When defending an organization against cyberattacks, cybersecurity professionals are faced with the dilemma of selecting from a large set of cybersecurity defensive measures while operating with a limited set of resources with which to employ the measures. Engaging in this selection process is not easy and can be overwhelming. Furthermore, the challenge is exacerbated by the fact that many cybersecurity strategies are presented as itemized lists, with few hints at how to position a given action within the space of alternative actions. This report aims to address these difficulties by explaining the menu of actions for defending an organization against cyberattack and recommending an approach for organizing the range of actions and evaluating cybersecurity defensive activities.

       Table of Contents Chapter One

       Motivation

       Chapter Two

       Core Concepts

       Chapter Three

       Ring 2

       Chapter Four

       Ring 3

       Chapter Five

       Using This Work

       Chapter Six

       Conclusion

       Research conducted by RAND National Security Research Division

       The study was sponsored by Program, Analysis, and Evaluation (PA&E) of the Office of the Chief Financial Officer, DHS and conducted in the RAND Homeland Security and Defense Center(HSDC), a joint center of two research divisions: RAND Justice, Infrastructure, and Environment and the RAND National Security Research Division.

       This report is part of the RAND Corporation tool series. RAND tools may include models, databases, calculators, computer code, GIS mapping tools, practitioner guidelines, web applications, and various toolkits. All RAND tools undergo rigorous peer review to ensure both high data standards and appropriate methodology in keeping with RAND's commitment to quality and objectivity.

       Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

       The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.