Loss Magnitude Estimation in Support of Business Impact Analysis
December 2020 • Technical Report
Daniel J. Kambic, Andrew P. Moore, David Tobar, Brett Tucker
The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.
Publisher: Software Engineering Institute
CMU/SEI Report Number: CMU/SEI-2020-TR-008
DOI (Digital Object Identifier): 10.1184/R1/13042955
Abstract
This report describes the initial results of a research project to develop a transparent estimation method. This method leads to greater confidence in and improved ranges for estimates of potential cyber loss magnitude. The project team refined the Cybersecurity & Infrastructure Security Agency, Office of the Chief Economist (CISA OCE) Business Impact Analysis (BIA) method to support this estimation approach, including identifying factors and forming questions to ask stakeholders to elicit input for the loss magnitude estimation process. The project team also characterized the context for using factor tree analysis to produce an executable model in support of the refined BIA method since it can be applied to future cybersecurity assessments.