The TAPESTRY model allows one to explore risk in specific subsections of an organization or at the macro level.
Dr. Charles Harry
Cybersecurity expert and UMD Associate Research Professor Charles Harry (SPP and INFO), who also serves as Director of the Center for Governance of Technology and Systems (GoTech), has been granted a patent for his innovative approach to assessing, measuring and optimizing cyber risk through a comprehensive modeling platform, TAPESTRY, that incorporates his own framework, developed in collaboration with Trevor Tart, a colleague in the private sector.
Referring to the specific applications of his modeling platform in the field of cybersecurity, and how it has helped organizations such as the Department of Energy (DoE) assess strategic risks, Harry shares, “TAPESTRY is useful to help identify integrated risk in internal processes and supply chains, specifically the ability to measure and prioritize those scenarios that represent a strategic consequence to the organization.”
Unlike other cybersecurity risk assessment tools in the industry, most of which do not allow one to measure interdependencies or assess consequences in non-dollar terms, Harry explains, “The TAPESTRY model allows one to explore risk in specific subsections of an organization or at the macro level. It allows policymakers and business leaders to explore risk in a multi-dimensional way.” This modeling platform will continue to evolve and potentially assist firms in assessing supply chain risk and help insurance companies predict losses in specific industries.
Harry encountered several challenges throughout the years-long process of developing the software for his modeling platform. “We have had to tackle a myriad of problems. These included the founding of a private firm to allow for the hiring of software developers, provide IP protection through NDAs and other legal means, conduct consulting engagements to test drive the approach, and overcome perceptions that this is more of an academic endeavor than a real-world solution,” states Harry. UMD owns the IP for TAPESTRY, but Harry is working to revise the business model to make it available as a Software as a Service (SaaS) offering, which will drive down expenses and allow it to be offered at a significantly reduced price. Balancing the need to protect their intellectual property with the desire to share their research and make it accessible to the wider public, Harry emphasizes, “The patent is a major step in allowing us to more broadly discuss the approach we are using to measure risk and allow us to more systematically apply it in research projects.”
On the ethical considerations that could arise with this modeling platform, Harry notes, “One challenge is ensuring that the data captured in the model is protected from hackers which would use the insights to identify the optimal pain points for the firm. We are investing a lot of time to provide robust security in the product to ensure these issues are addressed.”
The approach in the newly-patented TAPESTRY model allows for a systems approach to cybersecurity, linking human processes to technical systems and assessing how attacks on technology cascade through to the human process. It is fundamentally different from the current state of the art, and Harry believes the newly-granted patent will contribute to advancing cybersecurity research and enabling broader public access. “The approach in the model allows us to, at scale, assess the range of consequences facing organizations and CISA [Cybersecurity and Infrastructure Security Agency] national critical functions. This is a repeatable and quantitative approach that is now scalable.” The TAPESTRY model has the potential to revolutionize the field of cybersecurity and pave the way for more comprehensive and effective protection of critical infrastructure.