Supporting Statement

0693.0033.CyberSecurityStudy-SupportingStatment-4-6-11[1].docx

Generic Clearance for Program Evaluation Data Collections


OMB: 0693-0033


DOC/NIST Generic Clearance for Program Evaluation Data Collections

OMB Control No. 0693-0033

Expiration Date 10/31/2012


NIST-RTI ECONOMIC ANALYSIS OF THE U.S. CYBER SECURITY INFRASTRUCTURE

1. Explain who will be surveyed and why the group is appropriate to survey.


RTI International¹ (RTI) will conduct a series of interviews designed to aid and inform the National Institute of Standards and Technology (NIST) and the broader government community in the planning of future investments in cyber security. Given the measurement and interoperability problems in cyber security, NIST can offer unique expertise in fostering increased standardization of cyber security technology characteristics and process attributes.

For example, NIST currently develops Federal Information Processing Standards (FIPS) Publications and Special Publications Series documents that are compulsory for federal agencies and provide guidance to private-sector organizations. NIST is supporting this RTI data collection effort so that future government investments in cyber security can be made based on the estimated economic impact to the U.S.


In addition to NIST’s role in cyber security, the White House has expressed a strong desire to improve cyber security by focusing and coordinating cross-agency investments. The White House report Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (2009) provided an explicit set of high-level, policy-oriented recommendations for improving cyber security, including improved coordination of government cyber security activities and increased collaboration between the government and private sector. This report identified as particularly important the finance and health care industries, critical infrastructure (e.g., public utilities), and any industry with valuable intellectual property. RTI’s study and data collection efforts are aimed directly at these industries and several others, which were selected based on the potential economic impact of improved cyber security infrastructure.²


RTI will conduct a series of approximately 50 interviews with individuals who manage cyber security investments and operations at companies in the following industries: finance, health care, manufacturing, retail, telecommunications, and utilities. Information collected during these interviews will provide insight into where companies are spending the most on cyber security (i.e., to help identify possible inefficient spending) and what threats they are most concerned about (i.e., to help identify possible insufficient spending and/or lacking security). The information gathered will inform the development of a national survey that will seek to quantify the cost savings and quality benefits associated with an improved cyber security technology infrastructure.


The specific target population for these interviews will be individuals that represent the Information Technology Security staff of these organizations. These individuals are the appropriate group to survey because they would be the most able to identify the security threats faced by their organization and their industry as a whole, as well as being able to speak intelligently about the costs associated with preventing and responding to these threats.


Discerning differences among industries will ensure that industry-specific concerns are captured and used in the development of the national survey. The industries were selected based on factors including total IT spending, total IT security spending and claimed losses, and a Department of Homeland Security risk assessment of industries.



2. Explain how the survey was developed including consultation with interested parties, pretesting, and responses to suggestions for improvement.


In general, the interview guide is composed of several types of questions, including questions regarding security threats, security strategies and technologies, and security spending. It was developed based on RTI’s past experience in studying cyber security and characteristics of technology adoption, as well as through consultation with RTI and external technical cyber security experts, including Dr. Douglas Reeves at North Carolina State University, who serves as a consultant to the project. Several industry associations and companies were also consulted via informal discussions about their cyber security spending and concerns. These interviews will provide direct input into the development of the more formal national survey questions.



3. Explain how the survey will be conducted, how customers will be sampled if fewer than all customers will be surveyed, expected response rate, and actions your agency plans to take to improve the response rate.


Because very little is known about the cyber security spending habits or cyber security threat perceptions of businesses across the industries being considered by this study, RTI will be utilizing informal interviews with a small number of representative individuals as a means of better understanding these issues. As detailed in the 2006 “Guidance on Agency Survey and Statistical Information Collections”, informal interviews like these are a good first step to identifying the key issues for more systematic study (p.16 OMB, 2006).


RTI will interview 50 individuals in total. More specifically, RTI will conduct interviews with 7 to 10 individuals in each of six industries: finance, health care, manufacturing, retail, telecommunications, and utilities. These interviews will be conducted mainly by telephone, though some interviews may be conducted in person, particularly with companies located near San Francisco, CA or Raleigh, NC where RTI project staff are located. The interviews are expected to last 30 minutes; as such, the total estimated time burden for all interviews is 25 hours.


Since the purpose of these interviews is to further RTI’s exploratory investigation before a more systematic survey is undertaken, the data being collected during these interviews will not be used to characterize the entire population of interest. A statistically representative sample will not be collected, as is consistent with qualitative data collection guidelines (p.16 OMB, 2006). Instead, potential participants for these interviews will be identified based on previous contacts established by RTI’s research team and through coordination with industry associations, making sure that each industry selected is adequately represented. As such, we expect our response rate to be over 75% of contacted organizations and will utilize our relationship with industry associations such as Information Systems Audit and Control Association (ISACA) and North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA) to identify additional interview participants as needed.


4. Describe how the results of the survey will be analyzed and used to generalize the results to the entire customer population.


As described above, the data collected through these interviews will not be used to characterize the entire population of interest. Instead, these interviews will serve to provide qualitative information regarding each of these industries that will be used in developing a survey instrument for a larger, more nationally representative survey, as is consistent with qualitative data collection guidelines (p.16 OMB, 2006). This subsequent survey will be submitted to the Office of Management and Budget (OMB) for approval later this year.



References


Office of Management and Budget. 2006. “Guidance on Agency Survey and Statistical Information Collections.” Memorandum from Administrator John Graham for the President’s Management Council. http://www.whitehouse.gov/OMB/inforeg/pmc_survey_guidance_2006.pdf.


1 RTI International is the trade name of the Research Triangle Institute.

2 These industries were selected based on a combination of metrics including current spending on IT, reported and estimated IT security spending and losses, and



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Assessing the Biopharmaceutical Industry’s
Author: amicar
File Modified: 0000-00-00
File Created: 2021-02-03
