Sovereign Credit Rating Processes Adapted to Critical Infrastructure Cyber Risk Assessment
- Sandia National Laboratories (SNL-CA), Livermore, CA (United States)
- Sandia National Laboratories (SNL-NM), Albuquerque, NM (United States)
- Zeichner Risk Analytics, Arlington, VA (United States)
United States critical infrastructure entities are increasingly targeted by motivated and capable threat actors and must be prepared to assess and treat a diverse range of cyber risks. This necessitates some form of analytical process to evaluate risks and inform cyber security investment decisions. A potential solution for structuring cyber risk evaluation exists within the field of sovereign credit ratings – where agencies employ mature approaches that integrate quantitative and qualitative data to produce a singular value of assessment. Adapting such approaches, we present a novel criterion and methodology for measuring and communicating the likelihood element of cyber risk. The methodology is composed of three sequential phases: a quantitative baseline organized by distinct capability frames, a bounded qualitative adjustment per frame, and a greater-bounded qualitative adjustment spanning the entire process. The process culminates in publication of a cyber capability rating that communicates a critical infrastructure entity’s ability and willingness to mitigate discontinuous function due to cyberattack.
- Research Organization: Sandia National Laboratories (SNL-CA), Livermore, CA (United States)
- Sponsoring Organization: US Department of Homeland Security (DHS); USDOE National Nuclear Security Administration (NNSA)
- DOE Contract Number: NA0003525
- OSTI ID: 2999456
- Report Number(s): SAND--2024-08939; 1747723
- Country of Publication: United States
- Language: English