Quantifying Cybersecurity Risk for NASA Missions

An end-to-end cyber risk assessment process is presented that is based on the combination of guidelines from the National Institute of Standards & Technology (NIST), the standard 5x5 risk matrix, and quantitative methods for generating loss exceedance curves. The NIST guidelines provide a framework for cyber risk assessment, and the standard 5x5 matrix is widely used across the industry for the representation of risk across multiple disciplines. Loss exceedance curves are a means of quantitatively assessing the loss that occurs due to a given risk profile. Combining these different techniques enables us to follow the guidelines, adhere to standard 5x5 risk management practices and develop quantitative metrics simultaneously. Our quantification process is based on the consideration of the NASA and JPL Cost Risk assessment modeling techniques as we define the cost associated with the cybersecurity risk profile of a mission as a function of the mission cost.