Recognizing the need for comprehensive cybersecurity programs, while also realizing the economic difficulties that hinder their development, the U.S. Department of Homeland Security’s Science and Technology Directorate (S&T) recently formed a program to answer and address these issues.
S&T said that the questions can be addressed along four dimensions: how and why are cybersecurity investments made, what impact do they have on risk and harm, what is the relationship between cybersecurity risk and traditional business risk, and what incentives are needed to encourage optimal cyber-risk management. If the Cyber Risk Economics (CYRIE) program can answer those questions, S&T said the government would be on the path to implementing cybersecurity solutions.
“Through its current and upcoming R&D programs, CYRIE is fostering data, measurements, models and metrics to help organizations understand the cyber risks they face, how to better invest in controls that reduce cyber risk exposure and manage harm when controls fail,” CYRIE Program Manager Erin Kenneally said. “We are also providing our government partners better knowledge of the tools available to them—making and enforcing policy and regulation, convening stakeholders, adopting technology and enabling R&D—to be used to reduce cyber risk exposure.”
The program was formed in 2017 with a focus on research and development roadblocks. It has since adopted a six-theme strategy meant to address the quantification of risk, the role of government, law and insurance, third-party risk, organizational behavior and incentives, data collection and sharing, and the threat dynamics involved in cyber risk economics challenges.
“CYRIE’s goal is to improve value-based decision-making by those who own, operate, protect and regulate the nation’s vital data assets and critical infrastructure,” Kenneally said. “By employing a holistic approach to cyber risk economics research, CYRIE incorporates perspectives on cybersecurity-related decision-making and behavior from a number of social and behavioral sciences alongside more familiar risk economics, ultimately becoming effective in addressing strategy and tactics for optimal cyber-risk avoidance, acceptance, mitigation and transfer.”