Columbia International Affairs Online: Working Papers

CIAO DATE: 09/2014

Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity

Julie M. Anderson, Karen S. Evans, Franklin S. Reeder, Meghan M. Wareham

March 2013

The National Academy of Public Administration

Abstract

SafeGov has developed a framework to spur the creation of a more effective approach to cybersecurity evaluation. As part of its strategy for developing this framework, SafeGov engaged the National Academy of Public Administration to convene an expert Panel of its Fellows to conduct an independent review. Based on its review, the Academy Panel believes that the cybersecurity evaluation framework developed by SafeGov in this report is an important step toward building a more dynamic, risk-based approach that will yield more robust protection from cyber threats across the government.

A key strength of this approach lies in the tools it suggests to IGs and agency management to ground their assessments and decision-making in common standards and methodologies. If implemented, this tools-based approach will help enable consistently higher levels of protection across the government, while allowing flexibility in its application to the diverse circumstances of federal departments, agencies and programs. Further, the Panel believes that the success of this new approach will require additional outreach to stakeholders to refine and build support for the framework, as well as a strategy to address significant administrative challenges.