全球智库信息集成服务系统

Making the Data Manageable Is Crucial

• Analyzing this issue with a brute force approach is impractical because of the sheer number of permutations to assess and the constantly evolving nature of the information systems, vulnerabilities, and threats.
• The Air Force counts 25 combat support functional communities, many of which have numerous subfunctions, and the sum of the functions are supported by hundreds of information systems.
• There are numerous ways in which a cyber attack can occur and a variety of impacts that might result. These include denial-of-service attacks from outside a firewall, manipulating data from within a firewall, interrupting communications, taking control of a system, and others.
• Analyzing every possible attack on all systems and assessing the impact to both combat support and operations would be impractical. Even if it were done, the results from such an analysis would be obsolete before completion.

A Sequential Process Prioritizes Those Programs Most in Need of Mitigation

• RAND researchers developed a sequential process for identifying those functions and information systems most likely to be problematic for the operational mission during cyber attacks.
• The approach finds the functions and information systems that are simultaneously the most critical to the mission — those that cause repercussions to the operational mission the fastest and those that have the highest risk of attack as defined by the threat, their vulnerability, and the impact of an attack.
• The method is implemented in a Microsoft Excel-hosted decision support tool that does not require any special expertise in the cyber domain.