The system of interest for this project is a modern digital enterprise and its external operating environment. Currently, the design, deployment, and operation of enterprise cyber risk management strategies are not significantly reducing the level of success of motivated threat actors. New methods are needed for faster and more effective enterprise cyber risk management. The National Institute of Standards and Technology (NIST) currently provides guidance on enterprise cyber risk management strategy design in Special Publication 800-39. This document calls for the creation of a senior cyber risk manager role responsible for creating an enterprise’s cyber risk management strategy. While NIST describes a work process for designing a cyber risk management strategy, it does not make a specific recommendation for tools that will assist a senior cyber risk manager in their design work. NIST SP800-39 was published in 2011. Subsequently in 2014, NIST published “On Enabling a Model-Based System Engineering Discipline". In 2020, NIST also cited a paper titled “Model-Based Cybersecurity Engineering for Connected and Automated Vehicles” as a best practice. From this, it can be concluded that NIST is aware of model-based systems engineering and its usefulness when applied to cyber risk management strategy design. The gap area this project addresses is the application of model-based systems engineering for enterprise cyber risk management strategy design. An enterprise cyber risk management strategy design needs to secure all five elements of its attack surface. As a practical matter, this project's scope is limited to just one attack surface element, supply chain security. A proof-of-concept web application was developed for designing a supply chain cyber risk management strategy using a commercially available model-based system engineering application. The selected model-based system engineering application does not currently support a geographic information system view, which is recommended for holistically visualizing a supply chain network. Research suggests that a holistic view minimizes decision-making risk based on incomplete or inaccurate information. This gap was addressed by creating a middleware application which functionally generates the necessary view using supplier information entered into the model-based system engineering application. Two use cases for the application were considered. The first use case is a student who is learning how to design a supply chain cyber risk management strategy. The second use-case is a senior cyber risk manager who is tasked with designing a supply chain cyber risk management strategy for the enterprise they are defending. Successful validation of the contemplated proof-of-concept functionality has highlighted the benefit of this approach and enabled follow-up work to address the other remaining enterprise attack surface elements. A better tool for enabling enterprise cyber risk management strategy design will benefit all enterprises in their competition with motivated threat actors.

Recommended Citation: Pena I., Stoker G., Greer J., Layman L., (2024). Integrating a Model-Based Systems Engineering Application with a Geographic Information System for Cyber Supply Chain Risk Management. UNCW MS CSIS Proceedings. V. 18 , N. 14 .