Michael Siegel, James Houghton: Advancing Cybersecurity Using System Dynamics Simulation Modeling For System Resilience, Patching, and Software Development


1 Michael Siegel, James Houghton
Advancing Cybersecurity Using System Dynamics Simulation Modeling For System Resilience, Patching, and Software Development
Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3
3 Sept 2014

2 Mission: Resiliency of Organizations & Markets
- Effective and innovative solutions to cyber insecurity require coordinated efforts to support the resiliency of the cyber organizational “ecosystem”—the individuals, firms, and markets occupying the cyber domain, as well as the interactions among actors
- Key questions:
  - Behavioral: What are the attitudes and perceptions of the private sector about cyber security?
  - Managerial: What solutions can feasibly be manipulated by the firm or sector itself, and what can be encouraged or directed by outside actors?
  - Technological: What is affecting product security of key IT components?
- Modeling framework to unpack cyber dynamics and provide organizational framework

3 Brief Overview of System Dynamics
- SDM used as modeling & simulation method over 50 years
  - Eliminate limitations of linear logics and over-simplicity
  - Based on system structure, behavior patterns, interconnections of positive & negative feedback loops
- SDM has been applied to numerous domains
  - Software development projects
  - Process Improvement projects
  - Crisis and threat in the world oil market
  - Stability and instability of countries
  - … many many others …
- SDM helps to uncover ‘hidden’ dynamics in system
  - Helps understand ‘unfolding’ of situations
  - Helps anticipate & predict new modes
  - Explore range of unintended consequences

4 Mission: Dynamics of Threats and Resilience
How did breaches (threats) occur? *
- 67% were aided by significant errors (of the victim)
- 64% resulted from hacking
- 38% utilized Malware
- Over 80% of the breaches had patches available for more than 1 year
How are security and threat processes (resilience) managed? *
- 75% of cases go undiscovered or uncontained for weeks or months
* Verizon Data Breach Report

5 Relating Actions to Outcomes
Key Question: What is controlling the rates of change and how can we be more anticipatory rather than reactive?

6 [Diagram labels] Not Compromised Identified Attack Vectors Compromised Attacker Capabilities Sector Performance Firm Knowledge And Awareness Identifying Exploits Resources Motivation Skills Awareness Visibility Technical Capabilities Process Architecture Info Sharing Patching Attack Vector Identification Reverse Engineering Firm Performance Vendor Resilience and Responsiveness

7 [Diagram labels] Architecture Resilience Not Compromised Identified Attack Vectors Compromised Attacker Capabilities Sector Performance Firm Knowledge And Awareness System Compromising Firm Performance Establishing Footholds Remediating Compromising Availability Data Security Public Awareness Defensive Procedures

8 Simulation Modeling Overview
[Diagram labels] Software Security Patching Attacking

9 Making the Case
[Charts, x-axis: Week, 0 to 100. Panels: Not Compromised, Attack Vectors, Infected (Technical); “Upstream Costs”, “Downstream Costs” (Managers); Total Costs (Senior Management (CIO)).]
Blue is base case; red case is patching with configuration standards; green is current case

10 Summary of Results
- Solving problems “upstream” is more effective than fixing them “downstream.”
- Differentials in time delays in physical processes (such as patching) and behavioral processes (such as changing individual behavior) are key to understanding the efficacy of proposed interventions.
- Nonlinearities and tipping points may exist due to inertia and path-dependence in systems.
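
As an added illustration of the time-delay point in the summary above (not the authors' model, which this transcript does not reproduce), the following Python code integrates a three-stock system dynamics model over 100 weeks. The stock and flow names are borrowed from the diagram labels on slides 6 and 7; the model structure, the 200-system population, and every rate and delay are assumptions chosen for illustration.

```python
# Added illustration: a minimal stock-and-flow model, not the authors' model.
# Names follow the slide labels; structure and all parameter values are assumed.

def simulate(patch_delay, weeks=100, dt=0.25, systems=200.0,
             discovery_rate=2.0, exposure=0.002, remediation_delay=4.0):
    """Euler-integrate three stocks and return one sample per week.

    patch_delay       -- average weeks an identified attack vector stays unpatched
    discovery_rate    -- attack vectors identified per week (assumed)
    exposure          -- weekly compromise hazard per system per open vector (assumed)
    remediation_delay -- average weeks to clean a compromised system (assumed)
    """
    not_compromised, compromised, vectors = systems, 0.0, 0.0
    steps_per_week = round(1 / dt)
    history = []
    for step in range(weeks * steps_per_week + 1):
        if step % steps_per_week == 0:
            history.append((step // steps_per_week,
                            not_compromised, vectors, compromised))
        # Flows, in units per week.
        identifying = discovery_rate
        patching = vectors / patch_delay            # first-order delay
        compromising = not_compromised * exposure * vectors
        remediating = compromised / remediation_delay
        # Each stock accumulates its net flow over one time step.
        vectors += dt * (identifying - patching)
        not_compromised += dt * (remediating - compromising)
        compromised += dt * (compromising - remediating)
    return history


def compromised_system_weeks(history):
    """Downstream burden proxy: compromised systems summed over weekly samples."""
    return sum(row[3] for row in history)


if __name__ == "__main__":
    for delay in (2, 12, 52):
        run = simulate(patch_delay=delay)
        _, healthy, open_vectors, infected = run[-1]
        print(f"patch delay {delay:>2} wk: open vectors={open_vectors:6.1f} "
              f"not compromised={healthy:6.1f} compromised={infected:6.1f} "
              f"system-weeks={compromised_system_weeks(run):8.0f}")
```

Because the parameters are assumed, only the relative ordering of the scenarios is meaningful: a longer patch delay leaves more attack vectors open at every point in time, which raises the compromised stock.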

11 BACKUP

12 Valuing Software Portfolios Using System Dynamics Models
- Project value changes over time depending on maintenance
  - At first the value rises as application development takes shape
  - It then adjusts over time according to the maintenance spend
- A project may have a high initial expected value, but maintenance dynamics may erode that value over time
- The graph shows the value of one application given different maintenance
[Graph: Value against Time]
We plan for the blue case when the red case may be more likely

13 Patching Dynamics

14 Downstream Dynamics

