Cybersecurity

Improving cybersecurity risk management

Published 7 July 2017

DHS S&T awarded $220,209 to the University of Tulsa to study data production and usage by cybersecurity researchers, information that will help quantify the value of data-sharing and improve sharing incentives to address the interdependency of cyber-risk environments. The award’s primary focus is research into investment, impact, value and incentives related to cybersecurity risk management.

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) awarded $220,209 to the University of Tulsa to study data production and usage by cybersecurity researchers, information that will help quantify the value of data-sharing and improve sharing incentives to address the interdependency of cyber-risk environments.

The award was made through the S&T Cyber Security Division’s (CSD) Cyber Risk Economics (CyRiE) project. CyRiE supports measurement and modeling research into the business, legal, technical and behavioral aspects of the economics of cyber-threats, vulnerabilities and controls. S&T says that the award’s primary focus is research into investment, impact, value and incentives related to cybersecurity risk management. This focus will provide relevant, timely, accurate and comprehensive data to help shape effective policy, optimize cybersecurity risk management and advance understanding of the cyber-risk landscape.

“Cybersecurity is a data-driven research field that demands access to large and varied data resources held by other researchers,” said Acting DHS Under Secretary for Science and Technology William N. Bryan. “This project will help facilitate enhanced data-sharing among cybersecurity researchers, which will enable researchers to better quantify risks and identify new cyber-defenses.”

Through a project titled “The Economics of Cybersecurity Research Data-Sharing,” the university will examine published research to identify what data is available, how the research community is failing to exploit the wealth of data it produces, and ultimately recommend how data-sharing can be improved to enhance evidence-based policy and technology solutions. Additionally, the project will analyze usage of the research data stewarded by CSD’s Information Marketplace for Policy and Analysis of Cyber-risk & Trust project to understand the return on investment for existing, shared datasets that are being leveraged by others.

The CyRiE project is working to improve value-based decision-making by those who own, operate, protect, and regulate the nation’s vital data assets and critical infrastructure. The project goes beyond the traditional economic-based view of incentives for cybersecurity to approach cybersecurity risk as a multidimensional problem that requires multidisciplinary perspectives. In this way CyRiE research and development (R&D) can more effectively address strategy and tactics for optimal cyber-risk avoidance, acceptance, mitigation and transfer.

“An open secret of cybersecurity R&D is that while empirical data is the lifeblood of developing, testing and evaluating solutions, its ready availability is falsely assumed and its value is grossly understated,” said CyRiE Program Manager Erin Kenneally. “Quantifying what data is being used and produced by cybersecurity researchers and developers is critical to measuring the gaps and value proposition for data-sharing.”