By The National Institute of Standards and Technology (NIST) and RTI International
U.S. industries spend billions of dollars each year securing their information technology (IT) assets. Yet they still suffer significant economic losses from staff downtime and time spent on issue resolution, delayed shipments or reduced product quality, changes in public perception, and legal and regulatory consequences. Some organizations do not have the technical ability or capacity to address attacks. Other organizations, with very complex communications infrastructures, invest in cybersecurity more in response to attacks or breaches rather than by acting proactively.
The possibility of catastrophic attacks, such as one on the U.S. electricity grid or financial system, looms. In 2010, sophisticated attacks included the Stuxnet attack on Iranian nuclear facilities, the Night Dragon attack that infiltrated five large U.S. energy companies, and the Operation Aurora attack on companies such as Google.
The National Institute for Standards and Technology (NIST) commissioned RTI International, a not-for-profit research institute, to conduct an economic analysis of the cybersecurity technology infrastructure needs of U.S. industries. The objective of this study is to identify which gaps in the cybersecurity technology infrastructure impose the largest costs on the U.S. economy and to quantify those costs.
To identify and quantify these technology gaps, three overarching estimates are being calculated:
1. current expenditures on the cybersecurity technology infrastructure
2. current cybersecurity spending by industry on both proactive and reactive solutions, as well as anticipated future cybersecurity spending (without an improved cybersecurity infrastructure) resulting from increased use of applications such as cloud computing, social networking, and mobile-based computing
3. potential economic benefits—cost savings or quality improvements—that could result from specific improvements in the cybersecurity technology infrastructure
RTI used case studies to identify a set of specific cybersecurity technology infrastructure gaps that, if filled, would have the greatest potential to reduce current spending and losses.
During December 2011 and January 2012, NIST and RTI are asking IT security managers around the world to participate in a 15-minute survey. Respondents taking the survey will help both the public and private sectors identify inadequacies in the technology-based cybersecurity infrastructure and quantify the economic benefits of improvements in these areas. Survey results will be used to estimate the national economic impact of specific improvements, which then could be made to the cybersecurity infrastructure.