“CYsyphus” – The Cyber Security Recommendations Project

Team: Jason Healey, Jennifer Lake, Danielle Murad Waiss, Louis Jarvers

Department: Columbia University’s School of International and Public Administration (SIPA)

Institute: Saving Cyberspace Initiative at A. Saltzman Institute of Peace and War Studies

"CYsyphus" (pronounced SIGH-si-fis) is a decision-support tool, that provides users with an easy-to-search online database on existing cyber reports and recommendations. CYsyphus facilitates the discovery of past wisdom to avoid repetition and enable leapfrogging to new insights and recommendations in support of policy makers, congressional staffers, journalists and students. The project uses NLP-driven classification and categorization algorithms to corroborate and expand the existing collection of approx. 1,200 recommendations from 130 reports. With CYsyphus, researchers and policy staffers will increase the speed at which policy is created, improve the quality of those decisions, and allow researchers to assess policy effectiveness.

The Problem – Ignoring Past Cyber Recommendations

For decades, the Federal government, private sector, universities, and think tanks have issued thousands of recommendations to improve cybersecurity. Despite their abundance, these reports are often overlooked and forgotten. Like the Greek mythological figure Sisyphus, who has to roll a boulder up a hill for eternity, new task forces are created, that ignore prior work and propose similar recommendations.

The Solution – Storing and Finding Past Cyber Recommendations

The cybersecurity community must develop longer memories. This requires a comprehensive collection, review and organization of existing recommendations into a new decision-support system. This will make the lessons of the past more searchable for faster, more effective cyber policy decision making. The primary product of CYsyphus is an interactive, publicly accessible decision support tool that allows front-end users to search and filter for existing cyber policy recommendations. As secondary product, CYsyphus will allow researchers access to the full database as well as the collected metrics derived from the collective use of the decision support tool (e.g., key word frequency, time development, policy gaps, filter options). This back-end analysis leverages the understanding of policy research and formulation and lays groundwork for an intellectual framework to guide metrics for measuring policy success.


With the long-term vision to capture and code every cybersecurity recommendation made in the English language, the decision-support tool aims to reduce, by an order of magnitude, the amount of time it takes to ideate and create policy-relevant recommendations.

Future Users

  1. Executive-branch decision makers and their staffs can create new cybersecurity policies, as researchers and analysts can pull relevant recommendations and draft policy memos to help guide new policies.
  2. Legislators and their staffs can easily reference past recommendations, gauge progress or source ideas for new legislation to position members on emerging issues.
  3. Cyber Security Researchers gain access a rich history of public policy on a critical issue underpinning national security, as well as the digital economy and society.
  4. Industry, may access information about recommendations pertaining to supply chain, third-party risk, and other systemic issues for setting internal policies and cyber security standards.
  5. Others, including journalists, students and presidential campaign

Methods and Analytical Approach

CYsyphus started as a small-scale and informal project at Columbia University. Four years, students collected and coded recommendations from dozens of reports into a searchable database. The current dataset of approx. 1,200 recommendations from 130 reports contains the recommendations, a categorization and available meta-data from the reports. The project will employ an NLP-driven categorization of existing data (re-classification) as well as an identification of new recommendations from manually and web-crawled reports.


CYsyphus is designed and implemented under the Saving Cyberspace Initiative at Columbia University’s School of International and Public Affairs (SIPA). The team of four is led by Jason Healey, director of the Program on Future Cyber Risks and a senior research scholar at SIPA. The project is a joint venture with the Atlantic Council’s Brent Scowcroft Center for Strategy and Security that supports this project particularly through outreach and back-end research. Over the next two years, the team will expand the database with a focus on recommendations produced in the past four years and set up the user-friendly front-end.