A Methodology for Quantifying the Value of Cybersecurity Investments in the Navy

Bradley Wilson, Mark V. Arena, Lauren A. Mayer, Chad Heitzenrater, Jason Mastbaum, Kevin J. Connolly

Research, published Sep 28, 2022

RAND Corporation researchers developed and supported the implementation of a methodology to assess the value of resource options for U.S. Navy cybersecurity investments. The proposed methodology features 12 scales in two categories (impact and exploitability) that allow the Navy to score potential cybersecurity investments in the Program Objective Memorandum (POM) process. The authors include a test implementation using publicly available historical U.S. Navy data to demonstrate how the methodology facilitates valuable comparisons of potential cybersecurity investments.

When compared with existing methods used by the Navy, this methodology could improve the consistency of ratings and provide a more defined structure for thinking through the risk reduction and prioritization of different investments.

Key Findings

The challenges in developing a methodology for cybersecurity investment prioritization and decisionmaking are numerous

  • There is no silver bullet for the challenges of managing cyberattack risk (i.e., vulnerability), quantifying potential losses, and assessing the potential benefits of a particular cybersecurity investment.

A major advantage of this methodology is its simplicity

  • No complex modeling is required. The risk matrixes align with U.S. Department of Defense processes, making the methodology more approachable for analysts. The level of effort required is further reduced by the need to assess only the risk factors that are relevant to an investment.

Information security economic approaches are not directly applicable to the Navy context

  • Existing models have multiple issues that make it very challenging to apply them in the context of the Navy—not the least of which is their dependency on the monetization of loss. Ultimately, the lack of information that the Navy has at its fingertips regarding the cybersecurity state of systems and the potential impact of future and ongoing investments is a key limiting factor.
  • Although complex models offer greater potential for precision and accuracy, this comes at the expense of computational, data, and understandability needs, which are a key challenge area for the Navy.

Recommendations

  • The Navy could provide a structured data framework for recommended investments, ideally through a web portal. This would, at a minimum, enable it to compare investments more quickly and mitigate the challenges of comparing past- and future-year investments.
  • Within the data framework, the Navy should provide common fields that represent priorities and the scope of the investment. The framework could include additional fields that are useful for econometric analysis. It is critical for investment requests to include this information to increase understanding of a given investment's potential impact relative to others. Similarly, having structured, codified, and consistent priorities across investments also enables rapid comparative analysis.

Document Details

  • Availability: Available
  • Year: 2022
  • Print Format: Paperback
  • Paperback Pages: 88
  • Paperback Price: $24.00
  • Paperback ISBN/EAN: 978-1-9774-1002-3
  • DOI: https://doi.org/10.7249/RRA1356-1
  • Document Number: RR-A1356-1

Citation

RAND Style Manual

Wilson, Bradley, Mark V. Arena, Lauren A. Mayer, Chad Heitzenrater, Jason Mastbaum, and Kevin J. Connolly, A Methodology for Quantifying the Value of Cybersecurity Investments in the Navy, RAND Corporation, RR-A1356-1, 2022. As of April 8, 2025: https://www.rand.org/pubs/research_reports/RRA1356-1.html

Chicago Manual of Style

Wilson, Bradley, Mark V. Arena, Lauren A. Mayer, Chad Heitzenrater, Jason Mastbaum, and Kevin J. Connolly, A Methodology for Quantifying the Value of Cybersecurity Investments in the Navy. Santa Monica, CA: RAND Corporation, 2022. https://www.rand.org/pubs/research_reports/RRA1356-1.html. Also available in print form.

This research was sponsored by the U.S. Navy Office of the Chief of Naval Operations (OPNAV) and conducted within the Navy and Marine Forces Center of the RAND National Security Research Division (NSRD).

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.