
Vox of Dartmouth, the College's newspaper for faculty and staff, ceased publication in February 2010.

The price of vulnerability

I3P team studies cost of cyber attacks, assesses security measures

The Institute for Information Infrastructure Protection (I3P) at Dartmouth launched a $3 million research program on May 16 that will help quantify the costs of cyber attacks and measure the effectiveness of current security tools and policies.

The I3P is a research consortium funded by the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST). It is managed by Dartmouth College and was established to address security issues facing the U.S. information infrastructure.

Martin Wybourne, left, and M. Eric Johnson are developing models for accurate assessment of cyber security risks. (photo by Joseph Mehling '69)

"The research program brings together a multi-institutional team to quantify the economic impact of security failures in information infrastructure at the national, the company and the technology levels," said Martin Wybourne, Vice Provost for Research at Dartmouth and Chair of the I3P. "Data and analysis developed during the program will help provide information that decision makers in industry and government need to make effective security choices."

The research team, which consists of five I3P member institutions, will work to understand how the information security marketplace functions and determine which market and policy mechanisms would be most effective in promoting security at all levels of the information infrastructure. The team is led by the RAND Corporation and also includes senior scientists from George Mason University's Critical Infrastructure Protection Program, MIT Lincoln Laboratory, the University of Virginia and Dartmouth's Tuck School of Business.

M. Eric Johnson, Professor of Operations Management at the Tuck School, Director of the Glassmeyer/McNamee Center for Digital Strategies and one of the principal investigators on this project, said, "It is currently almost impossible to quantify the cost and benefits of information security. A better understanding of the return on security investments will lead to better business decisions and increase U.S. competitiveness."

"Not much credible data in this area currently exists," said Shari Lawrence Pfleeger, Senior Information Scientist at RAND and the project team's leader. "By collaborating closely with industry and the government, we will gather data and develop models to gain a more accurate understanding of security investments, strategies and policies. The results of this project can be used to make informed real-world security decisions, thereby helping make the United States and companies operating in the United States safer."

The work will be broken into three distinct, but interconnected, threads to examine the economic aspects of cyber security at the national, corporate and technology levels. At the national level, security experts will analyze the impact of cyber security failures and related defense strategies on the U.S. economy, and assess the ripple effects on other critical infrastructures. At the enterprise or corporate level, the research team will study how companies make cyber security decisions, how they invest in security and how they perceive risk in the supply chain. At the technology level, researchers will analyze vulnerabilities in Internet infrastructure components, such as the domain name system (DNS) or the border gateway protocol (BGP), and develop models to calculate the costs and benefits of security measures to address these flaws.

According to Pfleeger, new software vulnerabilities are uncovered daily. However, making informed security decisions about how to address them is problematic; lack of data and analysis makes it difficult to determine the costs and benefits of different security options. Existing cost assessments for viruses or other cyber attacks are questionable and, in most cases, come from convenience surveys or from security firms or consultants with products or services to sell. Furthermore, cyber security risk assessments often cover only a company's own networks; they don't travel down the supply chain or through the Internet's core infrastructure.

Douglas Maughan, I3P Program Manager at DHS's Science and Technology Directorate, said, "Close cooperation between industry, academia and government for this project will help companies better understand the costs of cyber attacks, and enable them to make a business case for investing in holistic security programs that include the right mix of policies and technology. This analysis will also help guide government research programs going forward."


Last Updated: 12/17/08