FAQ & Policies


Predictive Analytics Modeling Project: Measuring the Effectiveness of Cybersecurity and Supply Chain Strategies and Controls


Frequently Asked Questions


1. What is the purpose of the project?

The Predictive Analytics Modeling Project seeks to research and build the tools necessary to measure and assess the effectiveness of cybersecurity and related supply chain strategies and controls. The effort will use voluntary, secure and anonymized risk assessments based on the Cybersecurity Framework to begin developing a large-scale anonymized data set that seeks, for the first time, to demonstrate cause and effect relationships between cybersecurity and supply chain capability levels and organizational performance outcomes over time.


2. What is the purpose of the assessment and why should my organization


The main purpose of this assessment is to support NIST’s Cyber SCRM Program by providing organizations a convenient, secure way to self-evaluate and benchmark their cybersecurity practices.

The assessment will help organizations to clearly identify areas of strength where their cybersecurity practices meet or exceed established benchmarks; and other areas where more work and investment are needed. Finally, organizations will be able to anonymously compare their cybersecurity and supply chain strategies and controls against those attained by Standard Industrial Classification-derived industry peer groups.


3. What is the benefit to the larger cybersecurity community of participating in this research?

This research project will conduct a rigorous statistical analysis of the effectiveness of common cybersecurity and supply chain practices. It will match our sample universe’s assessment results with publicly reported breach data to provide evidence about the efficacy of cybersecurity practice in helping organizations to anticipate risks; and to target investments in areas of cybersecurity with significant operational payback. Such evidence-based research is scarce or non-existent and is important to the advancement of the cybersecurity and supply chain disciplines and enterprise risk management more broadly.


4. How will my organization’s privacy be assured?

Assurances: The University of Maryland’s R.H. Smith School of Business will never disclose, share or sell individual corporate data to any third party. This includes UMD’s institutional commitment to never disclosing corporate data to the Federal Government for compliance/monitoring purposes; or to the insurance industry for underwriting purposes.

In addition, individual corporate identities or a specific organization’s assessment results will never be reported upon. Research results will be thoroughly anonymized with reporting only done on an aggregated basis. For example, we might compare assessment results across industry sectors and subsectors using Standard Industrial Classification codes.


5. What about the security of our company’s data?

UMD has gone to great lengths to implement a security process that is comprehensive and represents best information security practice.

Registration: It starts with multi-factor authentication (MFA) of all registration accounts using text message or call back authentication. The MFA provider (Duo) was selected because of its commitment to the standards referenced in the Cybersecurity Framework and being validated to FIPS 140-2.


Protecting Data At Rest: Data sets for registration, respondent demographic information and performance assessments are contained in separated table structures to align with information security best practices. In addition, the entire database that contains these structures resides on an encrypted disk; and disk backups are also encrypted using AWS EBS volume encryption.

Protecting Data in Transit: All data in transit employs SSL (Secure Sockets Layer)

Overall site security has been maximized through the implementation of Drupal access control and security configuration best practices; and through the migration of the production environment to Amazon Web Services (AWS) with accompanying implementation of AWS Identity and Access Management (IAM) and AWS Security Groups controls, as well as AWS CloudTrail log audits.

For more information about UMD’s Data Security policies, please go to the following



6. Who developed the assessment and contributed to the questions set being


The assessment is the joint product of a public-private research team composed of cybersecurity professionals from NIST, the General Services Administration (GSA), the Department of Homeland Security (DHS), Zurich Insurance, Beecher Carlson and the University of Maryland’s R.H. Smith School of Business. The assessment combines expertise in information security, supply chain and risk management; and builds on a decade of cybersecurity assessment research by team members.


7. How can we reach NIST or the University of Maryland if we have further


For NIST, please contact Mr. Jon Boyens at:; or 301-975-5549 (o).

For the University of Maryland, please contact Dr. Sandor Boyson at; or 301-405-2205 (o).