Cybersecurity Acquisition Framework Based on Risk Management: Economics Perspective

Abstract

Investments in the cyber domain are subject to constraints that may be similar to those in other domains, such as cost and effectiveness. However, cyber is a dynamic domain where the effectiveness and efficiency of investments are harder to measure. The interdependency of assets poses an additional challenge to make decisions on investments for the cyber domain. Therefore, organizations need to answer hard questions: whether, how much, and when to invest in cybersecurity. Analyzing the attack surface of a system or an enterprise in cyberspace, prioritizing assets according to their business values, and quantifying cybersecurity risk in monetary values would help to make better decisions while choosing a risk management strategy. The aim of this article is to develop a risk-informed cybersecurity investment decision model by considering the ripple effects in an organization based on the Functional Dependency Network Analysis (FDNA) methodology. Several simulations are conducted to test the effectiveness of the developed model.