Download

Download eBook for Free

FormatFile SizeNotes
PDF file 0.9 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Purchase

Purchase Print Copy

 FormatList Price Price
Add to Cart Paperback88 pages $24.00 $19.20 20% Web Discount

Research Questions

  1. How can the Navy rationalize cybersecurity investments in the yearly POM process with a simple framework?
  2. What challenges must the Navy deal with in prioritizing cybersecurity investments?
  3. Can the Navy use other existing models to prioritize these investments?

RAND Corporation researchers developed and supported the implementation of a methodology to assess the value of resource options for U.S. Navy cybersecurity investments. The proposed methodology features 12 scales in two categories (impact and exploitability) that allow the Navy to score potential cybersecurity investments in the Program Objective Memorandum (POM) process. The authors include a test implementation using publicly available historical U.S. Navy data to demonstrate how the methodology facilitates valuable comparisons of potential cybersecurity investments.

When compared with existing methods used by the Navy, this methodology could improve the consistency of ratings and provide a more defined structure for thinking through the risk reduction and prioritization of different investments.

Key Findings

The challenges in developing a methodology for cybersecurity investment prioritization and decisionmaking are numerous

  • There is no silver bullet for the challenges of managing cyberattack risk (i.e., vulnerability), quantifying potential losses, and assessing the potential benefits of a particular cybersecurity investment.

A major advantage of this methodology is its simplicity

  • No complex modeling is required. The risk matrixes align with U.S. Department of Defense processes, making the methodology more approachable for analysts. The level of effort required is further reduced by the need to assess only the risk factors that are relevant to an investment.

Information security economic approaches are not directly applicable to the Navy context

  • Existing models have multiple issues that make it very challenging to apply them in the context of the Navy—not the least of which is their dependency on the monetization of loss. Ultimately, the lack of information that the Navy has at its fingertips regarding the cybersecurity state of systems and the potential impact of future and ongoing investments is a key limiting factor.
  • Although complex models offer greater potential for precision and accuracy, it comes at the expense of computational, data, and understandability needs, which are a key challenge area for the Navy.

Recommendations

  • The Navy could provide a structured data framework for recommended investments, ideally through a web portal. This would, at a minimum, enable it to compare investments more quickly and mitigate the challenges of comparing past- and future-year investments.
  • Within the data framework, the Navy should provide common fields that represent priorities and the scope of the investment. The framework could include additional fields that are useful for econometric analysis. It is critical for investment requests to include this information to increase understanding of a given investment's potential impact relative to others. Similarly, having structured, codified, and consistent priorities across investments also enables rapid comparative analysis.

Table of Contents

  • Chapter One

    Motivation, Challenges, and Relevant Literature

  • Chapter Two

    Proposed Methodology

  • Chapter Three

    Example Implementation

  • Chapter Four

    Conclusions, Recommendations, and Next Steps

  • Appendix A

    Relevant Frameworks and Methodologies

This research was sponsored by the U.S. Navy Office of the Chief of Naval Operations (OPNAV) and conducted within the Navy and Marine Forces Center of the RAND National Security Research Division (NSRD).

This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.