As companies seek protection from cyber attacks, justifying proper levels of investment in cyber security is essential. Like all investments, cyber defense costs must be weighed against their expected benefits. While some cyber investment models exist that can relate costs and benefits, these models are largely untested with experimental data. This research develops an experimental framework and statistics for testing and measuring the efficacy of cyber mitigation methods, such that they can be integrated into existing cyber investment models. This work surveys cyber security investment models and frameworks. Using cyber exercises as a source of attack data, types of exercises and how information is recorded was studied. A proof of concept for an experimental framework able to record statistics on cyber exercise attacks and defenses was developed. The environment is intended to resemble that of an actual cyber attack, and to collect attack and defense data in a repeatable and technology-agnostic manner. Possible future work could illuminate mathematical relationships between threat and mitigation. Statistics and procedures are proposed that are applicable to the specific proposed and similar frameworks. Such statistics could be incorporated into cyber models, ultimately leading to a more rational understanding of cyber attack and defense.
展开▼