CIRI-funded tool receives $100,000 matching award from Commonwealth of Virginia

6/25/2018 Katie Carr, CIRI

A cybersecurity risk measurement tool developed at the Critical Infrastructure Resilience Institute, a DHS Center of Excellence, was recently awarded a one-year, $100,000 grant from the Virginia Commonwealth Research Commercialization Fund (CRCF). The award will be matched by the Old Dominion University Research Foundation.

The Cyber Risk Scoring and Mitigation (CRISM) tool allows organizations to measure their cybersecurity risk using advanced threat assessment techniques. The tool, developed at ODU through a grant from CIRI, provides a risk assessment score, with a visual representation of an organization’s overall cybersecurity status, and recommendations for mitigating risks.

Sachin Shetty
“We’re glad the Commonwealth of Virginia recognized the value of this work and the money will be used to support the commercialization of this tool to be deployed in the healthcare sector,” said Sachin Shetty, a CIRI researcher and associate professor in the Virginia Modeling, Analysis and Simulation Center at Old Dominion University. “We’re going to focus all our efforts into testing the viability of the tool.”

After CRISM’s creation in 2016, Shetty said he and Jay Kasan, a professor of law and engineering at the University of Illinois at Urbana-Champaign, did not want the idea to perish in a publication.

“There were not a lot of tools in cybersecurity at the time CRISM was developed,” Shetty said. “Everyone has a credit score to measure financial risk, so it makes sense that individuals and organizations could benefit from cybersecurity scores. We want our tool to be applicable to any IT organization and anyone who depends on computers and networks to acquire information.”

CRISM Dashboard
CRISM was initially developed for the insurance industry, with plans to expand to other areas such as healthcare and the power industry. The researchers reached out to a variety of stakeholders, and Sentara Healthcare, a not-for-profit healthcare organization in Virginia and northeastern North Carolina, took a serious interest in doing a self-assessment of its security risk regarding its health records. Shetty and his team will be working with Sentara to test the CRISM system in the real world, as well as to compare CRISM’s usability with that of other similar tools.

“We’re always looking at any tool that will help us improve how we do security risk assessment,” Sentara’s Chief Information Security Officer Daniel Bowden said. “We’re evaluating the capabilities of improving our security risk assessment process by first finding and evaluating software vulnerabilities and sorting out a prioritized mitigation plan.”

The CRCF funding will help move CRISM’s commercialization efforts forward, as they will be spending the bulk of their efforts doing independent testing evaluations, using Sentara’s system as their testbed. Shetty said they have done previous testing with a local Virginia FBI unit, but their work with Sentara will be done in a systematic fashion over the course of a year.

“We believe our partnership with Sentara and their involvement in the commercialization of CRISM and the potential to expand our tool to other healthcare providers contributed to our receiving the funding award,” Shetty said.

Bowden and Sentara have partnered with Old Dominion University in recent years on other projects related to cybersecurity, blockchain and cybersecurity workforce development. According to Bowden, Sentara places high value on working with research centers, as it gives them insight and often influence into how a platform is developed. One aspect that attracted them to working with CRISM was how quickly they were able to receive a prioritized assessment of which system vulnerabilities to address first.

“If we get involved with a research institution early on, we can be closely involved in the development of the product and it helps us validate findings or conclusions we may have when we look at tools from commercialized vendors,” Bowden said.

CRISM was installed on Sentara’s system this month and after running basic functional tests, the researchers will be aggressively testing, using the platform and making adjustments over the next six to eight months.

“Most of CRISM’s development work wasn’t done by industry professionals, so this step is key in being able to make sure that we have the standards required for commercialization,” Shetty said. “We need to see how the system fares in a practical environment when there are lots of dynamic parts or when a tool breaks or malfunctions.”