H-SB019.1-006 - Cybersecurity Peer-to-Peer Knowledge/Lessons Learned Tool
Organizations throughout the American economy and government are faced with designing and then operating cybersecurity risk management, in a complicated and dynamic environment. They have been provided with a useful starting point, a cybersecurity risk management framework, developed by NIST, supported by DHS, and filled out in some detail by different critical infrastructure sectors and organizations. But sustaining risk management operations is more difficult, as organizations must somehow blend a great deal of technical input (vulnerability reports, incident reports, threat analysis, technical guidance, etc.) with their own organizational experience. The cybersecurity "knowledge management" challenge is significant for any particular organization, regardless of size or critical infrastructure domain.
Additionally, several million organizations and companies across the country are faced with this challenge, continuously. Most information sharing systems assume that these many organizations and companies should report their cybersecurity experiences vertically to commercial and governmental centers, which are to synthesize these various reports and report back analytical insight. But what does not yet exist is a peer-to-peer version of this reporting activity, where an organization can directly leverage related experiences of thousands of organizations and companies, through a tool that can capture and report their own experiences and connect them with comparable experience of other organizations and companies, to better help them understand and manage their cybersecurity risk.
The end product of this effort should address capabilities such as:
- Key internal risk assessment elements
- The time/dynamics of internal risk assessment elements
- Outside context for these assessments (vulnerabilities, operating data, etc.)
- Multiple information sharing mechanisms (one to one, one to many, collaboration drafts, etc.)
The key requirement is that this tool must be able to support enterprise consideration of cybersecurity risk by bringing into the process valuable insight from other enterprises' consideration of risk.