Return On Cyber Security Investment (ROCSI)

网络安全投资回报率 (ROCSI)

• 批准号: ES/W005964/2
• 负责人: Ying He
• 金额: $ 25.38万
• 依托单位: Queen Mary University of London
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2023
• 资助国家: 英国
• 起止时间: 2023 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=ES%2FW005964%2F2
• 关键词: Return; Cyber; Security; Investment; ROCSI

To be of business value, any investment must be selective and focus on high priority areas of the business. However, boards find it difficult to justify the cost of investment and formulate ROI arguments on cyber security due to their inability to fully understand and anticipate the direct and indirect impact of cyber threats. The fundamental problem is the absence of transparent ways of integrating cyber threats into the boards' decisions about investment in cyber security. In an investment decision, organisations are required to determine business impact if the threats were to manifest, calculate the direct cost (e.g. cyber threat mitigations, cyber insurance charges) and indirect cost (e.g. impact on system performance, share price drop) to optimise the organisation's security defence capability. The key decision makers are security managers (e.g. CISO) and board members. However, they find it difficult to estimate the costs of investing and balancing these against potential benefits procured or impacts mitigated as the cyber security investments prevent potential losses but may not generate revenue directly. There is a lack of a clear way of linking cyber threat mitigations to the cyber security ROI. This is compounded by the uncertainties resulting from the changing threat landscape and business context (e.g. adding devices to the system or changing of threat mitigation decisions). The proposed ROCSI is designed to address these challenges by comprehensively capturing threat data from multiple threat sources and integrating it into the cyber security investment decision processes. The ROCSI aims to deliver threat-informed, user-tailored and up-to-date decision support which is continuously updated as new threat data becomes available. The ROCSI will output the ROI analysis on threat mitigations in response to the business processes ranked by decision makers.This project will deliver the foundations for a novel approach to cyber security decision making at the board and strategic level through combining multidisciplinary data and human factors to improve the transparency and quality of decision making. It will contribute to the national strategy on cyber security through the research of threat-informed decision making at the board and strategic level, with the aim of enhancing organisations' cyber defence capability and improve organisational resilience. It addresses the theme "Incentives and behaviours" of the NCSC Research Problem Book, through incentivising boards and organisations to proactively invest into cyber security and adopt positive security behaviours. The proposed research sits in the Global Uncertainties theme, where Cyber Security is listed as a priority. This project is in a unique position to deliver impact in both research communities and industries based on the PI's previous engagement with NCSC, RITICS, RISCS, Innovate UK, and the PI's established contacts who will help shape, evaluate and refine the proposed research. this project uniquely benefits from the host organisation's strong track record in human decision making (the LUCID research lab) and behaviour science (the ESRC funded NIBS) research, its partnership with NCSC, GCHQ, and Dstl and the Horizon DER Institute that enables the widest dissemination and exploitation of research outcomes.

要具有商业价值，任何投资都必须是有选择性的，并专注于业务的高优先级领域。然而，董事会发现，由于无法充分理解和预测网络威胁的直接和间接影响，他们很难证明投资成本的合理性，并就网络安全提出投资回报率的论点。根本问题在于，缺乏将网络威胁纳入董事会有关网络安全投资决策的透明方式。在投资决策中，组织需要确定威胁出现时的业务影响，计算优化组织安全防御能力的直接成本(例如，网络威胁缓解、网络保险费)和间接成本(例如，对系统性能的影响、股价下跌)。关键决策者是安全经理(例如CISO)和董事会成员。然而，他们发现很难估计投资成本，并在这些成本与潜在收益或缓解的影响之间取得平衡，因为网络安全投资防止了潜在损失，但可能不会直接产生收入。缺乏一种明确的方式将网络威胁缓解与网络安全投资回报联系起来。不断变化的威胁格局和业务环境(例如，向系统添加设备或更改威胁缓解决策)带来的不确定性加剧了这一问题。拟议的ROSSI旨在通过全面捕获来自多个威胁源的威胁数据并将其整合到网络安全投资决策过程中来应对这些挑战。ROSSI的目标是提供了解威胁的、用户定制的和最新的决策支持，并在新的威胁数据可用时不断更新。ROSI将输出威胁缓解的ROI分析，以响应决策者排名的业务流程。该项目将通过结合多学科数据和人为因素来提高决策的透明度和质量，为在董事会和战略层面制定网络安全决策的新方法奠定基础。它将通过研究董事会和战略层面的威胁知情决策，为国家网络安全战略做出贡献，目的是增强组织的网络防御能力，提高组织的复原力。它通过激励董事会和组织积极投资于网络安全并采取积极的安全行为，解决了NCSC研究问题书中的“激励和行为”这一主题。这项拟议的研究涉及全球不确定性主题，网络安全被列为优先事项。该项目处于独特的地位，能够在研究社区和行业产生影响，这是基于PI之前与NCSC、RITICS、RISCS、Innovate UK的接触，以及PI建立的帮助形成、评估和完善拟议研究的联系人。该项目特别受益于主办组织在人类决策(清醒研究实验室)和行为科学(ESRC资助的NIBS)研究方面的良好记录，以及与NCSC、GCHQ、DSTL和Horizon der Institute的合作伙伴关系，使研究成果得以最广泛地传播和利用。