Integrating cost–benefit analysis into the NIST Cybersecurity Framework via the Gordon–Loeb Model
Journal of Cybersecurity, published 2020-03-30, DOI: 10.1093/cybsec/tyaa005
Lawrence A. Gordon, Martin P. Loeb, Lei Zhou
Abstract
The National Institute of Standards and Technology (NIST) Cybersecurity Framework has rapidly become a widely accepted approach to facilitating cybersecurity risk management within organizations. An insightful aspect of the NIST Cybersecurity Framework is its explicit recognition that the activities associated with managing cybersecurity risk are organization specific. The NIST Framework also recognizes that organizations should evaluate their cybersecurity risk management on a cost–benefit basis. The NIST Framework, however, does not provide guidance on how to carry out such a cost–benefit analysis. This article provides an approach for integrating cost–benefit analysis into the NIST Cybersecurity Framework. The Gordon–Loeb (GL) Model for cybersecurity investments is proposed as a basis for deriving a cost-effective level of spending on cybersecurity activities and for selecting the appropriate NIST Implementation Tier level. The analysis shows that the GL Model provides a logical approach to use when considering the cost–benefit aspects of cybersecurity investments during an organization’s process of selecting the most appropriate NIST Implementation Tier level. In addition, the cost–benefit approach provided in this article helps to identify conditions under which there is an incentive to move to a higher NIST Implementation Tier.
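The abstract refers to the Gordon–Loeb Model without reproducing it. The Python example below is added here by the editor and is not code from the paper or its authors. It uses the class-I security breach probability function from Gordon and Loeb (2002), S(z, v) = v / (αz + 1)^β, where v is the vulnerability (probability of a breach with no investment), L is the potential loss, z is the cybersecurity investment and α, β are positive parameters, and the expected net benefit ENBIS(z) = [v − S(z, v)]L − z. It derives the cost-effective spending level z*, checks it against the GL bound of (1/e)·vL, and then scores a set of spending levels standing in for NIST Implementation Tiers. All parameter values, and the mapping of tiers to spending levels, are constructed for illustration and are not figures from the paper.

```python
import math

# Class-I Gordon-Loeb security breach probability function (Gordon & Loeb, 2002):
#   S(z, v) = v / (alpha*z + 1)**beta
# z     = investment in cybersecurity (monetary units)
# v     = vulnerability: probability of a breach with no investment (0 < v < 1)
# alpha = productivity of investment (alpha > 0), beta = curvature (beta >= 1)
def breach_probability(z, v, alpha, beta):
    return v / (alpha * z + 1) ** beta


def expected_net_benefit(z, v, L, alpha, beta):
    """ENBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus the investment."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def optimal_investment(v, L, alpha, beta):
    """Closed-form z* for the class-I function.

    Setting d/dz ENBIS(z) = v*alpha*beta*L / (alpha*z + 1)**(beta + 1) - 1 = 0 gives
    (alpha*z + 1)**(beta + 1) = v*alpha*beta*L, i.e.
    z* = ((v*alpha*beta*L)**(1/(beta + 1)) - 1) / alpha, floored at zero
    (if the marginal benefit at z = 0 is already below 1, investing nothing is optimal).
    """
    z_star = ((v * alpha * beta * L) ** (1.0 / (beta + 1)) - 1.0) / alpha
    return max(z_star, 0.0)


def gordon_loeb_cap(v, L):
    """GL upper bound: z* never exceeds (1/e) * v * L, about 37% of the expected loss."""
    return v * L / math.e


def best_tier(tier_spend, v, L, alpha, beta):
    """Pick the tier whose spending level maximizes ENBIS.

    tier_spend maps a NIST Implementation Tier number to the annual spend assumed
    necessary to operate at that tier. That mapping is an assumption of this example,
    not a figure from the paper. Returns (tier, ENBIS at that tier).
    """
    scored = {tier: expected_net_benefit(z, v, L, alpha, beta)
              for tier, z in tier_spend.items()}
    tier = max(scored, key=scored.get)
    return tier, scored[tier]


if __name__ == "__main__":
    # Constructed inputs: 60% chance of a breach with no spend, potential loss of 10M,
    # alpha chosen so that 100k of spend halves the breach probability (beta = 1).
    v, L, alpha, beta = 0.6, 10_000_000.0, 1e-5, 1.0
    z_star = optimal_investment(v, L, alpha, beta)
    print(f"z* = {z_star:,.0f}  (GL cap {gordon_loeb_cap(v, L):,.0f})")
    print(f"ENBIS(z*) = {expected_net_benefit(z_star, v, L, alpha, beta):,.0f}")

    # Constructed spend levels for the four Implementation Tiers (Partial .. Adaptive).
    tiers = {1: 100_000.0, 2: 400_000.0, 3: 800_000.0, 4: 1_500_000.0}
    for t, z in tiers.items():
        enbis = expected_net_benefit(z, v, L, alpha, beta)
        print(f"Tier {t}: spend {z:>11,.0f}  ENBIS {enbis:>12,.0f}")
    print("best tier:", best_tier(tiers, v, L, alpha, beta)[0])
```

With these constructed numbers z* is about 675k, well under the 2.2M cap, and the tier scoring shows the point the abstract makes about incentives: moving from Tier 2 to Tier 3 raises net benefit, but moving on to Tier 4 lowers it, because the extra spend buys less avoided loss than it costs.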


Updated: 2020-03-30