DHS grants $1.27 million for cyber-risk economics research

The Department of Homeland Security has awarded more than $1.27 million in grants to universities researching cybersecurity risk economics.

The grants — $1,045,015 to the University of California, San Diego, and $227,305 to the University of Chicago — were announced Friday as part of a DHS Science and Technology Directorate project to improve risk management and “value-based decision-making” in protecting data and critical infrastructure.

“Research in cyber risk economics is an important element in S&T’s cybersecurity portfolio,” William N. Bryan, senior official performing the duties of the under secretary for S&T, said in a statement.

Bryan said S&T hopes to improve cybersecurity practices by focusing on four key areas: investment in cybersecurity controls, the impact of investment on the severity of risks, whether there is correlation between investment and business performance, and incentives to optimize risk management in cybersecurity.

UC San Diego will reportedly spend its funding developing tools and techniques for measuring how valuable and reliable threat intelligence sources are to an organization. According to S&T, measuring a number of metrics — such as technical, comparative, operational and risk — will allow organizations to compare and rate tools.

UChicago’s portion of the grant will fund a yearlong study to develop an economic impact model for cyberattacks. After building a tool for automated data collection and analysis, the goal will be to provide “near real-time estimates of cyberattack outcomes,” according to a statement. Officials are hoping the model will create a baseline for organizations estimating the economic impacts of cyberattacks so they can support smarter investment in cybersecurity.

Erin Kenneally, program manager for the S&T initiative says this work is “difficult today because of the absence of an open source, data-driven model for understanding and characterizing harms.”