CISA’s Office of the Chief Economist (OCE) is a team of economists within CISA’s Office of the Chief Financial Officer with expertise in economic analysis across the various analytic methods and fields recognized by the American Economic Association (AEA).
- Core Disciplines: microeconomics, macroeconomics, and econometrics.
- Tools and Methods: benefit-cost analysis, risk analysis, mathematical modeling and simulation (e.g., computable general equilibrium analysis and input-output analysis), data science, behavioral economics, and game theory.
OCE applies this expertise to support a wide range of applications for economic analysis for customers throughout CISA, including its Cybersecurity Division, Infrastructure Security Division, and National Risk Management Center (NRMC). This often involves addressing such questions as:
- What are the benefits and costs of a program, regulatory action, or resilience enhancement option?
- How cost-effective is a course of action?
- What are the economic consequences or impacts of an adverse event?
- What incentives could be developed to promote cyber and infrastructure security and resilience?
OCE’s current and recent projects span applications in both regulatory and non-regulatory economic analysis, including the Chemical Facility Anti-Terrorism Standards (CFATS), cybersecurity, Unmanned Aerial Systems (UAS), 5G, Global Positioning System (GPS), and soft target security.
This page will be periodically updated with a selection of reports and presentations developed by OCE.
- Cost of a Cyber Incident: Systematic Review and Cross-Validation. To help stakeholders understand the impacts, costs, and losses from cyber incidents, CISA has cleared this October 2020 study for release. The objectives of the study are to enable cyber risk analysis, understand the benefits of cybersecurity investments, and inform cybersecurity resource allocation decisions. To achieve these objectives, CISA’s study reviews cost and loss estimates for a wide range of incidents. While the data analyzed in CISA’s Cost Study can inform the order of magnitude of the potential costs associated with more recent events such as the SolarWinds compromise and Microsoft Exchange server exploit, the impacts associated with these events are not included in the study.
- Retrospective Analysis of the 2007 Chemical Facility Anti-Terrorism Standards (CFATS). OCE conducted a retrospective analysis of CFATS, finding the actual costs to chemical facilities to be 83 percent lower than estimated when the program was first proposed.
- Assessment of the Cyber Insurance Market. NRMC requested that OCE assess the current state of the cyber insurance market. The purpose of the assessment was to (1) analyze the cyber insurance market to understand the most current trends and challenges and (2) identify relevant efforts related to cyber insurance that could inform NRMC’s research and collaboration agenda and aid prioritization of requirements.
- Executive Order 13636, Improving Critical Infrastructure Cybersecurity, Analytic Report. Executive Order (EO) 13636 required DHS to recommend to the President “a set of incentives designed to promote participation in the [cybersecurity] Program…” In 2013, OCE led the development of the DHS incentives study in collaboration with the White House Council of Economic Advisers, Treasury Tax Policy and Insurance Policy Offices, and the former Homeland Security Studies and Analysis Institute. The Analytic Report contains the full EO 13636 incentives study.
- Executive Order 13636, Improving Critical Infrastructure Cybersecurity, Summary Report. The Summary Report is a four-page executive summary of the full EO 13636 incentives study.
- Supporting Transparency in the Marketplace Summary. Presidential Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, required the Secretary of the Department of Homeland Security (DHS), in coordination with the Secretary of Commerce, to provide a report to the President by August 9, 2017, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices, with a focus on publicly traded critical infrastructure entities.