1. Introduction
Cybersecurity is a complex challenge faced by everyone from individuals browsing the Internet to public and private organizations. Both public and private organizations have fallen victim to cyberattacks (Davis 2015, Cieply & Barnes 2015). Moreover, as Internet-connected systems are integrated more and more into the average person's daily life, cyberattacks have become a normal aspect of modern life for many people. While many attacks are of little or no consequence, many others become high-visibility and costly cyber incidents, causing long-lasting damage to the affected organization. There are any number of reasons for an organization's network to be susceptible to a cyberattack, ranging from personnel with poor online practices to failure to patch vulnerabilities in a timely manner. Cybersecurity investment is a further challenge for organizations: deciding how much to invest, and in what, involves multiple difficulties, including chronic underinvestment and the lifecycle management of the solutions that are acquired.
For organizations that own and operate cyber-physical systems, specifically industrial systems, critical infrastructure, or other legacy systems, cybersecurity is an especially challenging problem because these systems are often composed of components that were not designed with security or modern interconnectedness in mind. Moreover, a country's networked critical infrastructure systems can make an enticing target for unscrupulous adversaries. Indeed, cyberattacks against critical infrastructure are well known to lead to severe consequences (Liang et al. 2016), as energy system disruption can cause dependent critical systems (e.g., waste processing, hospital/medical systems, traffic lights, refrigeration/storage systems, etc.) to fail. Many countries' critical infrastructure systems are known to be vulnerable to cyberattack, and even in the absence of active conflict, adversarial actors may have already compromised those systems (US-CERT 2018).
To address these challenges, we developed the Resilient Critical Infrastructures through Secure and Efficient Microgrids (ReCIst) project, funded through the United States' Office of Naval Research Energy System Technology Evaluation Program (ESTEP), to develop a decision-support capability that provides visibility into the true costs of introducing cybersecurity solutions to industrial power grids. The decision of which cybersecurity solution would be best is ultimately a financial one; therefore we developed a return on investment model to help acquisition workers weigh the costs of their own facilities against the costs and benefits associated with a virtual marketplace of potential cybersecurity solutions. This paper synthesizes and extends our previous work as follows:
- We recap our previously-developed decision support framework for a cybersecurity acquisition workforce (Romero-Mariona, Hallman, Kline, Miguel, Major & Kerr 2016) and demonstrate its utility by incorporating technology evaluations into a fully-described framework for determining a Return on Cybersecurity Investment (ROCI) (Hallman et al. 2020, Major et al. 2020);
- We further describe an instantiation of the ROCI model to quantify the effects of cybersecurity investment for critical infrastructure.
To the best of our knowledge, ours is the first cybersecurity investment framework that attempts to quantify a return on investment for the critical infrastructure sector.
The remainder of this paper is organized as follows: Background information is provided in Section 2, along with a survey of previous work on cybersecurity investment strategies and cybersecurity economics. A recap of our cybersecurity technology evaluation and decision support framework is given in Section 3. Section 4 describes the Return on Cybersecurity Investment model within the context of industrial control systems and networked critical infrastructure, while Section 5 demonstrates how technology evaluations are fed into the model to determine a ROCI for the adoption of a suite of cybersecurity technologies. Concluding remarks and ongoing/planned work are found in Section 6.
We begin by presenting background information covering attempts to quantify the true costs of a cyberattack, cyber insurance, and risk modeling. We then present a literature review of previous cybersecurity investment models. The overwhelming majority of the work cited focuses on information technology systems rather than operational technology systems.