QUANTIFYING THE RISK MANAGEMENT FRAMEWORK
Authors
Heier, Mark I.
Morales, Angel J.
Subjects
Risk Management Framework
RMF
National Institute of Standards and Technology
NIST
qualitative
quantitative
cyber security
information systems security
cyber resiliency
risk
Advisors
Boger, Dan C.
Miller, Scot A.
Date of Issue
2020-06
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
For the past thirty-five years, the DOD/DON have worked diligently to address the exponentially increasing challenges that cyber security presents. While the current Risk Management Framework (RMF) approach improves upon its predecessors, it is once again in need of an overhaul. Derived from National Institute of Standards and Technology (NIST) and DOD directives, the DON’s RMF process blindly inherited the ambiguity necessary for larger governing organizations, failing to tailor the RMF to specific Navy organizational needs and practices. The DON RMF is highly qualitative and lacks standardized definitions, measurements, metrics, and a risk assessment methodology. The qualitative approach of the current RMF is further complicated by the bias, heuristics, groupthink, inconsistency, overconfidence, and overestimation that ensue from the subjective inputs manifested throughout the DON RMF. The DON needs a more quantitative RMF consisting of standardized definitions, measurements, metrics, and better training to ensure risk is being measured and mitigated appropriately. These improvements would continuously provide feedback for process improvement, leading to increased cybersecurity and resiliency of naval networks.
Type
Thesis
Department
Information Sciences (IS)
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.