The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) announced today that it issued $1,272,320 of funding awards to develop new solutions to “improve the capability of organizations to understand and improve their cybersecurity control investment decisions.” The funding will be split between University of California, San Diego and University of Illinois, Chicago.
The awards are a part of S&T’s Cyber Risk Economics (CYRIE) project, which is designed to improve the “value-based decision-making” of individuals and organizations involved with vital data assets and critical infrastructure in the United States.
“Research in cyber risk economics is an important element in S&T’s cybersecurity portfolio,” said William N. Bryan, senior official performing the duties of the under secretary for Science and Technology. “S&T is working to improve cybersecurity practices–particularly in the areas of risk management and investment decision making–through improved models and metrics that will help organizations make informed acquisition and deployment decisions about cybersecurity products on the market today.”
University of California, San Diego received $1.04 million as part of a multi-year effort to develop “threat intelligence tools and techniques for measuring the reliability and value of a threat intelligence source to an enterprise.” S&T said the project will increase transparency and incentivize more effective controls within the threat intelligence marketplace. University of Illinois, Chicago was awarded the remaining $227,305 for a twelve-month effort to develop a standard “cyberattack economic impact model, and a tool to automate data collection and analysis in order to provide near real-time estimates of cyberattack outcomes.”
“These additions to the CYRIE portfolio address capability gaps to help make cyber control investment decisions that decrease our exposure to risk,” said CYRIE Program Manager Erin Kenneally. “The threat intelligence metrics research will help organizations evaluate investments in threat intelligence products and services. The standard model for the cost of cybersecurity attacks research will provide organizations a baseline to evaluate potential cyberattacks impacts in order to make sound investment decisions, something that is difficult today because of the absence of an open source, data-driven model for understanding and characterizing harms.”