The U.S. Cyber
Consequences Unit (US-CCU) is an independent,
non-profit (501c3) research institute. It
provides assessments of the strategic and
economic consequences of possible cyber-attacks
and cyber-assisted physical attacks. It also
investigates the likelihood of such attacks and
examines the cost-effectiveness of possible
Although the US-CCU
aims to provide credible estimates of the costs
of ordinary hacker mischief and white collar
crime, its primary concern is the sort of larger
scale attacks that could be mounted by criminal
organizations, terrorist groups, rogue
corporations, and nation states.
The mission of the US-CCU is to provide America and its allies with the concepts
and information necessary for making sound security decisions in a world where our physical well-being increasingly depends on cyber-security. The reports
and briefings the US-CCU produces are supplied without charge to the government, to entire critical infrastructure industries, and to the public.
Intensive, Day-Long Courses
For over a decade, the US-CCU has been the world leader in anticipating new cyber threats, quantifying their consequences, demonstrating the ROI for counter-measures, and, in general, showing how to implement a quantitative, risk-based approach to cyber security. In response to many requests, we are now offering courses to teach as much as we can of what we have discovered over our years of research.
Cyber Security for Senior Management
Learn: Which cyber risks are real and which are mostly hype. How computers and networks actually operate, without the usual technical gobbledygook. What questions to ask cyber security professionals. How to take account of cyber-security in the initial planning of new operations and systems, in order to avoid large costs later. How to tell whether a given cyber-security strategy makes sense.
Dates: To be announced.
Cyber Threat Analysis
Learn: How to anticipate what kinds of cyber attacks are coming, even when they haven’t been seen them yet. How to analyze and model cyber attackers and the way they are developing. What things to watch for and how to understand what they mean. How to estimate how soon or how frequently a given attack will occur. Strategies for threat reduction.
Dates: October 14 and November 18 in Washington, DC.
Cyber Consequence Analysis
Learn: How to estimate the costs of cyber attacks, even when those costs do not take the form of immediate expenditures. In particular, how to estimate the costs of damage to customer relationships,damage to brand, and theft of technical or business information. Strategies for increasing resilience and reducing consequences.
Dates: October 15 and November 19 in Washington, DC.
Cyber Vulnerability Analysis
Learn: How to see the full range of vulnerabilities from both an offensive and a defensive perspective. How to evaluate vulnerabilities collectively and quantitatively. How to estimate the collective effect of vulnerabilities on prospective losses. Understanding the effects of defensive measures on the expenditures and skill levels needed by attackers.
Dates: To be announced
Cyber Policy Analysis
Learn: How to estimate the return on investment for different security policies. The reasons for market failures in cyber security and what can be done about them. The reasons for administrative failures in cyber security and what could be done about those. The implications of cyber attacks for corporate, national, and military strategic planning.
Dates: To be announced
Practical Cyber Intelligence
Learn: How to use sources that are readily available, but under-utilized. How to tie together threat intelligence from difference sources. How to see cyber-attack developments in relation to other kinds of events. Finding the real affiliations of groups that are falsifying their identities. Deducing their technical capabilities. Analyzing probes, scans, and criminal offerings to make counter-moves before the associated attacks.
Dates: To be announced
Key Features of the US-CCU’s Research
• State-of-the-Art Analysis
The US-CCU, since its inception, has been the leading source of new concepts and information
for understanding the intersection of cyber, physical, and economic security. Its staff includes
pioneering . . .
• Scrupulously Neutral
The US-CCU’s research results are generally accepted as the most objective available. This objectivity is vital to its work, because the
US-CCU regularly functions as a trusted third party, processing . . .
• Utterly Confidential
The reason the US-CCU was set up as an independent, non-governmental organization was so it could rigorously protect the proprietary information of private sector corporations.
This . . .
• Real-world Oriented
The US-CCU is profoundly engaged with operational and business realities. It carries out nearly
all of its research on-site and in-depth. It does
not employ questionnaires or phone surveys. It
conducts . . .
• Interdisciplinary Expertise
In order to understand the role of cyber-security in business and operational contexts, the US-CCU
makes use of a much wider range of expertise than has usually been employed in the
security . . .
• Highly Influential
One of the reasons that many corporations are happy to cooperate with the US-CCU’s research is that
it helps government policy makers to take better account of their concerns. The US-CCU
provides . . .
The US-CCU’s Analytic Method
The primary analytic method that the US-CCU employs is called Value Creation Analysis. This method was first pioneered and applied to information problems by the US-CCU’s director in the mid-1990's. It draws on his earlier work in culture-based economics, on
Harborne Stuart and
Adam Brandenburger's work in
value-based business strategy, and, more broadly, on
cooperative game theory. The value-based approach has been part of the business school curricula at Harvard, Columbia, Wharton, UCLA, Dartmouth, NYU, and other leading universities for a number of years. It resulted in
breakthroughs in pricing theory and in other areas of business strategy. It is only recently, however, that this approach was developed into a theory of value destruction by the US-CCU’s director and applied to the analysis of cyber-attacks. As far as the staff of the US-CCU are aware, this value creation/value destruction model is currently the only method for evaluating the economic consequences of cyber-attacks that can stand up to critical scrutiny.
Corporate Cyber-Security Exercises
In addition to its research activities, the US-CCU regularly conducts cyber-security exercises for critical
infrastructure corporations and other institutions. These exercises normally consist of four table-top
sessions . . .
The US-CCU’s Role as a Trend-Setter
The US-CCU director, chief technology officer, and staff
have been among the leaders in each of the
changes in cyber-security focus over the last
several years. They have helped to shift the
focus from cyber-attacks that merely interrupt
services to those that use false information to
do active damage or destroy trust, from mass
attack viruses and worms to attacks targeted at
specific businesses and processes, from
perimeter defense to internal monitoring and
recovery, from cyber-vandalism and petty theft
to large indirect-payoff cyber-crimes, and from
cyber-security as a separate field to the
integration of cyber and physical security.
Almost every recent trend in cyber-attack
strategies and technologies has been anticipated
or identified in its earliest stages by US-CCU
Although US-CCU’s research lays out the possible consequences of
cyber-attacks and the likely effects of
counter-measures in some detail, it does not
make specific recommendations about how to bring
about the needed security reforms. Instead, the
US-CCU attempts to identify the ways in which
counter-measures need to take account of the
special circumstances and business conditions in
specific industries. Despite the urgency of
this subject, it is not an area in which hasty
or one-size-fits-all solutions are likely to be
The US-CCU's International Outreach
International cooperation is essential if we are to have any chance
of limiting the destruction that can be caused by cyber-attacks. Cyber-attacks can now be launched from virtually anywhere, and their
targets . . .
The Urgency of This Cyber-Security Work
Based on the work
the US-CCU has already done, it is evident that
the potential economic and strategic
consequences of cyber-attacks are very great.
The US-CCU’s research has demonstrated that the
numbers widely quoted for the costs of
denial-of-service cyber-attacks lasting up to
three days are actually wildly inflated. But
the US-CCU’s findings show that other types of
cyber-attacks are potentially much more
destructive. Especially worrisome are the
cyber-attacks that would hijack systems with
false information in order to discredit the
systems or do lasting physical damage. At a
corporate level, attacks of this kind have the
potential to create liabilities and losses large
enough to bankrupt most companies. At a
national level, attacks of this kind, directed
at critical infrastructure industries, have the
potential to cause hundreds of billions of
dollars worth of damage and to cause thousands
Some of the attack scenarios that would produce the most
devastating consequences are now being outlined
on hacker websites and at hacker conventions.
The overall patterns of cyber intrusion
campaigns suggest that a number of potentially
hostile groups and nation states are actively
acquiring the capability to carry out such
attacks. Meanwhile, the many ways in which
criminal organizations could reap huge profits
from highly destructive attacks are also now
being widely discussed. This means that
American corporations and American citizens need
urgently to be informed, not just of their
technical vulnerabilities, but of the economic
and strategic consequences if those
vulnerabilities are exploited. It is only by
basing our cyber-defenses on a comprehensive
assessment of cyber-attack consequences that we
can make sure those defenses are sensible and
Director and Chief Economist (CEO)
Scott Borg originated many of the concepts and categories currently being used to understand the strategic and economic implications of cyber-attacks. He founded the US-CCU at the request of senior government officials, who wanted an independent, economically-oriented source of cyber-security research. He has lectured at Harvard, Yale, Columbia, London, and other leading universities.
Research Director for Financial Services
Warren Axelrod is one of the leading authorities on the cyber-security of financial institutions. He helped create some of the financial industry practices that are now standard. In addition to his CISSP and other cyber-security qualifications, he has a Ph.D. in economics from Cornell and degrees in engineering and statistics from the University of Glasgow.
Research Director for Security Technology(CTO)
John Bumgarner is a celebrated “über-hacker” with 18 years of service in Special Operations and intelligence. His private sector certifications include CISSP, GIAC (Gold), and duel Masters degrees in Information Systems Management and Security Management.
Research Director for Electrical Power
Joel Gordes has been a recognized expert on energy policies and electrical utilities for nearly thirty years, winning respect from all parties. His interest in security issues dates from his military days, when after graduating from the U.S. Air Force Academy, he flew over 130 combat missions, receiving Distinguished Flying Cross and Air Medal with eight oak leaf clusters.
Research Director for Economic Relationships
Ben Mazzotta is an expert on the international aspects of economic development, with special knowledge of seaports, healthcare, and the financial industry. He received an MA in Law and Diplomacy from the Fletcher School at Tufts, a BA from Yale, and served in the Peace Corps.
Research Director for Oil and Gas
Michael Mylrea is an expert on the oil and gas industry and on the use of the internet by terrorists. He has worked internationally as a journalist and is proficient in Arabic, Hebrew, and Spanish. His graduate studies have been at the Fletcher School at Tufts, and his undergraduate studies were at the University of Wisconsin at Madison.
Research Director for Manufacturing Supply Chains
Paul Thompson is an expert on cognitive hacking and text mining. He has served on the computer science faculties of Dartmouth College, the University of Minnesota, and George Mason University. His Ph.D. is from the University of California at Berkeley.
Research Director for East Asian Partnerships
Charles Wheeler is an expert on the international activities of East Asian businesses and on their historical roots. He has served on the faculty of the University of California at Irvine. His doctorate in Southeast Asian history is from Yale, and his undergraduate studies in Chinese were at the University of Washington.
Senior Research Fellows
Consulting Director for Analytic Methods
Gus Stuart is responsible for several of the key concepts in game-theory-based business strategy, including the rigorous formulation of Added Value. He has a doctorate in decision science, an MS in engineering sciences, and a BA in mathematics, all from Harvard. He is currently an Associate Professor in the Business School of Columbia University.
Senior Research Associates
Consulting Financial Analyst
April Andrews is a Certified Financial Analyst (CFA) who specializes in matters related to information technology. Her MBA is from Duke University, and her undergraduate education was at Amherst College.
Steffani Burd is a statistician specializing in homeland security and cyber-security. She received her Ph.D. from Columbia University and her undergraduate education at the University of Chicago.
Consulting Research Economist
Ardith Spence is an economist with special expertise in resource management, energy, and air transport. She has served on the faculties of Smith College and the Brookings Institution. She received her Ph.D. from the University of Chicago and her undergraduate education at Carleton College.