Download eBook for Free

FormatFile SizeNotes
PDF file 0.3 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Research Questions

  1. What is the estimated investment portfolio to meet requirements for the JCW program?
  2. What are the potential challenges and uncertainties related to quantifying cost, development time, and operational time of cyber capabilities?
  3. Can a categorization of vulnerabilities provide a better understanding of vulnerability life span uncertainties?

The authors assembled novel datasets of publicly tracked common vulnerabilities and exposures, estimated vulnerability operational times, and collected software update cadence data to explore potential trends across a variety of software product categories. Altogether, the data were used to quantify uncertainties related to cost and operational time of software vulnerabilities and update a cost model to estimate life-cycle costs of the U.S. Marine Corps Joint Cyber Weapons (JCW) program.

A cost-estimating framework developed in prior research—which captured demand requirements for cyber capabilities (CCs), uncertainties surrounding vulnerability decay rates and weapon development costs, variable adversary defense capabilities, and time phasing of acquisitions into service—was updated with the new data assembled in this report. Potential investment portfolios were then explored.

Key Findings

  • Because of the uncertainty surrounding vulnerability life spans and cyber weapon complexity, the estimated costs for the JCW program range from approximately $125 million to $375 million over five years to maintain five working weapons.
  • Collection of open-source data about cyber vulnerabilities presents challenges because of a lack of both precise common vulnerabilities and exposures (CVE) temporal data and uniformity across sources.
  • Across the nine product categories that were used to categorize vulnerabilities in this report, minor software update frequencies display a range from an average of every 20 days for mobile phones to 178 days for industrial control systems, which indicates the short timelines under which JCW must operate.
  • Enterprise information technology (IT) infrastructure and non-enterprise IT infrastructure vulnerabilities had longer historic average life spans than other categories of software at averages of 1,115 and 1,078 days, respectively, which suggests that there is less cost to develop exploits for software in these categories.
  • An expansion of the developed CVE dataset might reveal additional life span trends. However, the lack of a viable automated data collection methods limits the scope of CVE-related analysis.

This research was sponsored by U.S. Marine Corps Systems Command and conducted within the Navy and Marine Forces Program of the RAND National Security Research Division.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.