An adversarial risk analysis framework for cybersecurity

Presentation transcript:

An adversarial risk analysis framework for cybersecurity
D. Ríos Insua (1), A. Couce Vieira (1), J.A. Rubio (2), W. Pieters (3), K. Labunets (3), D. Garcia Rasines (4), K. Musaraj (5), P. Briggs (6)
(1) ICMAT-CSIC, (2) U. Complutense de Madrid, (3) Delft TU, (4) Imperial College, (5) AXA Tech. Serv., (6) Northumbria University
Part of the H2020 project CYBECO on supporting cyber insurance from a behavioural choice perspective

Challenges/Objectives
Overcome risk matrices as risk calculation tool
Analyse adversarial cybersecurity threats
Include cyber insurance in risk analysis modelling
Include decision-maker's preferences and risk attitudes
Facilitate informed decision-making in cybersecurity
Implement it as software
An adversarial risk analysis framework for cybersecurity, SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

Risk analysis model template
ARA defend-attack model

Risk analysis framework
Definition of the risk analysis scope – e.g., a document management SME, its online e-service, for 1 year.
Identification of risk components:
  Organisation assets at risk – e.g., facilities, computer equipment, market share
  Non-targeted threats – e.g., fire and computer virus
  Targeted threats (aimed at us) – e.g., DDoS attack from a competitor
  Other uncertainties affecting risk relevant to the organisation – e.g., duration of the DDoS
  Security controls – e.g., anti-fire system, DDoS protection system
  Cyber insurance products – e.g., traditional, cyber, comprehensive
  Impacts over the organisation's assets and interests – e.g., over facilities, market share
  Impacts over the targeted threats – e.g., being detected
  Preferences and risk attitudes of the organisation
  Preferences and risk attitudes of the targeted threats – e.g., the competitor

Risk analysis framework
Problem structuring with our risk analysis model

Risk analysis framework
Problem solving – to solve it, we first solve the attacker's part, then the defender's part.
Defender, i.e., the organisation
Attacker, i.e., the competitor

Risk analysis framework
Problem solving
Assess the organisation's non-strategic beliefs and preferences: modelling the defender problem with the support of data and expert judgement, for all nodes except those that correspond to an attacker decision.
Assess the random beliefs and preferences of the adversarial threat: modelling and simulating the attacker problem to forecast its actions and obtain the probability distribution that we will use to complete the defender model.
Solve the organisation's problem: this involves the construction of algorithms and their software implementation.
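As an added illustration (not the CYBECO R code), a toy version of the three-step procedure above in Python: the competitor's problem is simulated under random beliefs and preferences to obtain P(attack | control), and the defender then picks the security control and insurance portfolio that maximises expected utility. All costs, probabilities and the exponential (risk-averse) utility are constructed assumptions.

```python
"""Toy ARA defend-attack model following the slides' three-step procedure.

The defender (the organisation) picks a security control and an insurance
product; the attacker (a competitor) decides whether to launch a DDoS.
All figures are constructed, illustrative values, not CYBECO data."""
import math
import random
from itertools import product

CONTROLS = {"none": 0.0, "ddos_protection": 2000.0}       # yearly control cost
INSURANCE = {"none": (0.0, 0.0), "cyber": (1500.0, 0.8)}  # (premium, share of loss covered)
SUCCESS_PROB = {"none": 0.9, "ddos_protection": 0.3}     # P(DDoS succeeds | control)
DETECT_PROB = {"none": 0.2, "ddos_protection": 0.6}      # P(attacker is detected | control)


def attack_probability(control, n=20000, seed=0):
    """Attacker step: simulate the competitor's decision under random beliefs and
    preferences. Each draw is one plausible attacker (gain from our outage, cost of
    the DDoS, penalty if detected) who attacks when expected utility beats doing
    nothing; the fraction of attacking draws is the defender's P(attack | control)."""
    rng = random.Random(seed)
    attacks = 0
    for _ in range(n):
        gain = rng.uniform(5000, 30000)     # value to the competitor of our outage
        cost = rng.uniform(500, 3000)       # cost of mounting the DDoS
        penalty = rng.uniform(0, 40000)     # legal/reputational loss if detected
        eu_attack = SUCCESS_PROB[control] * gain - cost - DETECT_PROB[control] * penalty
        if eu_attack > 0.0:                 # expected utility of not attacking is 0
            attacks += 1
    return attacks / n

def utility(net_cost, risk_aversion=1e-5):
    """Defender step: risk attitude as a constant absolute risk aversion utility over
    money lost (0 when nothing is lost, increasingly negative for larger losses)."""
    return 1.0 - math.exp(risk_aversion * net_cost)

def defender_expected_utility(control, insurance, loss=50000.0):
    """Solve step: expected utility of one (control, insurance) portfolio, combining the
    simulated attack probability with the non-strategic success probability."""
    premium, coverage = INSURANCE[insurance]
    fixed = CONTROLS[control] + premium                  # paid whatever happens
    p_loss = attack_probability(control) * SUCCESS_PROB[control]
    return p_loss * utility(fixed + loss * (1.0 - coverage)) + (1.0 - p_loss) * utility(fixed)

def best_portfolio():
    """Evaluate every control/insurance pair; return the best one and the full table."""
    table = {(c, i): defender_expected_utility(c, i) for c, i in product(CONTROLS, INSURANCE)}
    return max(table, key=table.get), table
```

Because the competitor's expected utility of attacking is lower under DDoS protection in every simulated draw, the forecast attack probability falls with the control, which is exactly the effect the defender's portfolio choice trades off against control and premium cost.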

Risk analysis framework
Implemented in R -- for calculation
CYBECO toolbox -- for displaying the results

CYBECO Toolbox

Risk analysis framework
Implementing the previous procedure we are able to calculate:
Best security control and insurance portfolio
Overall probability of different events
Expected impacts given the different probabilities
Further analyses are possible: sensitivity analysis, constraints, return on security investment, …

Current/future work around the ARA framework
Doing a model for a complete risk analysis case study in CYBECO
Computational enhancements:
  Generalised interactions (i.e., not only defend-attack cases)
  Augmented probability simulation (i.e., faster optimisation)
Other general risk problems:
  Insurance company deciding whether to grant cyber insurance to a company
  Insurance company deciding their reinsurance portfolio [for cyber]
Preference modelling:
  Cybersecurity risk management objectives (trees of objectives > attributes that measure them > utility functions)
  Cyber attacker objectives

CSIRA: A method for analysing the risk of cybersecurity incidents
Thank you!