SBIR-STTR Award

Information Security Risk Rating
Award last edited on: 3/30/2022

Sponsored Program
SBIR
Awarding Agency
NSF
Total Award Amount
$1,150,000
Award Phase
2
Solicitation Topic Code
-----

Principal Investigator
Stephen W Boyer

Company Information

Bitsight Technologies (AKA: CyberAnalytix LLC~Bitsight)

125 Cambridge Park Drive Suite 204
Cambridge, MA 02140
   (617) 245-0469
   info@bitsighttech.com
   www.bitsighttech.com
Location: Single
Congr. District: 07
County: Middlesex

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2010
Phase I Amount
$150,000
This Small Business Innovation Research (SBIR) Phase I project addresses the challenges of risk management between businesses engaged in cyber-related business relationships. When businesses establish network or other cyber-related connections, they are sometimes poorly informed about the potential risk that they assume. Businesses typically rely on costly and time-consuming cyber security audits to inform them about the potential cyber and ensuing business risk of the relationship. The solutions that exist today are inefficient and have yet to properly address the industry's need for a reliable and inexpensive means of assessing the cyber security risk incurred through a particular business relationship. CyberAnalytix's objective is to produce a cyber security score. Businesses would use the cyber security score to inform cyber-related business decisions such as outsourcing, vendor IT relationships, and compliance. The Phase I research objective is to develop a scoring methodology that is credible, predictive, scalable and principally automatable. CyberAnalytix anticipates developing the scoring methodology as well as testing the methodology on a small set of business entities to evaluate whether the methodology and resulting score meet the prescribed objective characteristics. Historically, credit scoring has been a cost- and time-saving technology that has provided tremendous value to lenders and borrowers alike by helping to reduce cost, predict future loan performance, and to improve credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate businesses with respect to their cyber security risk. There is an opportunity to address a costly and inefficient industry pain point and have a broad economic impact. The need for cost-effective, high-quality, and reliable business cyber security scoring will continue to increase as more services are network enabled, outsourced, or accessed through the network "cloud."
If this effort were to succeed, businesses would reap the same time and cost savings that lenders do from credit scoring services from credit bureaus. The scoring methodology will enable businesses to make better, more informed, data-driven decisions about business risk in the cyber security and broader business context.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2012
(last award dollars: 2013)
Phase II Amount
$1,000,000

This Small Business Innovation Research (SBIR) Phase II project builds upon earlier work to develop an information security ratings service. When businesses connect their networks with partners or share data with them, they are often poorly informed about the potential risks they assume. Businesses have third-party relationships for a variety of operational reasons, and these partnerships almost always involve sharing sensitive and confidential data. Data shared can be customer information, intellectual property, Social Security numbers, etc. Businesses are worried about losing data through breaches in partner networks, as they face the consequences: financial, legal, and regulatory. Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered every day, and the industry needs a solution that enables a business to continuously monitor the changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable, fully automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior. Historically, credit scoring has been a "cost and time-saving technology" that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate businesses with respect to their information security risk. With Saperix's ratings service, businesses and government will have the potential to reap the same time and cost savings that lenders do from credit scoring services.
If the research is successful, Saperix's solution would provide market incentives for improving security outcomes, which would be a significant change in how security investments are viewed by businesses.