TRANSCRIPT
An ARA based framework and DSS for Cybersec risk management
Aitor Couce, David Rios ICMAT-CSIC
GDRR’19, May GWU
Games and Decisions in
Cyber Risk
Aitor Couce, David Rios and CYBECO team
GDRR’19, May GWU
Agenda
• Cybersecurity
• A model for cybersecurity risk analysis
• The CYBECO tool
• A motivating case
• Discussion
Cyber risks
• 450b$ impact over global economy 2014
• 0.8% global GDP
• Black market
• Fifth operational space
• Cyber risks in supply chain. Interconnected systems – Target attack through its AC supplier
Cyber risks
• Stuxnet, Flame, Duqu,… targeted against
Iran’s nuke program
• Shamoon targeted against ARAMCO
• Targeted attack against Estonia
• Wannacry. Not targeted. Stopped UK
NHS, affected Telefónica, BBVA,…
Cyber risks. Context
• Systems increasingly connected and relying on ICT
– Cars, planes, investing platforms, voting systems,…
• Increasing variety, number and sophistication of
attacks and attackers
– Virus, worms, trojans, spyware, APTs, ransomware, …
– Countries, cybercriminals, insiders, …
• Potential to cause very large damage
– Economic, physical, national security, reputation, …
Cybersecurity. WEF GRM 2018
Cybersecurity in the press
(SP) National Security Strategy
Cybersecurity. NIST
Industry standards
• Frameworks for risk analysis: CRAMM, EBIOS,
ISAMM, Magerit, ISO 27005, MEHARI, NIST 800-30, ISO
31000,...
• Compliance frameworks: ISO27001, ISO 27002,
SANS Critical Security Controls, Common Criteria, GDPR,
ISO 27031, Cloud Security Alliance Cloud Controls Matrix,…
• Excellent catalogues of assets, threats,
controls,….
Catalogues. Example
• Vulnerabilities. CVE
Code            Name                Description
CVE-2016-5195   Dirty COW           …
CVE-2017-6607   CISCO ASA DNS DoS   …
…
UK Cyber essentials
1. Download software updates
2. Use strong passwords
3. Delete suspicious emails
4. Use anti-virus
5. Raise staff awareness
Approaches
• Frameworks for risk analysis
• Compliance frameworks
• Excellent catalogues of assets, threats,
controls,….
• But when referring to risk management
Cybersecurity
Risk matrices
Intentionality
HMG1
Cox (2008); Thomas et al (2014); Hubbard, Seiersen (2016); Allodi, Massacci (2017)
Analytic approaches
• Optimisation
• Game theory
• Decision analysis
• Multicriteria decision analysis
• Combinatorial optimisation
Pointers and review: Fielder et al (2016), Ganin et al (2017), DRI et al (2019)
Cyber insurance
• AXA, Generali, Zurich,….
• Yet to take off (at least in EU)
Pointers and reviews:
Marotta et al (2017)
Romanosky et al (2018)
Eling and Wirfs (2019)
Cyber risks and cyber insurance.
CYBECO considerations
• Cyber insurance as a complementary risk treatment in cybersecurity.
• Cybersecurity at social level: Global costs. Accumulation problems. Network
effects.
• Cyber insurance: Relatively recent product and comparatively small market.
– Development of cyber insurance products.
• Data scarce in cybersecurity and losses. Companies not disclosing data
breaches.
– Structured expert judgement. Behavioural experiments.
• Modelling intentionality in cybersecurity.
– Adversarial risk analysis.
• Moral hazard problems. Incentives for improving cybersecurity at large. Role of
reinsurers.
– Policy nudges in cybersecurity.
– Policy recommendations.
• Valuing information assets, reputation, …
– Multi-attribute utility theory.
• Basic tools for cybersecurity risk analysis
– Decision support tool for cybersecurity investments.
[Diagram: CYBECO stakeholder map]
Actors: Company, Expert, Security provider, Threat, Insurer, Reinsurance provider, Insurance broker, Sector regulator, Insurance regulator, Policymaker, Consumer, Vendor, Research, interests of insurers (e.g., insurance federation), interests of companies (e.g., SME association), interests of consumers (e.g., consumer rights supervisory authority)
Relations: cover losses due to cyber risk; collect necessary data; provide results; provide security services; compliance with regulations; pay premiums; damage or steal company's assets; request for a specific expertise; invest in security controls; provide product/service; policy changes; policy recommendations; research results; cover part of insurer's clients' losses; advice on cyber insurance offerings; negotiate policy conditions; security services for insurer and its clients
Agenda
• Cybersecurity
• A model for cybersecurity risk analysis
• The CYBECO tool
• A case
• Discussion
Cyber security risk management
Use case 1: Cyber insurance product selection
Cyber security risk management
• Attacker problem
• Defender problem
Cyber security risk management
• Defender preferences
• Attacker preferences
• Multiple attackers
Cyber security risk management
• Expected utilities
• Maximising expected utilities
Portfolio selection, APS
Agenda
• Cybersecurity
• A model for cybersecurity risk analysis
• The CYBECO tool
• A case
• Discussion
CYBECO Toolbox scope
• Web-based information and consultancy tool that includes decision-support elements
• Facilitates decisions about IT security investments
• Demand side. Organisation deciding IT security investments (SME)
• Supply side. Cybersec companies, Insurance companies and brokers
CYBECO Toolbox features
• Precomputed templates as demos
• Templates with possibility of some parameter tuning
• Templates with possibility of ‘full’ parameter tuning. Time consuming
• Supported by a Knowledge Base that:
– Contains hierarchical taxonomies of entities used in the Risk Analysis Cases
– Contains information about related cybersecurity entities such as threats or security controls.
– All entities in the KB are interconnected
CYBECO Toolbox
Parametrised models
CYBECO Toolbox
CYBECO Toolbox Parameters
• Features of user (No. servers, Budget,…)
• Features of controls and insurance
products (CAPEX, OPEX, Price,
coverage,…)
• Generic business parameters
• Utility parameters
• Derived parameters (Productivity,…)
• Model parameters (Probability of fire,…)
Updated in light of data
CYBECO Toolbox Parameters
Agenda
• Cybersecurity
• A model for cybersecurity risk analysis
• The CYBECO tool
• A case
• Discussion
The behavioural component…
CYBECO experiments address this in three ways:
Experiment 1: Testing the model
• Behavioral insights to support design of cyberinsurance products
• Information to produce a ‘behavioural version’ of the CYBECO model
Experiment 2: Testing the toolbox
• Usability of CYBECO toolbox
• Nudging SMEs towards optimal protection & cyberinsurance
Experiment 3: Belief formation
• Supporting belief formation in adversarial cyberinsurance models
Cybersecurity and cyber insurance.
Behavioural aspects
Other models or model uses
• Pricing.
– Maximum price that preserves insurance product in
optimal portfolio
– Minimum coverage that preserves insurance product
in optimal portfolio
– Both
• Return on security investment
• Market segmentation
• Granting an insurance
• Reinsurance
Policy issues
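As an added illustration (not the CYBECO toolbox's code; every number is constructed), the defender's portfolio selection from the "Expected utilities / Maximising expected utilities / Portfolio selection" slides and the two pricing questions above, in Python: enumerate control sets plus an optional insurance product, maximise expected utility under a budget, then bisect for the maximum premium and the minimum coverage that keep the product in the optimal portfolio. Assumed: an exponential utility, a single attack-success probability that in the ARA model would come from the attacker problem, and a catalogue small enough to enumerate.

```python
import math
from itertools import combinations
# Constructed inputs (not CYBECO data): control -> (annual cost, multiplier on attack success prob.)
CONTROLS = {"patching": (4.0, 0.5), "backup": (3.0, 0.6), "training": (2.0, 0.8)}
BUDGET, WEALTH, LOSS = 40.0, 100.0, 60.0  # spend cap, SME initial wealth, loss from a successful attack
P_ATTACK = 0.3        # success probability with no controls; in the ARA model the attacker problem supplies it
RISK_AVERSION = 0.05  # defender's constant absolute risk aversion

def utility(x):
    return -math.exp(-RISK_AVERSION * x)

def expected_utility(controls, insured, premium, coverage):
    """Expected utility of one portfolio: a set of controls plus optional insurance."""
    cost = sum(CONTROLS[c][0] for c in controls) + (premium if insured else 0.0)
    p = P_ATTACK
    for c in controls:
        p *= CONTROLS[c][1]
    uncovered = LOSS * (1.0 - coverage) if insured else LOSS
    return p * utility(WEALTH - cost - uncovered) + (1.0 - p) * utility(WEALTH - cost)

def optimal_portfolio(premium, coverage):
    """Enumerate every feasible portfolio; return (controls, insured) with maximal expected utility."""
    best, best_eu = None, -math.inf
    for k in range(len(CONTROLS) + 1):
        for controls in combinations(CONTROLS, k):
            for insured in (False, True):
                cost = sum(CONTROLS[c][0] for c in controls) + (premium if insured else 0.0)
                if cost > BUDGET:
                    continue
                eu = expected_utility(controls, insured, premium, coverage)
                if eu > best_eu:
                    best, best_eu = (frozenset(controls), insured), eu
    return best

def switch_point(keeps_insurance, lo, hi, tol=1e-4):
    """Bisection for the point where keeps_insurance flips; monotone since only the insured branch moves."""
    at_lo = keeps_insurance(lo)
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if keeps_insurance(mid) == at_lo:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def max_premium(coverage):  # pricing: highest premium keeping the product in the optimal portfolio
    return switch_point(lambda prem: optimal_portfolio(prem, coverage)[1], 0.0, BUDGET)

def min_coverage(premium):  # pricing: lowest coverage keeping the product in the optimal portfolio
    return switch_point(lambda cov: optimal_portfolio(premium, cov)[1], 0.0, 1.0)
```

With these inputs the product at full coverage survives up to a premium of about 26.3, and at a premium of 10 it survives down to roughly 33% coverage, at which point the optimal portfolio pairs it with patching and backup.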
Other relevant issues
• Implementing computations
• Insider threats
• Third parties. Supply chain cyber risk management
• Expanding the toolbox
• Dynamic insurance products
www.cybeco.eu
Twitter: @CYBECO_project
Linkedin: www.linkedin.com/company/cybeco
Thanks