Risk and the Five Hard Problems of Cybersecurity
Related papers
2016 IEEE Symposium on Technologies for Homeland Security (HST), 2016
Decision-making in cyber-security is mostly ad-hoc and highly reliant on static policies, as well as human intervention. This does not fit current networks/systems, as they are highly dynamic systems where security assessments have to be performed, and decisions have to be made, automatically and in real-time. To address this problem, we propose a risk-based approach to cybersecurity decision-making. In our model, the system undergoes a continuous security risk assessment based on risk; decisions for each action are taken based on constructing a sequence of alternative actions and weighing the cost-benefit trade-offs for each alternative. We demonstrate the utility of our system on a concrete example involving protecting an SQL server from SQL injection attacks. We also discuss the challenges associated with implementing our model.
Managing cyber risk, a science in the making
Scandinavian Actuarial Journal
Not a day goes by without news about a cyber attack. Fear spreads and lots of wrong ideas circulate. This survey aims at showing how all these uncertainties about cyber can be transformed into manageable risk. After reviewing the main characteristics of cyber risk, we consider the three layers of cyber space: the hardware, software and psycho-cognitive layers. We ask ourselves how this risk differs from others, how modelling has been tackled and needs to evolve, and what the multi-faceted aspects of cyber risk management are. This wide exploration pictures a science in the making and points out the questions to be solved for building a resilient society.
Harmonizing and Uniting the Key Technical Disciplines for Risk Management of Cyber Security
This paper addresses the need to bridge the cultural, educational, and technical divides that are impeding professionals and organizations engaged in system and software development and associated security problems. In particular, harmonizing and uniting several key technical disciplines (software engineering, computer science, systems engineering) are critical for a sustainable risk management process incorporating the best practices of cyber security and information assurance. We identify the foundations for raising the level of shared culture and technical knowledge for system and software development, and suggest steps toward closing the cultural and technical gaps that divide the disciplines, including the development of joint curricula and other educational initiatives. A fundamental issue is how to link "mission assurance" with "information assurance," recognizing that more and more missions are being provided with automation support and therefore are more and more information dependent. The paper is in six parts: Introduction, Six
Cyber risk logics and their implications for cybersecurity
International Affairs, 2024
Cybersecurity in national and international security is frequently discussed in an existential register. However, most cybersecurity activities are normal and routine, including diverse practices of cyber risk management. The intricacies of cyber risk and its connection to security and threat politics have received surprisingly little attention in the cyber politics literature. This article addresses this gap through a twofold theoretical proposition. The first argues that cyber risk in policy and practice inhabits a continuum between 'classical' risk and security postures. The second proposes the existence of multiple risk logics located in different positions on this continuum. To illustrate this, we outline two distinct cyber risk logics-'risk as potential threats' and 'risk as uncertainty'. Through an exploratory case study of UK risk policy and guidance, we find indications of the simultaneous existence of these risk logics, including in specific organisational contexts. We propose that 'risk as potential threats', in particular, acts as a 'bridge' between conventional risk and security. We conclude by discussing how differentiating cyber risk logics facilitates a finer-grained appreciation of cybersecurity policy and practice and provides opportunities for disciplinary engagement with the organisational and institutional politics of cybersecurity and 'the international'.
The Marriage Between Safety and Cybersecurity: Still Practicing
Lecture Notes in Computer Science, 2021
Emerging technologies, like self-driving cars, drones, and the Internet-of-Things must not impose threats to people, neither due to accidental failures (safety), nor due to malicious attacks (security). As historically separated fields, safety and security are often analyzed in isolation. They are, however, heavily intertwined: measures that increase safety often decrease security and vice versa. Also, security vulnerabilities often cause safety hazards, e.g. in autonomous cars. Therefore, for effective decision-making, safety and security must be considered in combination. This paper discusses three major challenges that a successful integration of safety and security faces: (1) the complex interaction between safety and security, (2) the lack of efficient algorithms to compute system-level risk metrics, (3) the lack of proper risk quantification methods. We will point out several research directions to tackle these challenges, exploiting novel combinations of mathematical game theory, stochastic model checking, as well as the Bayesian, fuzzy, and Dempster-Shafer frameworks for uncertainty reasoning. Finally, we report on early results in these directions.
Risk based approach in scope of cybersecurity threats and requirements
Procedia Manufacturing, 2020
This paper is focused on theoretical and practical considerations related to risk management and cyber security based on the cyber kill chain concept introduced by Lockheed Martin. The proposed approach of cyber risk management embedded in the cyber kill chain is new and not reflected in the available literature. The proposed risk management process of identifying, analyzing, evaluating, assessing and ultimately responding to cyber threats, and monitoring risks in each stage of the cyber kill chain, is the heart of the proposed approach. The approach may be used in organizations which are going to implement security mechanisms to align with the in-force requirements or to reduce cyber risks to an accepted level. The risk assessment process introduced by the authors is followed by a description of an example risk evaluation method based on a continuous-time Markov chain as a model of the cyber kill chain.
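The abstract names a continuous-time Markov chain over the kill-chain stages as its risk evaluation method but gives no detail. The following Python is an added example of that kind of model, not code from the paper: each of the seven Lockheed Martin stages is a state, the attacker advances to the next stage at an assumed rate, and the defender moves the attacker into a "contained" state at a per-stage detection rate. The risk metric is the probability that the attacker reaches actions-on-objectives within a time horizon, computed by uniformization in pure Python; the per-stage sensitivity function shows which stage's detection capability most reduces that risk. All rate values are illustrative assumptions, not measured data.

```python
"""Continuous-time Markov chain (CTMC) risk model of the cyber kill chain.

Added illustration, not code from the paper above.  Stage names follow the
Lockheed Martin kill chain; every rate value is an assumed number chosen for
the example, not measured data.
"""
import math

# Seven kill-chain stages, indexed 0..6; index 7 is the "contained" state the
# defender moves the attacker into on detection.  The final stage (attacker
# achieved objectives) and "contained" are both absorbing.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
OBJECTIVES = len(STAGES) - 1
CONTAINED = len(STAGES)


def build_generator(advance_rates, detect_rates):
    """Generator matrix Q (rows sum to zero).  advance_rates[i] is the rate
    (events per hour) of moving from stage i to i+1; detect_rates[i] is the
    rate at which an attacker at stage i is detected and contained."""
    n = len(STAGES) + 1
    q = [[0.0] * n for _ in range(n)]
    for i in range(OBJECTIVES):
        q[i][i + 1] = advance_rates[i]
        q[i][CONTAINED] = detect_rates[i]
        q[i][i] = -(advance_rates[i] + detect_rates[i])
    return q


def _poisson_mixture(p, lam, vec, dt, tol):
    """One uniformization step: vec * exp(Q dt) = sum_k Poisson(k; lam*dt) * vec * P^k."""
    n = len(vec)
    result = [0.0] * n
    weight = math.exp(-lam * dt)  # Poisson term for k = 0
    cumulative, k = 0.0, 0
    while cumulative < 1.0 - tol and k < 100_000:
        for i in range(n):
            result[i] += weight * vec[i]
        cumulative += weight
        vec = [sum(vec[i] * p[i][j] for i in range(n)) for j in range(n)]
        k += 1
        weight *= lam * dt / k
    return result


def transient_distribution(q, start, t, max_step_mean=50.0, tol=1e-12):
    """State distribution at time t from state index `start`.

    Uniformization: P = I + Q/lam with lam >= max |q_ii| turns the CTMC into a
    discrete chain driven by a Poisson process of rate lam.  The horizon is
    split so lam*dt stays small enough that exp(-lam*dt) never underflows,
    which keeps the truncated series accurate for long horizons too."""
    n = len(q)
    lam = max(-q[i][i] for i in range(n)) or 1.0
    p = [[(1.0 if i == j else 0.0) + q[i][j] / lam for j in range(n)] for i in range(n)]
    vec = [0.0] * n
    vec[start] = 1.0
    if t <= 0:
        return vec
    steps = max(1, math.ceil(lam * t / max_step_mean))
    for _ in range(steps):
        vec = _poisson_mixture(p, lam, vec, t / steps, tol)
    return vec


def compromise_probability(advance_rates, detect_rates, hours):
    """P(attacker has reached actions-on-objectives within `hours`)."""
    q = build_generator(advance_rates, detect_rates)
    return transient_distribution(q, 0, hours)[OBJECTIVES]


def detection_sensitivity(advance_rates, detect_rates, hours):
    """Risk reduction from doubling the detection rate at each stage in turn:
    the per-stage monitoring view the kill-chain approach calls for."""
    base = compromise_probability(advance_rates, detect_rates, hours)
    reductions = {}
    for i, stage in enumerate(STAGES[:OBJECTIVES]):
        boosted = list(detect_rates)
        boosted[i] *= 2.0
        reductions[stage] = base - compromise_probability(advance_rates, boosted, hours)
    return reductions


if __name__ == "__main__":
    # Assumed rates per hour (illustrative): about a day on reconnaissance,
    # hours on later stages; detection capability is weakest early on.
    advance = [1 / 24, 1 / 12, 1 / 6, 1 / 4, 1 / 2, 1.0]
    detect = [0.0, 0.0, 0.05, 0.10, 0.10, 0.20]
    print("P(compromise within 72 h):", round(compromise_probability(advance, detect, 72), 4))
    for stage, drop in detection_sensitivity(advance, detect, 72).items():
        print(f"  doubling detection at {stage:<22} cuts risk by {drop:.4f}")
```

Because the chain is absorbing, the state vector at the horizon also gives the probability mass already contained and the mass still sitting in each intermediate stage, which is the per-stage risk picture the abstract describes; the sensitivity loop is the cheapest way to turn that into a prioritised list of where to add detection.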
What the Profession of Cybersecurity Needs to Know and Do
EDPACS, 2019
Presently, 71% of annual losses are due to failures in the physical and human attack domains, while electronic breaches account for roughly 29%. While the lowest percentage of losses (29%) falls into the area of the classic technology-based attacks, unfortunately these are often the only kind of attacks factored into an organization's cybersecurity planning. Surprisingly, in most organizations, human or physical types of threats are simply not part of traditional cyberdefense thinking. Most active cyberdefense solutions do not consider embodying integrated and well-defined behavioral controls into the cybersecurity process. And as a result, well executed attacks against the non-electronic attack surface are almost certain to succeed. We argue that the profession must find ways to ensure that the real-world practice of cybersecurity involves the creation and adoption of a complete, correct, and highly effective set of well-defined and commonly accepted controls; ones that are capable of closing off every feasible type of adversarial action. To be completely effective, the solution must amalgamate all of the essential concepts of cyberdefense into a single unifying practice model, one that has real-world currency. Professional societies help to serve as the developers and sanctioners of the fundamental ideas in their respective fields and the creation of the CSEC2017 document provides an authoritative statement of the elements of the field of cybersecurity for a broad array of practitioners. This paper discusses the CSEC2017 thought model and outlines the eight knowledge areas specified for the discipline to represent the complete body of knowledge within the field. It has been well documented that we have a problem securing
Cyber-security Risk Assessment
2011
The cyber-security domain is inherently dynamic. Not only does the system configuration change frequently (with new releases and patches), but new attacks and vulnerabilities are also regularly discovered. The threat in cyber-security is human, and hence intelligent in nature. The attacker adapts to the situation, target environment, and countermeasures. Attack actions are also driven by the attacker's exploratory nature, thought process, motivation, strategy, and preferences. Current security risk assessment is driven by cyber-security experts' theories about this attacker behavior.
Technix International Journal for Engineering Research (TIJER), 2024
The research paper embarks on an in-depth exploration of the pivotal role risk management plays in mitigating the multifaceted threats that permeate the ever-evolving cybersecurity landscape. Through a retrospective analysis of cyber incidents over the past decade, this study reveals the escalating sophistication of cyber adversaries and the imperative need for robust and adaptable risk management frameworks. The paper delves into the qualitative assessments and analysis of major cyber attacks, highlighting recurring themes and vulnerabilities exploited by cybercriminals. It further elucidates the multifaceted nature of current cyber threats, encompassing ransomware attacks, phishing scams, supply chain attacks, and zero-day exploits. A detailed exposition of a comprehensive risk management framework, encompassing risk identification, assessment, mitigation, and monitoring, is provided. The crucial role of IT risk management in mitigating cyber threats is emphasized, with a specific focus on risk governance, risk assessment methodologies, and the integration of IT risk management into overall enterprise risk management. The paper concludes by advocating for a proactive and adaptable approach to cybersecurity, emphasizing the importance of continuous vigilance, employee training, and technological innovation in mitigating cyber risks in the years to come.