Society For Risk Analysis Annual Meeting 2012

Advancing Analysis

Session Schedule & Abstracts


* Disclaimer: All presentations represent the views of the authors, and not the organizations that support their research. Please apply the standard disclaimer that any opinions, findings, and conclusions or recommendations in abstracts, posters, and presentations at the meeting are those of the authors and do not necessarily reflect the views of any other organization or agency. Meeting attendees and authors should be aware that this disclaimer is intended to apply to all abstracts contained in this document. Authors who wish to emphasize this disclaimer should do so in their presentation or poster. In an effort to make the abstracts as concise as possible and easy for meeting participants to read, the abstracts have been formatted such that they exclude references to papers, affiliations, and/or funding sources. Authors who wish to provide attendees with this information should do so in their presentation or poster.

Common abbreviations

M3-G
Analysis of Cyber Security Risk

Room: Pacific Concourse I   1:30 - 3 PM

Chair(s): Barry Ezell



M3-G.1  13:30   Communicating Application Security Risk & Business Value. O'Kane J.B.*, Atri A.; Vigilant, Inc.   jbokane@thevigilant.com

Abstract: The spread of opportunistic and malicious behavior through online economic networks is an ongoing risk associated with online business transactions. Today, web-facing business applications are an attractive target of choice for malicious adversaries due to the perceived value of data that passes through such applications. To properly secure online commerce and protect information,information security operations teams need to account for the planning, learning, and adaptation of intelligent adversaries. To this end, application security monitoring is now emerging as a key business risk control mechanism. Information security operations teams now have more opportunities to interact with and bring risk mitigation value to a new set of interested stakeholders (e.g. business application owners, application developers, and application production and support teams). Such teams are now challenged with communicating (1) the security risks an application may be subject to, and (2) the available risk control decision options. Drawing upon the lessons learned from multiple application security monitoring development projects, this presentation will outline the risk communication pitfalls security operations teams need to avoid, along with various approaches that can be adopted to improve the communication of application security risk and business value.

M3-G.2  13:50  Industrial Control System Cyber Risk to Regional Transportation. Ezell B*, Robinson M, Flanagan D, Weiss J; Old Dominion University's VMASC, Innovative Decisions, Inc.   bezell@odu.edu

Abstract: There is increasing concern among government officials regarding the potential for a cyber-attack on critical infrastructure control systems (ICS). Experts believe that ICS are more vulnerable today than in the past due to the increased standardization of technologies, the increased connectivity of ICS to other computer networks and the Internet, insecure connections, and the widespread availability of technical information about ICS. ICS are used to monitor, operate, and control major industrial systems including power production, power transmission and distribution, water and wastewater control, and transportation systems such as the bridge tunnel systems. If an attacker were able to access the control system communications network for instance, they would be able to send deceptive signals to disrupt normal transportation operations by overriding fail-safes in systems, and cause severe infrastructure disruption and extensive downtime. Our research assesses the risk to Cyber risk to ICS in the transportation sector. In addition, we address the serious knowledge gap among senior leaders and key stakeholders on ICS vulnerabilities in the transportation infrastructure and the education gap in the computer sciences discipline.

M3-G.3  14:10  A novel integrated approach to cyber-physical infrastructure risk assessment. Panjwani S*; Thane Incorp.   susmit@gmail.com

Abstract: The author conducted acquisition risk assessment for a key program in an initiative identified as one of the most complex systems ever developed by the US government. This paper describes an integrated risk assessment tool designed using the lessons learned from this program. Critical infrastructure is becoming a complex and dynamic network of cyber and physical systems, which faces a portfolio of cyber-security, engineering (reliability and safety), and acquisition (cost, schedule and benefits) risks. Current popular methods for conducting these assessments have their own limitations and there is no integrated framework that combines these methods effectively. Current cyber-security risk assessment methods assume that there are no “known unknowns” or “unknown unknowns” and do not incorporate exploratory nature of the intelligent adversary. Acquisition assessments often use subjective risk matrices and identification methods that cannot effectively calculate the required probabilistic confidence levels. Engineering assessments often do not capture the system dynamics. Risk-informed design provides an opportunity to mitigate risks at their inception. However, current assessments are done independently after the detailed system design is available and requires a significant amount of time. This limits the opportunity to update the initial system design without increasing acquisition risks. The author developed an integrated tool for conducting security, engineering and acquisition risk assessment that alleviates the limitations of current assessment methods. This tool automatically generates risk scenarios using initial high level system architecture. These scenarios can be updated dynamically as more information about system architecture and security threats becomes available. The framework allows combining the risk scenarios generated for different infrastructures. This tool was developed using a new situational automated planning framework created by the author.

M3-G.4  14:30  A stochastic network-interdiction model for cyber security. Ertem M*, Bier VM; University of Wisconsin-Madison   ertem@wisc.edu

Abstract: We propose a general defender-attacker model for security of computer networks, using attack graphs to represent the possible attacker strategies and defender options. The defender’s objective is to maximize the security of the network under a limited budget. In the literature, most network-interdiction models allow the attacker only one attempt (assuming that the attacker is captured and disabled after a single failure); other models allow multiple attempts, but assume that any subsequent attempt begins at the point in the network where the previous attempt failed. These models are not appropriate for computer security, where the attacker could be operating from the safety of a foreign country, and the cost of starting over with a completely different attack strategy may be quite low. To represent the ability of the attacker to launch multiple attempts, we represent the attacker’s success or failure on any one arc of the attack graph probabilistically, and formulate the resulting security problem as a multiple-stage stochastic network-interdiction problem. In the resulting game, a non-myopic defender anticipates both the attacker’s strategy choices, and their probability of success or failure, and chooses a single defensive strategy (i.e., a set of arcs in the attack graph to protect) by which to defend against multiple attempted attacks. The attacker then launches an optimal attack against the system, assuming knowledge of which arcs have been protected. If the attacker fails at the first attempt, a second-stage optimal attack strategy is chosen, based on a revised attack graph showing which arcs have already been successfully traversed (now assumed to have success probabilities of 1), and which arc led to failure of the first-stage attack (now assumed to have a success probability of 0). We solve the resulting stochastic-optimization problem using two-stage stochastic optimization with recourse and explore the attacker’s non-myopic attack strategies.



[back to schedule]