Risk in cyber systems
Abstract/Contents
- Abstract
- Significant uncertainty surrounds cyber security investments. Chief information officers (CIOs) operate with limited resources and typically do not know the relative risk of different cyber attack vectors, such as malicious email, website attacks, or lost laptops. Therefore, CIOs currently have difficulty in assessing the risk reduction associated with different cyber security investments, possibly resulting in a poor allocation of resources. For example, an organization might dedicate significant resources to detecting malicious insiders, even though its risk from website hacking is much larger. Presently, cyber risk is managed qualitatively in most organizations. Current best practices rarely incorporate quantitative risk tools and instead largely advocate the use of risk matrices, which are ambiguous and lack the ability to incorporate system dependencies. This dissertation discusses the application of probabilistic risk analysis (PRA) to cyber systems, which allows decision makers to rigorously assess the value of cyber security safeguards. First, different classes of attack scenarios are modeled. For example, laptops are lost or stolen, websites are defaced, phishing emails attempt to steal employee credentials, and malware infects machines via web browsing. Next, the rate and consequences of each scenario are assessed, drawing heavily from historical data at organizations, academic literature, publicly available data, and expert knowledge. In the case of large or rare cyber incidents where sufficient data do not exist, scenario analysis is used to obtain probabilistic assessments. These data initialize a Monte Carlo simulation to calculate probability distributions of monetary losses resulting from cyber incidents at the organization. Next, safeguards are considered that change the rate or impact of the scenarios. Changing the model structure or the model inputs shows how each safeguard affects the consequence distribution, essentially demonstrating the value of each safeguard. Sensitivity analysis can also be performed to identify the important uncertainties and the robustness of different safeguard implementation decisions. The process described above is a framework for the quantitative assessment of cyber risk in dollar terms. The result is that cyber security safeguards can be valued and prioritized. To demonstrate this framework in action, this dissertation describes a general model combined with a detailed case study of cyber risk quantification at a large organization. Over 60,000 cyber security incidents from that organization are analyzed and used to initialize the model to determine the cost-effectiveness of security safeguards including full disk encryption, two-factor authentication, and network segmentation. These data provide useful statistics for low and medium level incidents, but some incidents may be absent from the data because large incidents have not yet occurred, or have occurred too rarely to obtain good estimates for the probabilities. In this case, classes of scenarios are modeled and initialized with conditional probabilities elicited from experts. The data driven model is combined with the scenario based model by overlapping the two cost curves to ensure that incidents are not double counted, resulting in a complete and comprehensive assessment of cyber risk at the organization. Risk quantification is a critical requirement for organizations. A lack of real-world data and massive uncertainty about cyber impacts has limited progress, but organizations can now be armed with the information and tools needed to measure cyber risk. Cyber security continues to be a rapidly evolving domain, but risk quantification illuminates the cyber landscape and enables defenders to improve resource allocation and optimize decision making.
Description
| Type of resource | text |
|---|---|
| Form | electronic; electronic resource; remote |
| Extent | 1 online resource. |
| Publication date | 2017 |
| Issuance | monographic |
| Language | English |
Creators/Contributors
| Associated with | Kuypers, Marshall A |
|---|---|
| Associated with | Stanford University, Department of Management Science and Engineering. |
| Primary advisor | Paté-Cornell, M. Elisabeth (Marie Elisabeth) |
| Thesis advisor | Paté-Cornell, M. Elisabeth (Marie Elisabeth) |
| Thesis advisor | Bambos, Nicholas |
| Thesis advisor | Lin, Herbert |
| Thesis advisor | Mitchell, John |
| Advisor | Bambos, Nicholas |
| Advisor | Lin, Herbert |
| Advisor | Mitchell, John |
Subjects
| Genre | Theses |
|---|
Bibliographic information
| Statement of responsibility | Marshall A. Kuypers. |
|---|---|
| Note | Submitted to the Department of Management Science and Engineering. |
| Thesis | Thesis (Ph.D.)--Stanford University, 2017. |
| Location | electronic resource |
Access conditions
- Copyright
- © 2017 by Marshall A Kuypers
- License
- This work is licensed under a Creative Commons Attribution Non Commercial 3.0 Unported license (CC BY-NC).
Also listed in
Loading usage metrics...