Cyber Risk Research Impeded by Disciplinary Barriers

Abstract

Cyber risk encompasses a broad spectrum of risks to digital systems, such as data breaches or full-fledged cyber attacks on the electric grid. Efforts to systematically advance the science of cyber risk must draw on not only computer science but also fields such as behavioral science, economics, law, management science, and political science. Yet, many scholars believe that they have sufficient understanding of other fields to comprehensively address the inherently cross-disciplinary nature of cyber risk. For example, a statistician might apply Bayesian modeling to predict future cyber events, even though it is not entirely clear what bearing historical cyber events have on future ones. Computer scientists might write on data protection laws, yet with little knowledge of legal jurisdiction issues. Such questions of disciplinary ownership, the inability to coordinate across disciplines, and the undefined scope of the problem domain have thus plagued inherently cross-disciplinary cyber risk research. Drawing on global expertise and challenges from industry, academia, nonprofit organizations, and governments, we adapted the classical risk-management process to identify core research questions for cyber risk, gaps in knowledge that need to be addressed for advances in security, and opportunities for cross-disciplinary collaboration for each area. Although we mention specific disciplines reflective of our backgrounds, these are not the only ones that should be conducting cyber risk research.