MIT Technology and Policy Program
Chelsea Conard

Quantifying cyber risk
January 9, 2024

Chelsea Conard is a student in the MIT Technology and Policy Program (TPP) addressing cybersecurity policy through research and education. Her past work spans SRC (strategy, risk and compliance), cyber intelligence, network security, and cloud security.

What is the focus of your research? What sort of knowledge and disciplines does it bring together? How will it make an impact?

Cyber risk models are in their early stages of development and many organizations are striving to create their own models. However, development and validation of these models have been limited by the lack of comprehensive data in the field, largely due to data sensitivity. At the end of 2022, MIT and the Federal Reserve convened a significant gathering focused on Cyber Risk Measurement, where the need for collaboration was discussed. My work is a part of an MIT/Internet Policy Research Initiative (IPRI) initiative to work closely with the Federal Reserve and industry partners to develop cyber risk models.

My research with Taylor Reynolds at IPRI seeks to quantify cyber risk exposure in financial terms, using models of the threat environment to make the assessment. We use sensitive cybersecurity defense and loss input data to construct security benchmarks that inform remediation for private, public, and government organizations.

Our methodology combines data science and financial modeling with cybersecurity knowledge, while also reflecting policy recommendations with consideration to human behavior and decision-making. The United States National Security Strategy (NCS) and its National Cybersecurity Strategy Implementation Plan (NCSIP) call for an increased reliance on metrics to address cybersecurity risk, and the direction of this research can inform international cybersecurity policy.

Last summer you interned with the Center for Cybersecurity Policy and Law (CCPL). Who did you work with and what did you do?

The Center for Cybersecurity Policy and Law (CCPL, led by Ari Schwartz), is a 501(c)(6) nonprofit organization aimed to promote best practices and advance educational opportunities among cybersecurity professionals. The Center hosts groups including the Cybersecurity Coalition, the Coalition to Reduce Cyber Risk, and the DigiAmericas Alliance. Working in support of Alexander Botting of their Global Security and Technology Strategy group, I was able to research trends in national cybersecurity policies, voice concerns over problematic elements of pending cybersecurity law, and produce surveys for technical analysis of the adoption of cloud security. I also joined discussions on policy for the future of ethical hacking and vulnerability disclosure, as well as Security-by-Design and -Default.

How does the internship connect to your interests and future plans?

TPP provides a rare opportunity to engage in both technology and policy, much like CCPL, a unique organization that bridges the domains. Located in Washington D.C., CCPL’s integration of law facilitates its active participation in cybersecurity policymaking with experts who can provide a needed lens on the technical underpinnings of cybersecurity policy and law. My internship allowed me to learn from key opinion leaders who are holding the pen for foundational policies, and I had the privilege to participate in real-time discussions on policy releases.

I am most grateful to meet great people who are passionate about cybersecurity and to join discussions about topics I deeply care about both within TPP, and in settings outside of TPP. For the future, I aspire to be a part of a diverse and enthusiastic community that fosters a work culture where we collectively support the advancement of cybersecurity.

MIT Technology and Policy Program
Massachusetts Institute of Technology
77 Massachusetts Avenue
Cambridge, MA 02139-4307