TY - BOOK
ID - 138573968
TI - Measuring Cybersecurity and Cyber Resiliency
AU - Snyder, Don
AU - Fox, Bernard
AU - Genc, Suzanne
AU - Hura, Myron
AU - Mayer, Lauren A.
AU - Tarraf, Danielle C.
AU - Weichenberg, Guy
AU - Welburn, Jonathan W.
PY - 2020
PB - Santa Monica, Calif. RAND Corporation
DB - UniCat
UR - https://www.unicat.be/uniCat?func=search&query=sysid:138573968
AB - This report presents a framework for the development of metrics—and a method for scoring them—that indicates how well a U.S. Air Force mission or system is expected to perform in a cyber-contested environment. These metrics are developed so as to be suitable for informing acquisition decisions during all stages of weapon systems' life cycles. There are two types of cyber metrics: working-level metrics to counter an adversary's cyber operations and institutional-level metrics to capture any cyber-related organizational deficiencies. The cyber environment is dynamic and complex, the threat is ubiquitous (in peacetime and wartime, deployed and at home), and no set of underlying "laws of nature" govern the cyber realm. A fruitful approach is to define cyber metrics in the context of a two-player cyber game between Red (the attacking side) and Blue (the side trying to ensure a mission). The framework helps, in part, to reveal where strengths in one area might partially offset weaknesses in another. Additional discussions focus on how those metrics can be scored in ways that are useful for supporting decisions. The metrics are aimed at supporting program offices and authorizing officials in risk management and in defining requirements, both operational requirements as well as the more detailed requirements for system design used in contracts, the latter often referred to as derived requirements.
ER -