A Cross-Reference of Mission-Based Cyber Risk Assessment (MBCRA) Inputs and Outputs
Abstract
Mission-based cyber risk assessments (MBCRAs) are methodologies used to identify, estimate, assess, and prioritize cybersecurity risks for hardware and information systems being employed in operations. Current Department of Defense (DoD) policy does not provide any guidance on how to evaluate the quality of mission-based cyber risk assessment methodologies, nor does it define specific criteria to examine or results that must be generated by MBCRAs to inform system security decisions. This study used previous Institute for Defense Analyses (IDA) work, in consultation with MBCRA source documentation, to develop a reference of common MBCRA data inputs and output formats across the active methodologies. For the sample of twenty active MBCRAs identified, there are eleven common required data inputs and five common output formats to report risk results, and each data input maps to at least one of the risk reporting output formats. This analysis of the commonalities and connections between MBCRAs provides the DoD community with information to inform evaluation criteria for MBCRA methodologies to support testing.
Document Details
- Document Type: Technical Report
- Publication Date: Mar 01, 2022
- Accession Number: AD1228867
Entities
People
- Allyson M. Buytendyk
- Rachel K. De Naray
Organizations
- Institute for Defense Analyses