By: Lawrence A. Gordon, Ph.D., Martin P. Loeb, Ph.D., William Lucyshyn, Lei Zhou
The underlying objective of the research project described in this Final Report (hereafter referred to as the Report) was to understand more fully the challenges associated with making cybersecurity investments in the private sector, and to recommend policies for facilitating the appropriate level of such investments. Particular emphasis was given to those firms that own and/or operate assets critical to the national infrastructure. As discussed in Section I of the Report, we began by developing a conceptual/analytical framework for making cybersecurity investments. The rationale for such a framework is that cybersecurity investments compete with the other investment opportunities available to firms, and therefore need to be justified by showing that their benefits exceed their costs (i.e., in the private sector, a cybersecurity investment is ultimately a business decision). This means that companies in the private sector must be able to “make the business case” for investing in cybersecurity activities in a manner that is consistent with the way they evaluate other investment decisions.