Project Title: Towards an Economic Behavioral Science Approach to Cyber Security and Economic Risk Models (ToCyR)

Kickoff Template Submission Date: December 1, 2014

Scott Farrow (PI and Transition Lead), Anupam Joshi (Co-Investigator),

2

Project Objectives: Initialization Year 1

• Research Goals– 1 Create a set of more detailed economic models reflective of

cyber security microeconomic concerns, – 2 Identify the ways in which incentives for private mitigation may

differ from public mitigation depending on the details of the cyber attack taxonomy,

– 3 Identify data necessary to operationalize the most promising models for private or public decision-making,

– 4) create a concordance between different methodological approaches to value risk trade-offs.

• Research Transition Goals– 1 Present results at executive level workshop at DHS– 2 Present paper at policy oriented conference

3

DHS Interest and Motivation:

• (Why is DHS interested)– 1 Cyber: interest in a more science and

social science approach to cyber issues– 2 Make better use of new and existing

guidance in Cyber– 3 Ongoing challenge to analyze risk

metrics• (Who at DHS are your contacts)

– 1 Debra Elkins (SPAR)– 2 Tony Cheesebrough (NPPD)

4

Potential non-DHS Stakeholders:

• Who else (operators/customers) could be interested in your research transition?– NIST: UMBC (my home institution) is part of recent

NIST FFRDC to MITRE and the University System of Maryland.

5

Interfaces to Related Research

• (Who else is working on this)– 1

• (Interfaces with others in this field)– 1Gordon and Leob (developers of private sector

investment guidance for cyber) http://en.wikipedia.org/wiki/Gordon-Loeb_Model

– 2

6

Research Technical Plan:

• Cyber task:– Develop a mathematical structure between cyber

security taxonomies of threat, consequence, and tactics with micro-economic modeling

• Risk model task: Meta Model Choice– Research and compare and contrast the varying

assumptions and risk valuation general measures obtained from benefit-cost analysis, decision analysis and multi-attribute utility analysis with an eye toward a decision model of model choice.

7

Research Transition Plan:

– Information and progress sharing, potential executive seminar presentation• Initialization year is to create initial

substance on cyber.• Meta choice for models may be suitable

for a seminar by summer.

8

Milestones and Schedule/Timeline:

• October 15: Meet with NPPD, SPAR, TRA Economic Consequence group (done); continue contact.

• Jan 1: Present initial structure of meta choice model task to academic groups.

• April 1: Reading, scoping and initial design of cyber risk modeling completing

• June 1: Final draft of cyber risk modeling• June 15: Meta choice modeling available for

presentation.