This report describes the initial results of a research project to
develop a transparent estimation method. This method leads to greater
confidence in and improved ranges for estimates of potential cyber loss
magnitude. The project team refined the Cybersecurity &
Infrastructure Security Agency, Office of the Chief Economist (CISA OCE)
Business Impact Analysis (BIA) method to support this estimation
approach, including identifying factors and forming questions to ask
stakeholders to elicit input for the loss magnitude estimation process.
The project team also characterized the context for using factor tree
analysis to produce an executable model in support of the refined BIA
method, so that the method can be applied to future cybersecurity assessments.
Publisher Statement
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.
Copyright Statement
Copyright 2020 Carnegie Mellon University.

This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.