Risk Analysis DOI: 10.1111/risa.13309

Perspective

Risk and the Five Hard Problems of Cybersecurity

Natalie M. Scala,1,* Allison C. Reilly,2 Paul L. Goethals,3 and Michel Cukier4

1 College of Business and Economics, Towson University, Towson, MD, USA.
2 Department of Civil and Environmental Engineering, University of Maryland, College Park, MD, USA.
3 United States Military Academy, West Point, NY, USA.
4 Department of Mechanical Engineering, University of Maryland, College Park, MD, USA.
* Address correspondence to Natalie M. Scala, College of Business and Economics, Towson University, 8000 York Road, Towson, MD 21252, USA; tel: +1(410)704-2773; nscala@towson.edu.

This perspectives article addresses risk in cyber defense and identifies opportunities to incorporate risk analysis principles into the cybersecurity field. The Science of Security (SoS) initiative at the National Security Agency seeks to further and promote interdisciplinary research in cybersecurity. SoS organizes its research into the Five Hard Problems (5HP): (1) scalability and composability; (2) policy-governed secure collaboration; (3) security-metrics–driven evaluation, design, development, and deployment; (4) resilient architectures; and (5) understanding and accounting for human behavior. However, a vast majority of the research sponsored by SoS does not consider risk and when it does so, only implicitly. Therefore, we identify opportunities for risk analysis in each hard problem and propose approaches to address these objectives. Such collaborations between risk and cybersecurity researchers will enable growth and insight in both fields, as risk analysts may apply existing methodology in a new realm, while the cybersecurity community benefits from accepted practices for describing, quantifying, working with, and mitigating risk.

KEY WORDS: Cybersecurity; “Five Hard Problems”; system design; vulnerability mitigation

1. INTRODUCTION

1.1. Cybersecurity and the Risk Perspective

Cybersecurity—the measures taken to protect network systems and their data against attacks or intrusions—is by definition a risk problem. There is significant uncertainty not only in how, where, and when attacks will occur, but also as to how vulnerable systems are to these attacks. While some intrusions are known to have occurred, others are not. Many attacks may simply go undetected, and those that are detected can wreak significant harm. Most systems are so complex that no solution can be fully guaranteed to prevent an intrusion. Thus, the cybersecurity problem space contains significant epistemic uncertainty.

In order to address the complexities of the cybersecurity problem, the National Security Agency (NSA) established the “Science of Security” (SoS) initiative to advance scientific practices in the field of cybersecurity and promote interdisciplinary work (U.S. National Security Agency, 2018a). In support of this, SoS created the Five Hard Problems (5HP) to provide structure for a comprehensive, government-driven research program, and to encourage collaboration across disciplines by formalizing research needs (Nicol, Sanders, Scherlis, & Williams, 2012). Each of the 5HP sits squarely within the principles of risk, although the concept of risk itself, along with uncertainty, is discussed only implicitly in the 5HP. In fact, the term “risk” is only used eight times in the entire 21-page document. All this suggests that risk concepts are only barely driving the research direction in a problem space that is inherently driven

1 0272-4332/19/0100-0001$22.00/1 © 2019 Society for Risk Analysis