Measuring Cybersecurity and Cyber Resiliency
RAND ARROYO CENTER SANTA MONICA CA SANTA MONICA United States
This report presents a framework for the development of metrics, and a method for scoring them, that indicates how well a weapon system or mission is expected to perform in a cyber-contested environment. There are two groups of cyber metrics: working-level metrics that aim to counter an adversary's cyber operations and institutional-level metrics that aim to capture any cyber-related organizational deficiencies. The cyber environment is dynamic and complex, the threat is ubiquitous (in peacetime and wartime, deployed and at home), and no set of underlying laws of nature govern the cyber realm. A fruitful approach is to define cyber metrics in the context of a two-player cyber game between Red (the attacking side) and Blue (the side trying to ensure a mission). Red's strategy and tactics will be shaped by its assessment of Blue's posture and weaknesses. Likewise, Blue's posture will be shaped by an expectation of what threats Red poses. Both will continually evolve. No forethought by Blue, no matter how carefully done, will suffice in anticipating all of the possible moves Red might take in the future. Blue will need to use static countermeasures based on known best practices (cybersecurity), as well as adaptive, dynamic actions to respond to Red in real time (cyber resiliency). Both of these dimensions of cyber metrics need to span nearly the entire scope of the enterprise to capture the full range of concerns. To measure how survivable and effective a mission or system can be in a cyber-contested environment, we must understand how well Red cyber operations are being countered. Therefore, the focus of cyber metrics must be on Red's estimated success or failure, not on the specific countermeasures that Blue might try. Blue countermeasures are important, of course, but their importance is as a means to an end: that of hindering or thwarting Red.
- Computer Systems Management and Standards