Loss Magnitude Estimation in Support of Business Impact Analysis

December 2020 • Technical Report

Daniel J. Kambic, Andrew P. Moore, David Tobar, Brett Tucker

The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2020-TR-008

Subjects

Cyber Risk and Resilience ManagementCyber Risk and Resilience Management

Abstract

This report describes the initial results of a research project to develop a transparent estimation method. This method leads to greater confidence in and improved ranges for estimates of potential cyber loss magnitude. The project team refined the Cybersecurity & Infrastructure Security Agency, Office of the Chief Economist (CISA OCE) Business Impact Analysis (BIA) method to support this estimation approach, including identifying factors and forming questions to ask stakeholders to elicit input for the loss magnitude estimation process. The project team also characterized the context for using factor tree analysis to produce an executable model in support of the refined BIA method since it can be applied to future cybersecurity assessments.

Download PDF

Cite This Report

SEI

Kambic, Daniel; Moore, Andrew; Tobar, David; & Tucker, Brett. Loss Magnitude Estimation in Support of Business Impact Analysis. CMU/SEI-2020-TR-008. Software Engineering Institute, Carnegie Mellon University. 2020. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=650828

IEEE

Kambic. Daniel, Moore. Andrew, Tobar. David, and Tucker. Brett, "Loss Magnitude Estimation in Support of Business Impact Analysis," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2020-TR-008, 2020. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=650828

APA

Kambic, Daniel., Moore, Andrew., Tobar, David., & Tucker, Brett. (2020). Loss Magnitude Estimation in Support of Business Impact Analysis (CMU/SEI-2020-TR-008). Retrieved January 23, 2021, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=650828

CHI

Daniel Kambic, Andrew Moore, David Tobar, & Brett Tucker. Loss Magnitude Estimation in Support of Business Impact Analysis (CMU/SEI-2020-TR-008). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2020. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=650828

MLA

Kambic, Daniel., Moore, Andrew., Tobar, David., & Tucker, Brett. 2020. Loss Magnitude Estimation in Support of Business Impact Analysis (Technical Report CMU/SEI-2020-TR-008). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=650828

BibTex

@techreport{KambicLossMagnitude2020,
title={Loss Magnitude Estimation in Support of Business Impact Analysis},
author={Daniel Kambic and Andrew Moore and David Tobar and Brett Tucker},
year={2020},
number={CMU/SEI-2020-TR-008},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=650828} }

Ask a question about this Technical Report

Software Engineering Institute