Description:
Organizations throughout the American economy and government are faced with designing and then
operating cybersecurity risk management in a complicated and dynamic environment. They have been provided
with a useful starting point, a cybersecurity risk management framework, developed by NIST,
supported by DHS, and filled out in some detail by different critical infrastructure sectors and
organizations. But sustaining risk management operations is more difficult, as organizations must
somehow blend a great deal of technical input (vulnerability reports, incident reports, threat
analysis, technical guidance, etc.) with their own organizational experience. The cybersecurity
“knowledge management” challenge is significant for any particular organization, regardless of size
or critical infrastructure domain.
Additionally, several million organizations and companies across the country are faced with this
challenge, continuously. Most information sharing systems assume that these many organizations and
companies should report their cybersecurity experiences vertically to commercial and governmental
centers, which are to synthesize these various reports and report back analytical insight. But
what does not yet exist is a peer-to-peer version of this reporting activity, where an organization
can directly leverage related experiences of thousands of organizations and companies, through a
tool that can capture and report their own experiences and connect them with comparable experience
of other organizations and companies, to better help them understand and manage their cybersecurity
risk.
The end product of this effort should address capabilities such as:
• Key internal risk assessment elements
• The time/dynamics of internal risk assessment elements
• Outside context for these assessments (vulnerabilities, operating data, etc.)
• Multiple information sharing mechanisms (one to one, one to many, collaboration drafts, etc.)
The key requirement is that this tool must be able to support an enterprise's consideration of
cybersecurity risk by bringing into the process valuable insight from other enterprises' consideration of risk.