Carnegie Mellon University

Cross-Sector Cybersecurity Performance Goals: Impact

journal contribution
posted on 2023-10-20, 14:33 authored by Evan Grau, Logan Mullen, Hannah Burrows, Anna Stancofski

This paper proposes a methodology for calculating impact scores for CISA's Cross-Sector Cybersecurity Performance Goals (CPGs). It begins by defining impact and then describes our method for calculating impact scores, which is composed of three parts: the cost of damages from the risk the CPG addresses, the extent to which the solution proposed by the CPG mitigates that risk, and the frequency with which that risk occurs. Each of the three criteria is scored on a scale from 0 to 5, giving each CPG a total score between 0 and 15. A CPG's impact is rated low, medium, or high according to whether its total score falls in the range 0-5, 6-10, or 11-15, respectively; the rubric for assigning a 0-5 score to each component is given in our outline. We then examine five CPGs in depth, one from each of the five NIST CSF functions: Asset Inventory (Identify), Changing Default Passwords (Protect), Detecting Relevant Threats and TTPs (Detect), Vulnerability Disclosure/Reporting (Respond), and Incident Planning and Preparedness (Recover). For each CPG we use our method to calculate an impact score for four companies (Microsoft, Amazon, Ronin, and Rockstar Games), and we compare our calculated scores with those published by CISA, treating agreement as corroboration of our method and defending our reasoning where the scores differ. Finally, we discuss areas for future research and improvement, acknowledging that our calculation method is generalized: because business and organizational contexts vary, so too will the impact of implementing each CPG.

History

Date

2023-07-28