
Loss Magnitude Estimation in Support of Business Impact Analysis

December 2020 Technical Report
Daniel J. Kambic, Andrew P. Moore, David Tobar, Brett Tucker

The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.

Publisher: Software Engineering Institute

CMU/SEI Report Number: CMU/SEI-2020-TR-008

DOI (Digital Object Identifier): 10.1184/R1/13042955

Abstract

This report describes the initial results of a research project to develop a transparent estimation method. This method leads to greater confidence in and improved ranges for estimates of potential cyber loss magnitude. The project team refined the Cybersecurity & Infrastructure Security Agency, Office of the Chief Economist (CISA OCE) Business Impact Analysis (BIA) method to support this estimation approach, including identifying factors and forming questions to ask stakeholders to elicit input for the loss magnitude estimation process. The project team also characterized the context for using factor tree analysis to produce an executable model in support of the refined BIA method since it can be applied to future cybersecurity assessments.