Quantifying Complexity: Cybersecurity Performance Goals Analysis
Small and medium-sized companies struggle to execute secure business practices because of limited resources and inadequate expertise in the cybersecurity industry. The United States Small Business Administration reports that in 2020, “there were over 700 thousand attacks against small businesses, with damages totaling 2.8 billion dollars and the numbers continue to rise every year” [17]. Insufficient resources leave them ill-equipped to identify and rectify vulnerabilities within their systems, rendering them vulnerable targets for cybercriminals. The Cybersecurity and Infrastructure Security Agency (CISA) notes that “small organizations face difficulties in identifying where to invest for the greatest impact to their cybersecurity posture and specific guidance on how to effectively implement cybersecurity protections” [7]. This paper analyzes and evaluates the Cybersecurity Performance Goals (CPGs) to provide insight into how small and medium-sized companies can implement these goals in their organizations. By taking an in-depth look at how CISA has rated the complexity of each CPG, we recommend, explain, and describe why each of the goals should be defined as low, medium, or high complexity through the CISA CPG checklist. Our purpose in evaluating the complexity of each CPG is to inform companies on how to protect organizational assets to further advance the growth of the American economy.