Analytical Frameworks to Assess the Effectiveness and Economic-Returns of Cybersecurity Investments

Abstract

Critical considerations in engineering today's systems are securing the collection, access, and dissemination of the information they contain. Advanced computing technologies, ubiquitous environments, and sophisticated networks enable globally distributed information access to an uncountable number of consumers - and adversaries. Assuring the integrity of today's missions, and the highly networked systems they depend on, requires economic decisions in rapidly changing technology and cyber threat environments. Knowing that countermeasures effective against today's threats can be ineffective tomorrow, decision-makers need agile ways to assess the efficacies of investments in cyber security on assuring mission outcomes. Analytical methods in cyber security economics need to be flexible in their information demands. Some investment decisions may necessitate methods that use in-depth knowledge about a mission's information systems and networks, vulnerabilities, and adversary abilities to exploit weaknesses. Other investment decisions may necessitate methods that use only a high-level understanding of these dimensions. The sophistication of methods to conduct economic-benefit tradeoffs of mission assuring investments must calibrate to the range of knowledge environments present within an organization. This paper presents a family of analytical frameworks to assess and measure the effectiveness of cyber security and the economic-benefit tradeoffs of competing cyber security investments. These frameworks demonstrate ways to think through and shape an analysis of the economic-benefit returns on cyber security investments - rather than being viewed as rigid model structures.