Defining Cyber Security and Cyber Security Risk within a Multidisciplinary Context using Expert Elicitation

It is important to have and use standardized terminology and develop a comprehensive common understanding of what is meant by cyber security and cyber security risk given the multidisciplinary nature of cyber security and the pervasiveness of cyber security concerns throughout society. Using expert elicitation methods, collaborating cyber researchers from multiple disciplines and two sectors (academia, government–military) were individually interviewed and asked to define cyber security and cyber security risk. Data‐driven thematic analysis was used to identify the most salient themes within each definition, sector, and cyber expert group as a whole with results compared to current standards definitions. Network analysis was employed to visualize the interconnection of salient themes within and across sectors and disciplines. When examined as a whole group, “context‐driven,” “resilient system functionality,” and “maintenance of CIA (confidentiality, integrity, availability)” were the most salient themes and influential network nodes for the definition of cyber security, while “impacts of CIA vulnerabilities,” “probabilities of outcomes,” and “context‐driven” were the most salient themes for cyber security risk. We used this expert elicitation process to develop comprehensive definitions of cyber security (cybersecurity) and cyber security risk that encompass the contextual frameworks of all the disciplines represented in the collaboration and explicitly incorporates human factors as significant cyber security risk factors.