Determining a Return on Investment for Cybersecurity Technologies in Networked Critical Infrastructures.

Much of modern life is dependent on networked critical infrastructure systems—many known to be susceptible to cyberattacks—such as the electrical grid, water purification, and transportation systems. The consequences of a successful cyberattack on these systems could be catastrophic. Appropriate levels and strategies for cybersecurity investment for networked critical infrastructures present a serious challenge that administering organizations, whether public or private, must overcome in order to provide resilient services. This challenge includes understanding the actual vulnerabilities of an organization's networked systems, as well as the cost of a successful cyberattack on those systems. On top of this, an organization's cybersecurity acquisition workforce must be able to discern reality from the marketing hype that is produced by cybersecurity sales forces. Many product offerings from industry promise to secure critical infrastructures, but there is no good method for determining which product (or combination of products) is most effective for a specific environment or scenario. This paper presents a return on cybersecurity investment (ROCI) model utilized, together with a previously-developed framework for evaluating cybersecurity technologies, by the resilient critical infrastructures through secure and efficient microgrids (ReCIst) capability. ReCIst uses this model to guide decision makers on how to best implement cybersecurity towards energy resiliency, from financial, security posture, and energy efficiency perspectives. Challenges and the current state of cyber investment modeling in this domain are presented along with technical details on ReCIst's ROCI model and future work.