World Congress on Risk 2015
19-23 July, 2015, Singapore

Online Program

Session Schedule & Abstracts

* Disclaimer: All presentations represent the views of the authors, and not the organizations that support their research. Please apply the standard disclaimer that any opinions, findings, and conclusions or recommendations in abstracts, posters, and presentations at the meeting are those of the authors and do not necessarily reflect the views of any other organization or agency. Meeting attendees and authors should be aware that this disclaimer is intended to apply to all abstracts contained in this document. Authors who wish to emphasize this disclaimer should do so in their presentation or poster. In an effort to make the abstracts as concise as possible and easy for meeting participants to read, the abstracts have been formatted such that they exclude references to papers, affiliations, and/or funding sources. Authors who wish to provide attendees with this information should do so in their presentation or poster.

Common abbreviations

Tuesday 21-07-2015

Risks in the Cyber Domain

Room: Aspiration   11:00–12:30

Chair(s): Zach Collier

1    Risk and Resilience in Cyber-Physical Systems. Collier ZA, US Army Engineer Research & Development Center; Linkov I, US Army Engineer Research & Development Center (411)

Abstract: Recent high profile cyber attacks have resulting in calls for enhanced resilience of our critical cyber-enabled infrastructure. However, the concept of resilience is still not well understood and varies across disciplines. In this presentation, we will explore the interconnections between the areas of concern for cyber-physical systems. We will then define resilience and show how a matrix-based approach for generating resilience metrics can be used to facilitate decision making. This approach to resilience integrates the event management cycle defined by the National Academy of Sciences with the physical, information, cognitive, and social domains in which these systems exist, as outlined in the Command and Control literature. This systems-based approach can be used to comparatively assess the relative resilience of different systems and the contributions of individual responses or safeguards to overall system resilience.

2    Cyber-Physical Risk Analysis with Object-Process Methodology: Three-Mile Island Accident Revisited. Mordecai Yaniv, Technion - Israel Institute of Technology; Dori Dov, Technion - Israel Institute of Technology (180)

Abstract: Cyber-physical (CP) systems simultaneously reside and act in the virtual (cyber) and physical domains, impact the physical world based on virtual events, and vice versa. CP Duality (CPD) is the simultaneous existence of an entity as both an authentic embodiment, and a representation held by CP systems interacting with the entity. CPD is a fundamental source of risk that may appear throughout the system’s lifecycle. Many failures and catastrophes can be attributed to system misconception of its surroundings and system operation based on erroneous representations. The recent Malaysia Airlines 370 disappearance is clearly a case of misrepresentation by the air traffic control authorities of the aircraft’s whereabouts and condition, resulting in failure to contact and locate the aircraft in time. CPD-aware aircraft tracking solutions could mitigate the aircraft disappearance risk. We propose a model-based Cyber-Physical Risk Analysis and Mitigation framework. Object-Process Methodology (OPM, ISO 19450) – our underlying conceptual modeling framework – is a holistic systems engineering paradigm for complex and dynamic systems. OPM provides a unified view of the structural, functional, and behavioral aspects of the system, a bimodal textual-graphical representation, and robust, proven conceptual modeling semantics and patterns for risk analysis, exception handling and CPD. These patterns can be applied on top of and in sync with the core functional system model, forming a wide and reliable basis for a high-fidelity risk-aware model. We elaborate OPM’s capability to extend the core functional model to cover the risk mechanisms integrated into the system. We demonstrate our assertions regarding CP risk, by analyzing the Malaysia Airlines 370 event, and also by revisiting the famous Three-Mile Island nuclear accident of 1979, where CP incoherence led to the nuclear meltdown catastrophe. This example emphasizes that CP risk is not only in state-of-the-art cyber technologies.

3    Risk Parameters in Holistic Cyber Security Risk Assessment. Henshel D, Indiana University; Cains M, Indiana University; Alexeev A, Indiana University; Rajivan P, Indiana University (247)

Abstract: All of the current cyber security risk assessment frameworks, as typified by the National Institute of Standards and Technology (NIST) 2014 framework, are reactive and only protect toward weaknesses, threats, and vulnerabilities that are already known. The NIST framework takes into account asset vulnerabilities as in hardware and software. Known cyber threats are well documented in online databases but are limitedly useful for the protection from new, yet unknown, and unidentified vulnerabilities or threats that are likely be developed and exploited with time. In order to develop a more useful predictive and holistic method that is quantifiable, the Cyber Security Collaborative Research Alliance as funded by U.S. Army Research Laboratories has been developing and identifying a more extensive list of vulnerabilities and factors that affect both system and asset level risk. We will present an example showing the identified risk parameters for a very simple system model.

[back to schedule]