Cybersecurity Cost of Quality: Managing the Costs of Cybersecurity Risk Management

There is no standard yet for measuring and controlling the costs associated with implementing cybersecurity programs. To advance research and practice towards this end, we develop a mapping using the well-known concept of quality costs and the Framework Core within the Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) in response to the Cybersecurity Enhancement Act of 2014. This mapping can be easily adopted by organizations that are already using the NIST CSF for cybersecurity risk management to plan, manage, and continually improve cybersecurity operations. If an organization is not using the NIST CSF, this mapping may still be useful for linking elements in accounting systems that are associated with cybersecurity operations and risk management to a quality cost model.
