CR Jul 9, 2017

Cybersecurity Cost of Quality: Managing the Costs of Cybersecurity Risk Management

arXiv:1707.02653v1, 14 citations
Originality: Synthesis-oriented

AI Analysis

The paper provides a practical tool for organizations managing cybersecurity risk, but its contribution is incremental, since it adapts existing frameworks rather than introducing new ones.

The paper addresses the lack of a standard for measuring the cost of a cybersecurity program by developing a mapping between the NIST Cybersecurity Framework and quality-cost concepts, so that organizations can plan and improve their cybersecurity operations.

There is no standard yet for measuring and controlling the costs associated with implementing cybersecurity programs. To advance research and practice towards this end, we develop a mapping using the well-known concept of quality costs and the Framework Core within the Cybersecurity Framework (NIST CSF) produced by the National Institute of Standards and Technology (NIST) in response to the Cybersecurity Enhancement Act of 2014. This mapping can be easily adopted by organizations that are already using the NIST CSF for cybersecurity risk management to plan, manage, and continually improve cybersecurity operations. If an organization is not using the NIST CSF, this mapping may still be useful for linking elements in accounting systems that are associated with cybersecurity operations and risk management to a quality cost model.
