Cybersecurity Acquisition Framework Based on Risk Management: Economics Perspective

Document Type


Publication Date


Publication Title

Proceedings of the Seventeenth Annual Acquisition Research Symposium


13 pp.

Conference Name

Seventeenth Annual Acquisition Research Symposium


Investments in the cyber domain are subject to constraints that may be similar to those in other domains, such as cost and effectiveness. However, cyber is a dynamic domain where the effectiveness and efficiency of investments are harder to measure. The interdependency of assets poses an additional challenge to make decisions on investments for the cyber domain. Therefore, organizations need to answer hard questions: whether, how much, and when to invest in cybersecurity. Analyzing the attack surface of a system or an enterprise in cyberspace, prioritizing assets according to their business values, and quantifying cybersecurity risk in monetary values would help to make better decisions while choosing a risk management strategy. The aim of this article is to develop a risk-informed cybersecurity investment decision model by considering the ripple effects in an organization based on the Functional Dependency Network Analysis (FDNA) methodology. Several simulations are conducted to test the effectiveness of the developed model.


This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.

Original Publication Citation

Kucukkaya, G., Keskin, O., Kucukozyigit, A., Pinto, C., Tatar, U., & Alfaqiri, A. (2020). Cybersecurity Acquisition Framework Based on Risk Management: Economics Perspective. http://hdl.handle.net/10945/65981