To be presented during the 2019 International Forum on COCOMO and Systems/Software Cost Modeling, October 28th and 29th at USC…
Cybersecurity and information security dominate the news these days. As software solutions become ubiquitous and highly interconnected via networking, the internet, cloud solutions, remote computing, etc., the chance for breaches is increasing at an alarming rate.
“Since 1988’s Morris Worm, which infected 10% of the estimated 60,000 computers connected to the internet, cybersecurity has grown into an industry expected to exceed $1 trillion in global spending between 2017 and 2021. “
Cybercrime will cost the global business market an estimated average of $6 trillion annually through the same time frame .
Every entity at every level of industry and government is aware of the perils of ignoring cyber and information security threats. But organizations are asking themselves the following questions: How much security is enough? How will we know when we get there? How much will it cost? Where is the tipping point where our expenditures exceed the value added through cyber and information security initiatives? In order to answer these questions, organizations must assess their current state and begin to develop a security focused measurement system to track the progress, successes and failures of their cybersecurity investments and to effectively predict costs and benefits of future initiatives.
The savvy organization in 2019 understands that investment in cyber and information security is essential and measurement is a vitally important aspect to their cybersecurity related initiatives. Measurement will justify these investments, measure the impacts of initiatives, facilitate continuous improvement of cybersecurity security processes and practices, and create a framework to predict costs and benefits of future investments. Many of these same organizations struggle to figure out where to start down this road. According to the 2017 State of Cybersecurity Measurement Annual Report , more than half of the respondents (58%) scored a failing grade when self-evaluating their efforts to measure investments and performances against best practices. More disturbing, less than twenty percent (18%) gave themselves an A.
This paper begins with a brief discussion around cybersecurity and information security; what these concepts mean, how they are alike and different, and how they have evolved over time. Following this, the concept of measurement in the cyber and information security context will be discussed and a framework for evaluating potential metrics will be presented. Some potential cyber and information security metrics will be defined, aligned with the International Standards Organization/International Electrotechnical Committee (ISO/IEC) 27K Standards along with some thoughts on the strengths and weaknesses of those metrics. The paper will conclude with some general thoughts on the future of measurement and cost estimation in the world of cybersecurity.
 “Cybersecurity Performance: 8 Indicators”, Carnegie Mellon University Software Engineering Institute – Insider Threat Blog, March 25, 2018, available at https://insights.sei.cmu.edu/insider-threat/2018/03/cybersecurity-performance-8-indicators.html, retrieved 1/21/2019
 “The 2017
State of Cybersecurity Metrics Annual Report”, Thycotic, available at https://thycotic.com/resources/cybersecurity-metrics-report-2017/,
 based on a survey of over 400 global business and security executives