Posted on 16-Jun-2020

An ARA based framework and DSS for Cybersec risk management

Aitor Couce, David Rios (ICMAT-CSIC)

GDRR’19, May GWU

david.rios@icmat.es

Games and Decisions in Cyber Risk

Aitor Couce, David Rios and CYBECO team

GDRR’19, May GWU

Agenda

• Cybersecurity

• A model for cybersecurity risk analysis

• The CYBECO tool

• A motivating case

• Discussion

Cyber risks

• $450b impact on the global economy in 2014

• 0.8% of global GDP

• Black market

• Fifth operational space

• Cyber risks in the supply chain. Interconnected systems: the Target attack came through its AC supplier

Cyber risks

• Stuxnet, Flame, Duqu, … targeted against Iran’s nuclear program

• Shamoon targeted against ARAMCO

• Targeted attack against Estonia

• WannaCry. Not targeted. Stopped the UK NHS, affected Telefónica, BBVA, …

Cyber risks. Context

• Systems increasingly connected and relying on ICT

– Cars, planes, investing platforms, voting systems, …

• Increasing variety, number and sophistication of attacks and attackers

– Viruses, worms, trojans, spyware, APTs, ransomware, …

– Countries, cybercriminals, insiders, …

• Potential to cause very large damage

– Economic, physical, national security, reputation, …

Cybersecurity. WEF GRM 2018

Cybersecurity in the press

(SP) National Security Strategy

Cybersecurity. NIST

Industry standards

• Frameworks for risk analysis: CRAMM, EBIOS, ISAMM, Magerit, ISO 27005, MEHARI, NIST 800-30, ISO 31000, …

• Compliance frameworks: ISO 27001, ISO 27002, SANS Critical Security Controls, Common Criteria, GDPR, ISO 27031, Cloud Security Alliance Cloud Controls Matrix, …

• Excellent catalogues of assets, threats, controls, …

Catalogues. Example

• Vulnerabilities. CVE

Code            Name                 Description
CVE-2016-5195   Dirty COW            …
CVE-2017-6607   Cisco ASA DNS DoS    …
…

UK Cyber Essentials

1. Download software updates

2. Use strong passwords

3. Delete suspicious emails

4. Use anti-virus

5. Raise staff awareness

Approaches

• Frameworks for risk analysis

• Compliance frameworks

• Excellent catalogues of assets, threats, controls, …

• But when referring to risk management

Cybersecurity


Risk matrices

Intentionality

HMG1

Cox (2008), Thomas et al (2014), Hubbard, Seiersen (2016), Allodi, Massacci (2017)

Analytic approaches

• Optimisation

• Game theory

• Decision analysis

• Multicriteria decision analysis

• Combinatorial optimisation

Pointers and review: Fielder et al (2016), Ganin et al (2017), DRI et al (2019)

Cyber insurance

• AXA, Generali, Zurich,….

• Yet to take off (at least in EU)

Pointers and reviews: Marotta et al (2017), Romanosky et al (2018), Eling and Wirfs (2019)

Cyber risks and cyber insurance. CYBECO considerations

• Cyber insurance as a complementary risk treatment in cybersecurity.

• Cybersecurity at social level: Global costs. Accumulation problems. Network effects.

• Cyber insurance: Relatively recent product and comparatively small market.

– Development of cyber insurance products.

• Data scarce in cybersecurity and losses. Companies not disclosing data breaches.

– Structured expert judgement. Behavioural experiments.

• Modelling intentionality in cybersecurity.

– Adversarial risk analysis.

• Moral hazard problems. Incentives for improving cybersecurity at large. Role of reinsurers.

– Policy nudges in cybersecurity.

– Policy recommendations.

• Valuing information assets, reputation, …

– Multi-attribute utility theory.

• Basic tools for cybersecurity risk analysis

– Decision support tool for cybersecurity investments.

[Figure: CYBECO stakeholder ecosystem. Actors: Company, Expert, Security provider, Threat, Insurer, Reinsurance provider, Insurance broker, Sector regulator, Insurance regulator, Policymaker, Vendor, Consumer, Research, and interest groups (insurers, e.g. insurance federation; companies, e.g. SME association; consumers, e.g. consumer rights supervisory authority). Interactions shown: cover losses due to cyber risk; collect necessary data; provide results; provide security services; compliance with regulations; pay premiums; damage or steal company’s assets; request for a specific expertise; invest in security controls; provide product/service; policy changes; policy recommendations; research results; cover part of insurer’s clients’ losses; advice on cyber insurance offerings; negotiate policy conditions; security services for insurer and its clients.]

Agenda

• Cybersecurity

• A model for cybersecurity risk analysis

• The CYBECO tool

• A case

• Discussion

Cyber security risk management

Use case 1: Cyber insurance product selection

Cyber security risk management

• Attacker problem

• Defender problem

Cyber security risk management

• Defender preferences

• Attacker preferences

• Multiple attackers

Cyber security risk management

• Expected utilities

• Maximising expected utilities

Portfolio selection, APS

Agenda

• Cybersecurity

• A model for cybersecurity risk analysis

• The CYBECO tool

• A case

• Discussion

CYBECO Toolbox scope

• Web-based information and consultancy tool that includes decision-support elements

• Facilitates decisions about IT security investments

• Demand side. Organisation deciding IT security investments (SME)

• Supply side. Cybersec companies, insurance companies and brokers

CYBECO Toolbox features

• Precomputed templates as demos

• Templates with possibility of some parameter tuning

• Templates with possibility of ‘full’ parameter tuning. Time consuming

• Supported by a Knowledge Base that:

– Contains hierarchical taxonomies of entities used in the Risk Analysis Cases

– Contains information about related cybersecurity entities such as threats or security controls

– All entities in the KB are interconnected

CYBECO Toolbox

Parametrised models

CYBECO Toolbox Parameters

• Features of user (No. servers, Budget, …)

• Features of controls and insurance products (CAPEX, OPEX, Price, coverage, …)

• Generic business parameters

• Utility parameters

• Derived parameters (Productivity, …)

• Model parameters (Probability of fire, …)

Updated in light of data

CYBECO Toolbox

Agenda

• Cybersecurity

• A model for cybersecurity risk analysis

• The CYBECO tool

• A case

• Discussion


Cybersecurity and cyber insurance. Behavioural aspects

The behavioural component…

CYBECO experiments address this in three ways:

Experiment 1: Testing the model

● Behavioural insights to support design of cyberinsurance products

● Information to produce a ‘behavioural version’ of the CYBECO model

Experiment 2: Testing the toolbox

● Usability of CYBECO toolbox

● Nudging SMEs towards optimal protection & cyberinsurance

Experiment 3: Belief formation

● Supporting belief formation in adversarial cyberinsurance models

Other models or model uses

• Pricing.

– Maximum price that preserves the insurance product in the optimal portfolio

– Minimum coverage that preserves the insurance product in the optimal portfolio

– Both

• Return on security investment

• Market segmentation

• Granting insurance

• Reinsurance

Policy issues

Other relevant issues

• Implementing computations

• Insider threats

• Third parties. Supply chain cyber risk management

• Expanding the toolbox

• Dynamic insurance products

www.cybeco.eu

Twitter: @CYBECO_project

Linkedin: www.linkedin.com/company/cybeco

Thanks

david.rios@icmat.es
