This Small Business Innovation Research (SBIR) Phase I project addresses the challenges of risk management between businesses engaged in cyber-related business relationships. When businesses establish network or other cyber-related connections, they are sometimes poorly informed about the potential risk that they assume. Businesses typically rely on costly and time-consuming cyber security audits to inform them about the potential cyber and ensuing business risk of the relationship. The solutions that exist today are inefficient and have yet to properly address the industry's need for a reliable and inexpensive means of assessing the cyber security risk incurred through a particular business relationship. CyberAnalytix's objective is to produce a cyber security score. Businesses would use the cyber security score to inform cyber-related business decisions such as outsourcing, vendor IT relationships, and compliance. The Phase I research objective is to develop a scoring methodology that is credible, predictive, scalable and principally automatable. CyberAnalytix anticipates developing the scoring methodology as well as testing the methodology on a small set of business entities to evaluate whether the methodology and resulting score meet the prescribed objective characteristics.
Historically, credit scoring has been a cost- and time-saving technology that has provided tremendous value to lenders and borrowers alike by helping to reduce cost, predict future loan performance, and improve credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate businesses with respect to their cyber security risk. There is an opportunity to address a costly and inefficient industry pain point and have a broad economic impact. The need for cost-effective, high-quality, and reliable business cyber security scoring will continue to increase as more services are network enabled, outsourced, or accessed through the network "cloud." If this effort were to succeed, businesses would reap the same time and cost savings that lenders gain from the credit scoring services of credit bureaus. The scoring methodology will enable businesses to make better, more informed, data-driven decisions about business risk in the cyber security and broader business context.
Background
The SBIR Phase I project "Enterprise Cyber Security Scoring" addresses the challenges of risk management between businesses engaged in cyber-related business relationships. Today, when businesses establish network or cyber-related connections, they are poorly informed about the potential risk that they assume. There is a clear business need to address a costly and inefficient industry pain point surrounding business information security risk management. The Phase I research objective was to develop a scoring methodology that was credible, predictive, scalable and principally automatable. The project also required testing the methodology on a small set of businesses to evaluate whether or not the methodology and resulting rating would meet the prescribed objective characteristics.
Results
CyberAnalytix has successfully implemented and tested a rating methodology and was able to produce information security ratings for enterprises. The methodology was used to rate various businesses and network operators and was validated against internal ratings and industry benchmarks of security performance. Although the Phase I project was successful in making substantial progress toward the research objectives, additional research, development, and testing are still required. Follow-on research and development for the rating methodology has been proposed as part of a National Science Foundation Phase II SBIR award and is pending approval.