Society For Risk Analysis Annual Meeting 2017

Session Schedule & Abstracts


* Disclaimer: All presentations represent the views of the authors, and not the organizations that support their research. Please apply the standard disclaimer that any opinions, findings, and conclusions or recommendations in abstracts, posters, and presentations at the meeting are those of the authors and do not necessarily reflect the views of any other organization or agency. Meeting attendees and authors should be aware that this disclaimer is intended to apply to all abstracts contained in this document. Authors who wish to emphasize this disclaimer should do so in their presentation or poster. In an effort to make the abstracts as concise as possible and easy for meeting participants to read, the abstracts have been formatted such that they exclude references to papers, affiliations, and/or funding sources. Authors who wish to provide attendees with this information should do so in their presentation or poster.

W2-E
Cyber and Game Theory

Room: Salon E   10:30 am–12:00 pm

Chair(s): Diane Henshel   dhenshel@gmail.com

Sponsored by Security and Defense Specialty Group



W2-E.1  10:30 am  Expert Elicitation of Cyber Security Experts: What is Cyber Security Risk? Henshel DS*, Cains MG, Taber DL, King ZM; Indiana University, Bloomington   dhenshel@gmail.com

Abstract: Cyber security risk assessment has traditionally been narrow in focus and often based on a business risk assessment approach (quantifying replacement costs). Within a defensive environment, cyber security risk assessment requires holistic consideration of impacts well beyond the financial costs of replacing hardware and software by explicitly accounting for the user, analyst, defender, and attacker as risk initiators and risk mitigators. A holistic cyber security risk assessment approach is being developed within the Cyber Security Collaborative Research Alliance (CSec CRA). Based on guidelines used in other risk assessment fields (e.g. human health, ecology), rigorous problem formulation and the development of assessment goals are crucial for constructing a representative risk assessment. Due to the diversity of disciplines and number of participants in the CSec CRA, semi-structured interviews were conducted to determine the collective definition of cyber security and cyber security risk, as well as a baseline goal for a more holistic cyber security risk assessment approach. Twenty-seven principal investigators and researchers from the U.S. Army and within academia participated in the interview process. Data-driven thematic analysis was performed on the interview corpus; interviewees remarked that much of cyber security risk arises from a lack of understanding of the interactions, motives, and effects of human factors on cyber security. Nearly all of the interviewees stated that the traditional vulnerability triad of confidentiality, integrity, and availability encompasses the risks posed to cyber security. Academic interviewees indicated a need for more military-specific information from their Army counterparts (e.g. specific military operation scenarios) to allow more military-relevant cyber security risk modeling. We will discuss the CSec CRA’s collective definition of cyber security and cyber security risk.

W2-E.2  10:50 am  Cyber Risk Analysis for a Smart Grid: How Smart is Smart Enough? A Multi-Armed Bandit Approach to Cyber Security Investment. Smith MD, Pate-Cornell ME*; Stanford University   msmith7@stanford.edu

Abstract: As electric sector stakeholders make the decision to upgrade traditional power grid architectures by incorporating smart grid technologies and new intelligent components, the benefits of added connectivity must be weighed against the risk of increased exposure to cyberattacks. Therefore, decision makers must ask: how smart is smart enough? This dissertation presents a probabilistic risk analysis (PRA) framework for this problem, involving systems analysis, stochastic modeling, economic analysis, and decision analysis to quantify the overall benefit and risk facing the network and ultimately help decision makers formally assess tradeoffs and set priorities given limited resources. Central to this approach is a new Bayes-adaptive network security model based on a reformulation of the classic “multi-armed bandits” problem, where instead of projects with uncertain probabilities of success, a network defender faces network nodes that can be attacked at uncertain Poisson-distributed rates. This new technique, which by similarity we call “multi-node bandits,” takes a dynamic approach to cybersecurity investment, exploring how network defenders can optimally allocate cyber defense teams among nodes in their network, in effect taking teams that traditionally respond to cyber breaches after they occur, and instead employing them in a proactive manner for defensive and information gathering purposes. We apply this model to a case study of an electric utility considering the degree to which to integrate demand response technology into their smart grid network, jointly identifying both the optimal level of connectivity and the optimal strategy for the sequential allocation of cybersecurity resources.

W2-E.3  11:10 am  Cyber Attack Risk Evaluation using a Stochastic Epidemiological Framework. Alexeev A, Henshel DS, Agarwal V, Cains MG*; Indiana University   aalexeev@indiana.edu

Abstract: Security is a crucially important concern for sustainable operation of computer and communication networks given the plethora of attack vectors and the number of attacks per minute launched in virtually any network. Propagation of malware represents one of the main risk threats to network security. The process of malware spread and its dynamics can be modeled using adapted epidemiological models. Most models are deterministic in their nature, which produces an almost completely identified dissemination path. Deterministic models do not account for heterogeneity of the network components, such as in devices, software, and users. Behavioral and chance attributes of human agents (users) alone justify employment of a stochastic framework. Stochastic models allow for variability between simulations, permitting such useful features as stochastic resonance or stochastic extinction. Stochastic behavior becomes particularly important in small networks or when the number of initially compromised computers is small. This paper presents results of a study of malware spreading in heterogeneous networks using a stochastic epidemiological SIR-modeling framework that includes attacking and defending networks, and explicitly introduces their interaction. We describe malware propagation in a computer network with heterogeneous components using a system of ordinary differential equations to model deterministic dynamics of propagation. The deterministic trajectories are compared to those with stochastic input to either network as a unified whole or to specific input into a single component of one network. Simulations are conducted to model variation in multiple parameters or variables. The stochastic framework incorporates different characteristics of the attacking network, such as attack intensity and periodicity. The paper concludes with a discussion of the effect of stochastic behavior on risk of malware propagation in diverse computer networks.

W2-E.4  11:30 am  Integrating Defenders and Attackers into Cyber Security Risk Models. Agarwal V*, Henshel DS, Alexeev A, Cains MG; Indiana University   varagarw@indiana.edu

Abstract: Current approaches to modeling cyber security risk assessment typically only include assets, the hardware and software of a cyber network, especially those based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Human factors are considered primarily in terms of how users use networks, which helps defenders and IT managers prioritize assets; while the defenders and IT managers consider risk from their perspective of how to best protect their system. Risk management within the context of the NIST framework does not consider humans as actual risk factors, initiators and mitigators of risk, and therefore potential components of a predictive model of network security risk. Attributes of the human actors, attackers, defenders, and users, such as experience or knowledge, may significantly influence how human actors contribute to or mitigate cyber-risk, and thus are appropriate parameters to include in a predictive cyber security risk model. Extending our previous work which modeled the contribution of human factors to aggregate cybersecurity risk, we introduce human factor parameters to incorporate attacker and defender skills into our modeling framework. We use empirical distributions for the nodes in the Bayesian network, adapted from data observed and documented by studies of SQL injection attacks. Using empirical evidence gives a more versed view of how changes in the network affect the overall risk, in comparison to using theoretical assumptions. We discuss how including human factors contributes to increasing or mitigating risk in cyber networks, detailing the potential impacts and effects of human actors on risk posture, strategy, and response. We model and evaluate the risks for an SQL injection attack on a highly sensitive database server. We will discuss parametrization and validation of the model using empirical data obtained in the experiment on a virtual network test bed.


