Measuring Cybersecurity and Cyber Resiliency

Abstract

This report presents a framework for the development of metrics, and a method for scoring them, that indicates how well a weapon system or mission is expected to perform in a cyber-contested environment. There are two groups of cyber metrics: working-level metrics that aim to counter an adversary's cyber operations and institutional-level metrics that aim to capture any cyber-related organizational deficiencies. The cyber environment is dynamic and complex, the threat is ubiquitous (in peacetime and wartime, deployed and at home), and no set of underlying laws of nature govern the cyber realm. A fruitful approach is to define cyber metrics in the context of a two-player cyber game between Red (the attacking side) and Blue (the side trying to ensure a mission). Red's strategy and tactics will be shaped by its assessment of Blue's posture and weaknesses. Likewise, Blue's posture will be shaped by an expectation of what threats Red poses. Both will continually evolve. No forethought by Blue, no matter how carefully done, will suffice in anticipating all of the possible moves Red might take in the future. Blue will need to use static countermeasures based on known best practices (cybersecurity), as well as adaptive, dynamic actions to respond to Red in real time (cyber resiliency). Both of these dimensions of cyber metrics need to span nearly the entire scope of the enterprise to capture the full range of concerns. To measure how survivable and effective a mission or system can be in a cyber-contested environment, we must understand how well Red cyber operations are being countered. Therefore, the focus of cyber metrics must be on Red's estimated success or failure, not on the specific countermeasures that Blue might try. Blue countermeasures are important, of course, but their importance is as a means to an end: that of hindering or thwarting Red.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2020
Accession Number
AD1096342

Entities

People

  • Bernard Fox
  • Danielle C. Tarraf
  • Don A. Snyder
  • Guy Weichenberg
  • Jonathan W. Welburn
  • Lauren A. Mayer
  • Myron Hura
  • Suzanne Genc

Organizations

  • RAND Corporation

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force
  • Aviation Accidents
  • Business Administration
  • Commercial Aviation
  • Cyberattacks
  • Cybersecurity
  • Cyberspace Operations
  • Employment
  • Information Systems
  • Management Personnel
  • National Security
  • Organizational Structure
  • Personnel Management
  • Psychology
  • Reliability
  • Supply Chain
  • Systems Engineering

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Game Theory
  • Systems Analysis and Design

Technology Areas

  • Cyber