The United States Cyber Consequences Unit


The U.S. Cyber Consequences Unit


The U.S. Cyber Consequences Unit (US-CCU) is an independent, non-profit (501c3) research institute.  It provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks.  It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.

Although the US-CCU aims to provide credible estimates of the costs of ordinary hacker mischief and white collar crime, its primary concern is the sort of larger scale attacks that could be mounted by criminal organizations, terrorist groups, rogue corporations, and nation states.

The mission of the US-CCU is to provide America and its allies with the concepts and information necessary for making sound security decisions in a world where our physical well-being increasingly depends on cyber-security. The reports and briefings the US-CCU produces are supplied without charge to the government, to entire critical infrastructure industries, and to the public.

Intensive, Day-Long Courses 

For over a decade, the US-CCU has been the world leader in anticipating new cyber threats, quantifying their consequences, demonstrating the ROI for counter-measures, and, in general, showing how to implement a quantitative, risk-based approach to cyber security. In response to many requests, we are now offering courses to teach as much as we can of what we have discovered over our years of research.

   Cyber Security for Senior Management

Learn: Which cyber risks are real and which are mostly hype. How computers and networks actually operate, without the usual technical gobbledygook. What questions to ask cyber security professionals. How to take account of cyber-security in the initial planning of new operations and systems, in order to avoid large costs later. How to tell whether a given cyber-security strategy makes sense.


Dates: To be announced.

   Cyber Threat Analysis

Learn: How to anticipate what kinds of cyber attacks are coming, even when they haven’t been seen yet. How to analyze and model cyber attackers and the way they are developing. What things to watch for and how to understand what they mean. How to estimate how soon or how frequently a given attack will occur. Strategies for threat reduction.


Dates: To be announced.

   Cyber Consequence Analysis

Learn: How to estimate the costs of cyber attacks, even when those costs do not take the form of immediate expenditures. In particular, how to estimate the costs of damage to customer relationships, damage to brand, and theft of technical or business information. Strategies for increasing resilience and reducing consequences.


Dates: To be announced.

   Cyber Vulnerability Analysis

Learn: How to see the full range of vulnerabilities from both an offensive and a defensive perspective. How to evaluate vulnerabilities collectively and quantitatively. How to estimate the collective effect of vulnerabilities on prospective losses. Understanding the effects of defensive measures on the expenditures and skill levels needed by attackers.

Dates: To be announced.

   Cyber Policy Analysis

Learn: How to estimate the return on investment for different security policies. The reasons for market failures in cyber security and what can be done about them. The reasons for administrative failures in cyber security and what could be done about those. The implications of cyber attacks for corporate, national, and military strategic planning.

Dates: To be announced.

   Practical Cyber Intelligence

Learn: How to use sources that are readily available, but under-utilized. How to tie together threat intelligence from different sources. How to see cyber-attack developments in relation to other kinds of events. Finding the real affiliations of groups that are falsifying their identities. Deducing their technical capabilities. Analyzing probes, scans, and criminal offerings to make counter-moves before the associated attacks.

Dates: To be announced.

Key Features of the US-CCU’s Research 

   • State-of-the-Art Analysis

The US-CCU, since its inception, has been the leading source of new concepts and information for understanding the intersection of cyber, physical, and economic security. Its staff includes pioneering . . .

   • Scrupulously Neutral

The US-CCU’s research results are generally accepted as the most objective available. This objectivity is vital to its work, because the US-CCU regularly functions as a trusted third party, processing . . .

   • Utterly Confidential

The reason the US-CCU was set up as an independent, non-governmental organization was so it could rigorously protect the proprietary information of private sector corporations. This . . .

   • Real-world Oriented

The US-CCU is profoundly engaged with operational and business realities. It carries out nearly all of its research on-site and in-depth. It does not employ questionnaires or phone surveys. It conducts . . .

   • Interdisciplinary Expertise

In order to understand the role of cyber-security in business and operational contexts, the US-CCU makes use of a much wider range of expertise than has usually been employed in the security . . .

   • Highly Influential

One of the reasons that many corporations are happy to cooperate with the US-CCU’s research is that it helps government policy makers to take better account of their concerns. The US-CCU provides . . .

The US-CCU’s Analytic Method

The primary analytic method that the US-CCU employs is called Value Creation Analysis. This method was pioneered and applied to information problems by the US-CCU’s director in the mid-1990s. It draws on his earlier work in culture-based economics, on Harborne Stuart and Adam Brandenburger's work in value-based business strategy, and, more broadly, on cooperative game theory. The value-based approach has been part of the business school curricula at Harvard, Columbia, Wharton, UCLA, Dartmouth, NYU, and other leading universities for a number of years. It resulted in breakthroughs in pricing theory and in other areas of business strategy. It is only recently, however, that this approach was developed into a theory of value destruction by the US-CCU’s director and applied to the analysis of cyber-attacks. As far as the staff of the US-CCU are aware, this value creation/value destruction model is currently the only method for evaluating the economic consequences of cyber-attacks that can stand up to critical scrutiny.

Corporate Cyber-Security Exercises

In addition to its research activities, the US-CCU regularly conducts cyber-security exercises for critical infrastructure corporations and other institutions. These exercises normally consist of four table-top sessions . . .

The US-CCU’s Role as a Trend-Setter

The US-CCU director, chief technology officer, and staff have been among the leaders in each of the changes in cyber-security focus over the last several years.  They have helped to shift the focus from cyber-attacks that merely interrupt services to those that use false information to do active damage or destroy trust, from mass attack viruses and worms to attacks targeted at specific businesses and processes, from perimeter defense to internal monitoring and recovery, from cyber-vandalism and petty theft to large indirect-payoff cyber-crimes, and from cyber-security as a separate field to the integration of cyber and physical security.  Almost every recent trend in cyber-attack strategies and technologies has been anticipated or identified in its earliest stages by US-CCU researchers.

Although US-CCU’s research lays out the possible consequences of cyber-attacks and the likely effects of counter-measures in some detail, it does not make specific recommendations about how to bring about the needed security reforms.  Instead, the US-CCU attempts to identify the ways in which counter-measures need to take account of the special circumstances and business conditions in specific industries.  Despite the urgency of this subject, it is not an area in which hasty or one-size-fits-all solutions are likely to be good solutions.

The US-CCU's International Outreach

International cooperation is essential if we are to have any chance of limiting the destruction that can be caused by cyber-attacks. Cyber-attacks can now be launched from virtually anywhere, and their targets . . .

The Urgency of This Cyber-Security Work

Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great. The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated. But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive. Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage. At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies. At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars' worth of damage and to cause thousands of deaths.

Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions.  The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks.  Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed.  This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited.  It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.



Scott Borg

Director and Chief Economist (CEO)

Scott Borg originated many of the concepts and categories currently being used to understand the strategic and economic implications of cyber-attacks. He founded the US-CCU at the request of senior government officials, who wanted an independent, economically-oriented source of cyber-security research. He has lectured at Harvard, Yale, Columbia, London, and other leading universities.


Warren Axelrod

Research Director for Financial Services

Warren Axelrod is one of the leading authorities on the cyber-security of financial institutions. He helped create some of the financial industry practices that are now standard. In addition to his CISSP and other cyber-security qualifications, he has a Ph.D. in economics from Cornell and degrees in engineering and statistics from the University of Glasgow.


John Bumgarner

Research Director for Security Technology (CTO)

John Bumgarner is a celebrated “über-hacker” with 18 years of service in Special Operations and intelligence. His private sector certifications include CISSP, GIAC (Gold), and dual Master's degrees in Information Systems Management and Security Management.


Joel Gordes

Research Director for Electrical Power

Joel Gordes has been a recognized expert on energy policies and electrical utilities for nearly thirty years, winning respect from all parties. His interest in security issues dates from his military days, when, after graduating from the U.S. Air Force Academy, he flew over 130 combat missions, receiving the Distinguished Flying Cross and the Air Medal with eight oak leaf clusters.


Paul Thompson

Research Director for Manufacturing Supply Chains

Paul Thompson is an expert on cognitive hacking and text mining. He has served on the computer science faculties of Dartmouth College, the University of Minnesota, and George Mason University. His Ph.D. is from the University of California at Berkeley.


Charles Wheeler

Research Director for East Asian Partnerships

Charles Wheeler is an expert on the international activities of East Asian businesses and on their historical roots. He has served on the faculty of the University of California at Irvine. His doctorate in Southeast Asian history is from Yale, and his undergraduate studies in Chinese were at the University of Washington.

Senior Research Fellows


Harborne Stuart

Consulting Director for Analytic Methods

Gus Stuart is responsible for several of the key concepts in game-theory-based business strategy, including the rigorous formulation of Added Value. He has a doctorate in decision science, an MS in engineering sciences, and a BA in mathematics, all from Harvard. He is currently an Associate Professor in the Business School of Columbia University.

Senior Research Associates


April Andrews

Consulting Financial Analyst

April Andrews is a Certified Financial Analyst (CFA) who specializes in matters related to information technology. Her MBA is from Duke University, and her undergraduate education was at Amherst College.


Steffani Burd

Consulting Statistician

Steffani Burd is a statistician specializing in homeland security and cyber-security. She received her Ph.D. from Columbia University and her undergraduate education at the University of Chicago.

Ardith Spence

Consulting Research Economist

Ardith Spence is an economist with special expertise in resource management, energy, and air transport. She has served on the faculties of Smith College and the Brookings Institution. She received her Ph.D. from the University of Chicago and her undergraduate education at Carleton College.

  Copyright © 2004- U.S. Cyber Consequences Unit. All Rights Reserved.