Cybersecurity Cost of Quality: Managing the Costs of Cybersecurity Risk Management
Nicole M. Radziwill, Morgan C. Benton

TL;DR
This paper proposes a mapping between cybersecurity risk management costs and quality costs using the NIST Cybersecurity Framework, aiding organizations in measuring and controlling cybersecurity program expenses.
Contribution
It introduces a novel mapping framework linking cybersecurity risk management costs to quality costs based on NIST CSF, facilitating cost control and improvement.
Findings
Provides a practical mapping for organizations using NIST CSF
Enables linking cybersecurity costs to accounting systems
Supports continuous improvement in cybersecurity operations
Abstract
There is no standard yet for measuring and controlling the costs associated with implementing cybersecurity programs. To advance research and practice towards this end, we develop a mapping using the well-known concept of quality costs and the Framework Core within the Cybersecurity Framework (NIST CSF) produced by the National Institute of Standards and Technology (NIST) in response to the Cybersecurity Enhancement Act of 2014. This mapping can be easily adopted by organizations that are already using the NIST CSF for cybersecurity risk management to plan, manage, and continually improve cybersecurity operations. If an organization is not using the NIST CSF, this mapping may still be useful for linking elements in accounting systems that are associated with cybersecurity operations and risk management to a quality cost model.
Taxonomy
Topics: Information and Cyber Security · Software Reliability and Analysis Research · Software Engineering Research
