Applying Cause-Effect Mapping to Assess Cybersecurity Vulnerabilities in Model-Centric Acquisition Program Environments

Abstract

Digital engineering approaches are increasingly used in acquisition of systems, changing the current paradigm from documentation-centric to model-centric. Not only are these systems highly vulnerable to cyber threats, so too are their enabling environment and digital assets. While good practices have emerged to support the shift to model-centric program acquisition, such programs experience perturbations over their life cycles that introduce new vulnerabilities that may lead to cascading failures. Cybersecurity vulnerabilities are of particular concern given digital transformation and increasing threat actors, making vulnerability assessment essential throughout acquisition program life cycles. This paper discusses ongoing research that seeks to provide program managers with the means to identify cybersecurity vulnerabilities within model-centric programs (along with other model-related vulnerabilities) and determine where interventions can most effectively be taken. The research builds on recent work in developing a reference model for model-centric program vulnerability assessment that uses the Cause-Effect Mapping (CEM) analytic technique. This research investigates cybersecurity specifically, using CEM and other dynamic analysis approaches, including a prototype for proactive assessment of cybersecurity and evaluation of potential interventions.