Software Engineering Institute

Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution

September 16, 2015 • Technical Report

By

Douglas Gray, Julia H. Allen, C. Aaron Cois, Anne Connell, Erik Ebel (Veris Group), William Gulley (Veris Group), Michael Riley (Veris Group), Robert W. Stoddard, Marie Vaughn (Veris Group), and Brian D. Wisniewski

This technical report focuses on cybersecurity at the indirect, strategic level. It discusses how cybersecurity decision makers at the tactical or implementation level can establish a supportive contextual environment to help enable their success.

Publisher

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2015-TR-011

DOI (Digital Object Identifier)

10.1184/R1/6574238.v1

Subjects

Cybersecurity Engineering Governance

Abstract

Although efforts are underway through Information Security Continuous Monitoring initiatives to improve situational awareness and risk mitigation at the operational level, the federal government must make better enterprise-level cybersecurity decisions in the shortest time possible. This report outlines an approach called Data Driven Cybersecurity Governance Decision Making. This approach leverages the Observe, Orient, Decide, Act (OODA) loop used by the U.S. Department of Defense to enable decision makers at the strategic levels of government to best set the conditions for success at the point of execution. To best target the unique considerations of enterprise decision makers, this report discusses the difference between cybersecurity governance and cybersecurity operations. Within this context, it describes best practices in collecting and analyzing authoritative data present in the federal space to develop a level of situational awareness tailored to decision makers’ needs in a cybersecurity governance scorecard. Cybersecurity governance decision makers can leverage this enhanced situational awareness to support a data-driven decision-making process that targets root causes of the problems facing the federal government enterprise. Finally, the report discusses key considerations to ensure success at the point of execution based on work performed in the Observe, Orient, and Decide phases of the OODA Loop.

Cite This Technical Report

APA

Gray, D., Allen, J., Cois, C., Connell, A., Ebel, E., Gulley, W., Riley, M., Stoddard, R., Vaughn, M., & Wisniewski, B. (2015, September 16). Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution. (Technical Report CMU/SEI-2015-TR-011). Retrieved April 19, 2024, from https://doi.org/10.1184/R1/6574238.v1.

BibTeX

@techreport{gray_2015,
author={Gray, Doug and Allen, Julia and Cois, C. Aaron and Connell, Anne and Ebel, Erik and Gulley, William and Riley, Michael and Stoddard, Robert and Vaughn, Marie and Wisniewski, Brian},
title={Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution},
month={Sep},
year={2015},
number={CMU/SEI-2015-TR-011},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6574238.v1},
note={Accessed: 2024-Apr-19}
}

CHI

Gray, Doug, Julia Allen, C. Aaron Cois, Anne Connell, Erik Ebel, William Gulley, Michael Riley, Robert Stoddard, Marie Vaughn, and Brian Wisniewski. "Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution." (CMU/SEI-2015-TR-011). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, September 16, 2015. https://doi.org/10.1184/R1/6574238.v1.

IEEE

D. Gray, J. Allen, C. Cois, A. Connell, E. Ebel, W. Gulley, M. Riley, R. Stoddard, M. Vaughn, and B. Wisniewski, "Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2015-TR-011, 16-Sep-2015 [Online]. Available: https://doi.org/10.1184/R1/6574238.v1. [Accessed: 19-Apr-2024].

MLA

Gray, Doug, Julia Allen, C. Aaron Cois, Anne Connell, Erik Ebel, William Gulley, Michael Riley, Robert Stoddard, Marie Vaughn, and Brian Wisniewski. "Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution." (Technical Report CMU/SEI-2015-TR-011). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 16 Sep. 2015. https://doi.org/10.1184/R1/6574238.v1. Accessed 19 Apr. 2024.

SEI

Gray, Doug; Allen, Julia; Cois, C. Aaron; Connell, Anne; Ebel, Erik; Gulley, William; Riley, Michael; Stoddard, Robert; Vaughn, Marie; & Wisniewski, Brian. Improving Federal Cybersecurity Governance Through Data-Driven Decision Making and Execution. CMU/SEI-2015-TR-011. Software Engineering Institute. 2015. https://doi.org/10.1184/R1/6574238.v1

Ask a question about this Technical Report