Predictive Analytics Modeling Project: Measuring the Effectiveness of Cybersecurity and Supply Chain Strategies and Controls
Frequently Asked Questions
1. What is the purpose of the project?
The Predictive Analytics Modeling Project seeks to research and build the tools
necessary to measure and assess the effectiveness of cybersecurity and related
supply chain strategies and controls. The effort will use voluntary, secure and
anonymized risk assessments based on the Cybersecurity Framework to begin
developing a large-scale anonymized data set that seeks, for the first time, to
demonstrate cause and effect relationships between cybersecurity and supply chain
capability levels and organizational performance outcomes over time.
2. What is the purpose of the assessment, and why should my organization participate?
The main purpose of this assessment is to support NIST’s Cyber SCRM Program by
providing organizations with a convenient, secure way to self-evaluate and benchmark
their cybersecurity practices.
The assessment will help organizations to clearly identify areas of strength, where
their cybersecurity practices meet or exceed established benchmarks, and other
areas where more work and investment are needed. Finally, organizations will be
able to anonymously compare their cybersecurity and supply chain strategies and
controls against those attained by Standard Industrial Classification-derived
industry peer groups.
3. What is the benefit to the larger cybersecurity community of participating
in this research?
This research project will conduct a rigorous statistical analysis of the effectiveness
of common cybersecurity and supply chain practices. It will match our sample
universe’s assessment results with publicly reported breach data to provide
evidence about the efficacy of cybersecurity practice in helping organizations to
anticipate risks, and to target investments in areas of cybersecurity with significant
operational payback. Such evidence-based research is scarce or non-existent and is
important to the advancement of the cybersecurity and supply chain disciplines and
enterprise risk management more broadly.
4. How will my organization’s privacy be assured?
Assurances: The University of Maryland’s R.H. Smith School of Business will never
disclose, share or sell individual corporate data to any third party. This includes
UMD’s institutional commitment to never disclosing corporate data to the Federal
Government for compliance/monitoring purposes, or to the insurance industry for
In addition, individual corporate identities or a specific organization’s assessment
results will never be reported upon. Research results will be thoroughly
anonymized with reporting only done on an aggregated basis. For example, we
might compare assessment results across industry sectors and subsectors using
Standard Industrial Classification codes.
5. What about the security of our company’s data?
UMD has gone to great lengths to implement a security process that is
comprehensive and represents best information security practice.
Registration: It starts with multi-factor authentication (MFA) of all registration
accounts using text-message or call-back authentication. The MFA provider (Duo)
was selected because of its commitment to the standards referenced in the
Cybersecurity Framework and its validation to FIPS 140-2.
Protecting Data At Rest: Data sets for registration, respondent demographic
information and performance assessments are contained in separate table
structures to align with information security best practices. In addition, the entire
database that contains these structures resides on an encrypted disk, and disk
backups are also encrypted using AWS EBS volume encryption.
Protecting Data in Transit: All data in transit employs SSL (Secure Sockets Layer)
Overall site security has been maximized through the implementation of Drupal
access control and security configuration best practices, and through the migration
of the production environment to Amazon Web Services (AWS) with accompanying
implementation of AWS Identity and Access Management (IAM) and AWS Security
Groups controls, as well as AWS CloudTrail log audits.
For more information about UMD’s Data Security policies, please go to the following
6. Who developed the assessment and contributed to the question set being
The assessment is the joint product of a public-private research team composed of
cybersecurity professionals from NIST, the General Services Administration (GSA),
the Department of Homeland Security (DHS), Zurich Insurance, Beecher Carlson and
the University of Maryland’s R.H. Smith School of Business. The assessment
combines expertise in information security, supply chain and risk management, and
builds on a decade of cybersecurity assessment research by team members.
7. How can we reach NIST or the University of Maryland if we have further questions?
For NIST, please contact Mr. Jon Boyens at firstname.lastname@example.org or 301-975-5549 (o).
For the University of Maryland, please contact Dr. Sandor Boyson at
email@example.com or 301-405-2205 (o).