, and consistent priorities across investments also enables rapid comparative analysis.
Table of Contents
Motivation, Challenges, and Relevant Literature
Conclusions, Recommendations, and Next Steps
Relevant Frameworks and Methodologies