Article #2 Cost Benefit Analysis and NIST RMF

Every President since President Bush has recognized the risk of cybersecurity breaches in the ever-expanding, interconnected digital world of the Internet. President Obama's Executive Order (EO) 13636 described how important it was to improve critical infrastructure cybersecurity. The EO directed the "National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce, [to] develop a Cybersecurity Framework that includes 'a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks' (Gordon)." Later, President Trump's EO 13800 made that Cybersecurity Framework mandatory for all Federal agencies. Since then the NIST Cybersecurity Framework (CSF) has been widely adopted by companies, agencies and organizations, which gives all of them a common vocabulary for managing cyber risk across the network connections between them. (The CSF is distinct from NIST's Risk Management Framework, the RMF of SP 800-37; the implementation tiers discussed below belong to the CSF.) The article's objective "is to provide a logical approach for integrating cost–benefit analysis into the NIST Cybersecurity Framework. The recommended approach is based on the Gordon–Loeb Model (GL Model) for cybersecurity investments (Gordon)."

The Model's Use

According to the article, the NIST CSF has been adopted by companies and government agencies around the world. Because the CSF is deliberately broad and flexible about how the cybersecurity risk management process is carried out, it is no wonder it has been embraced so widely. The article describes four Implementation Tiers at which an organization might apply the CSF: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive). At Tier 1 (Partial), the organization has no formal, integrated cyber risk management process, and most of its cybersecurity defense is reactive rather than proactive. At Tier 2 (Risk Informed), it tends to have a loosely enforced cybersecurity risk management program that is not applied organization-wide. At Tier 3 (Repeatable), risk management is a formally integrated, repeatable process that is both reactive and proactive. At Tier 4 (Adaptive), the organization continuously monitors its systems and threat environment for changes that require adjustments to its risk management process, which is formal and fully integrated. NIST recommends that the choice of tier be based on a cost-benefit analysis, and the GL Model is one such method that is already widely accepted. Since no system is 100% secure, the GL Model assumes that the organization's information systems are vulnerable to some degree. The GL Model uses a series of equations to relate the probability of a breach, the value of the information at risk, and the cost of investing in security; the resulting figures help determine how much the organization should invest, and therefore which level of implementation it can justify. The GL Model uses a four-step process:
“Step 1: Estimate the value of the information being protected, which also represents the potential loss (L).
Step 2: Estimate the probability that the information will be breached (i.e., estimate the information’s vulnerability [v] to a successful attack).
Step 3: Combine the first two steps such that the expected loss is derived.
Step 4: Allocate cybersecurity investments to the information to be protected, based on the productivity of the investments and the cost of the investments (i.e., based on cost–benefit analysis) (Gordon).”


The expected loss (v multiplied by L), and the reduction in it that an investment buys, must be large enough relative to the cost of moving up a tier to justify the move; a higher v on its own does not justify the spend if L is small. Combining the NIST CSF and the GL Model in this way helps an organization choose, and then implement, the appropriate tier.
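To make the four steps and the tier decision concrete, here is an added worked example. It is my own illustration, not code from the Gordon–Loeb article or from NIST. It assumes the Class I security breach probability function from Gordon and Loeb's 2002 paper, S(z, v) = v / (αz + 1)^β, where z is the investment; the page itself gives no functional form. The asset value, vulnerability, α, β and the candidate tier costs are constructed values for illustration only.

```python
"""Gordon-Loeb cost-benefit example (added illustration, not the article's code).

Assumes the Class I breach-probability function from Gordon & Loeb (2002):
    S(z, v) = v / (alpha * z + 1) ** beta
where z is the security investment, v the vulnerability of the information set
(probability of a breach with no extra investment), and alpha > 0, beta >= 1
are productivity parameters. All numbers below are constructed for illustration.
"""
import math


def expected_loss(v: float, L: float) -> float:
    """Step 3: expected loss before any extra investment (v times L)."""
    return v * L


def breach_probability(z: float, v: float, alpha: float, beta: float) -> float:
    """Probability of a breach after investing z (assumed Class I function)."""
    return v / (alpha * z + 1.0) ** beta


def net_benefit(z: float, v: float, L: float, alpha: float, beta: float) -> float:
    """Step 4: expected loss avoided by investing z, minus the cost z itself."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def optimal_investment(v: float, L: float, alpha: float, beta: float) -> float:
    """Closed-form maximiser of net_benefit for the Class I function.

    Setting d/dz net_benefit = 0 gives (alpha*z + 1)**(beta+1) = alpha*beta*v*L,
    so z* = ((alpha*beta*v*L)**(1/(beta+1)) - 1) / alpha.  When alpha*beta*v*L <= 1
    the first dollar of investment already costs more than it saves, so z* = 0.
    """
    z = ((alpha * beta * v * L) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(0.0, z)


def best_option(options: dict, v: float, L: float, alpha: float, beta: float):
    """Rank discrete spending levels (e.g. the cost of reaching each tier) by net benefit.

    Returns (name, net_benefit) of the best option; doing nothing is always a candidate.
    """
    scored = {name: net_benefit(cost, v, L, alpha, beta) for name, cost in options.items()}
    scored["Stay at current tier"] = 0.0
    name = max(scored, key=scored.get)
    return name, scored[name]


# Constructed illustration: a $1M information set with a 50% chance of breach
# as-is; alpha is chosen so that investment is measured in dollars.
ASSET_VALUE = 1_000_000.0   # L
VULNERABILITY = 0.5         # v
ALPHA, BETA = 1e-4, 1.0
TIER_COSTS = {              # hypothetical cost of reaching each CSF tier
    "Tier 2 (Risk Informed)": 20_000.0,
    "Tier 3 (Repeatable)": 60_000.0,
    "Tier 4 (Adaptive)": 150_000.0,
}

if __name__ == "__main__":
    el = expected_loss(VULNERABILITY, ASSET_VALUE)
    z_star = optimal_investment(VULNERABILITY, ASSET_VALUE, ALPHA, BETA)
    print(f"expected loss without investment: ${el:,.0f}")
    print(f"optimal investment z*: ${z_star:,.0f} "
          f"({z_star / el:.1%} of expected loss; 1/e = {1 / math.e:.1%})")
    for name, cost in TIER_COSTS.items():
        nb = net_benefit(cost, VULNERABILITY, ASSET_VALUE, ALPHA, BETA)
        print(f"{name:24s} cost ${cost:>9,.0f}  net benefit ${nb:>10,.0f}")
    print("best choice:", best_option(TIER_COSTS, VULNERABILITY, ASSET_VALUE, ALPHA, BETA)[0])
```

With these constructed numbers the expected loss is $500,000 and the closed-form optimum is about $60,711, roughly 12% of the expected loss and well under the 1/e (about 37%) ceiling that Gordon and Loeb derive for this class of function. Ranking the discrete tier costs shows the same thing the article argues: the Tier 3 option is closest to the optimum and has the highest net benefit, while the more expensive Tier 4 option avoids more loss but costs more than the extra protection is worth, so spending more is not automatically better.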


Conclusion
In conclusion, cybersecurity has been a growing priority for U.S. Presidents since President Bush, as the risks of an interconnected digital world continue to expand. Executive Orders (EOs) issued by Presidents Obama and Trump, EO 13636 and EO 13800 in particular, underscore the importance of strengthening critical infrastructure cybersecurity and of adopting the NIST Cybersecurity Framework (CSF). The CSF's Implementation Tiers give organizations a flexible way to assess and mature how they manage cybersecurity risk, and its broad adoption by both government agencies and private companies speaks to its practicality across different organizational needs. Integrating cost-benefit analysis through the Gordon–Loeb Model (GL Model) gives organizations a logical, structured way to allocate cybersecurity spending. By estimating the potential loss, the vulnerability, and the productivity of candidate investments, the GL Model lets an organization determine the level of protection it can justify, balancing risk against cost. As threats continue to evolve, the combination of the NIST CSF and the GL Model equips organizations to build adaptive, proactive cybersecurity strategies: the tiers let an organization start from a basic level of risk management and progressively mature, while the model keeps that maturation tied to the value of the information being protected. Ultimately, the continued integration of these frameworks will contribute to a more resilient digital infrastructure and help mitigate the growing risk of cyber breaches.

Article Reference Link

Lawrence A. Gordon, Martin P. Loeb and Lei Zhou, "Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model," Journal of Cybersecurity, Volume 6, Issue 1, 2020, tyaa005, https://doi.org/10.1093/cybsec/tyaa005
