
Institute for Information Infrastructure Protection researchers to investigate the business rationale for cyber security

Dartmouth College Office of Public Affairs • Press Release
Posted 05/16/05 • Contact Office of Public Affairs (603) 646-3661

The Institute for Information Infrastructure Protection (I3P) at Dartmouth College launched a $3 million research program today that will help quantify the costs of cyber attacks and measure the effectiveness of current security tools and policies.


The I3P is a research consortium funded by the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST). It is managed by Dartmouth and was established to address security issues facing the U.S. information infrastructure.

"The research program brings together a multi-institutional team to quantify the economic impact of security failures in information infrastructure at the national, the company and the technology levels," said Martin Wybourne, Vice Provost for Research at Dartmouth and Chair of the I3P. "Data and analysis developed during the program will help provide information that decision makers in industry and government need to make effective security choices."

The research team, which consists of five I3P member institutions, will work to understand how the information security marketplace functions and determine which market and policy mechanisms would be most effective in promoting security at all levels of the information infrastructure. The research team is led by the RAND Corporation and also includes senior scientists from George Mason University's Critical Infrastructure Protection Program, the Massachusetts Institute of Technology's Lincoln Laboratory, the University of Virginia and Dartmouth's Tuck School of Business.

"Not much credible data in this area currently exists," said Shari Lawrence Pfleeger, senior information scientist at RAND and the project team's leader. "By collaborating closely with industry and the government, we will gather data and develop models to gain a more accurate understanding of security investments, strategies and policies. The results of this project can be used to make informed real-world security decisions, thereby helping make the United States and companies operating in the United States safer."

The work will be broken into three distinct, but interconnected, threads to examine the economic aspects of cyber security at the national, corporate and technology levels. At the national level, security experts will analyze the impact of cyber security failures and related defense strategies on the U.S. economy, and assess the ripple effects on other critical infrastructures. At the enterprise or corporate level, the research team will study how companies make cyber security decisions, how they invest in security, and how they perceive risk in the supply chain. At the technology level, researchers will analyze vulnerabilities in Internet infrastructure components, such as the domain name system (DNS) or the border gateway protocol (BGP), and develop models to calculate the costs and benefits of security measures to address these flaws.

According to Pfleeger, new software vulnerabilities are uncovered daily. However, making informed security decisions about how to address them is problematic; lack of data and analysis makes it difficult to determine the costs and benefits of different security options. Existing cost assessments for viruses or other cyber attacks are questionable and, in most cases, come from convenience surveys or from security firms or consultants with products or services to sell. Furthermore, cyber security risk assessments often cover only a company's own networks; they don't travel down the supply chain or through the Internet's core infrastructure.

Douglas Maughan, I3P's program manager at DHS's Science and Technology Directorate, said, "Close cooperation between industry, academia and government for this project will help companies better understand the costs of cyber attacks, and enable them to make a business case for investing in holistic security programs that include the right mix of policies and technology. This analysis will also help guide government research programs going forward."

M. Eric Johnson, a professor of operations management at Dartmouth's Tuck School, the Director of the Glassmeyer/McNamee Center for Digital Strategies and one of the principal investigators on this project, said, "It is currently almost impossible to quantify the cost and benefits of information security. A better understanding of the return on security investments will lead to better business decisions and increase U.S. competitiveness."

About the I3P  

The Institute for Information Infrastructure Protection (I3P) is a national research consortium of universities, federally-funded labs and non-profit organizations, which is managed by Dartmouth College. The I3P functions as a virtual national lab, bringing together experts from around the country to identify pressing problems and develop innovative approaches and technologies to help protect the U.S. information infrastructure.
