RAND Corporation researchers developed and supported the implementation of a methodology to assess the value of resource options for U.S. Navy cybersecurity investments. The proposed methodology features 12 scales in two categories (impact and exploitability) that allow the Navy to score potential cybersecurity investments in the Program Objective Memorandum (POM) process. The authors include a test implementation using publicly available historical U.S. Navy data to demonstrate how the methodology facilitates valuable comparisons of potential cybersecurity investments.
When compared with existing methods used by the Navy, this methodology could improve the consistency of ratings and provide a more defined structure for thinking through the risk reduction and prioritization of different investments.
A major advantage of this methodology is its simplicity
- No complex modeling is required. The risk matrixes align with U.S. Department of Defense processes, making the methodology more approachable for analysts. The level of effort required is further reduced by the need to assess only the risk factors that are relevant to an investment.
Information security economic approaches are not directly applicable to the Navy context
- Existing models have multiple issues that make it very challenging to apply them in the context of the Navy—not the least of which is their dependency on the monetization of loss. Ultimately, the lack of information that the Navy has at its fingertips regarding the cybersecurity state of systems and the potential impact of future and ongoing investments is a key limiting factor.
- Although complex models offer greater potential for precision and accuracy, it comes at the expense of computational, data, and understandability needs, which are a key challenge area for the Navy.
Source: A Methodology for Quantifying the Value of Cybersecurity Investments in the Navy | RAND
This is a risk assessment methodology which is specific to the domain the navy works in, which is different from the domains of most commercial companies.