SEConomy: a Framework for the Economic Assessment of Cybersecurity
Bruno Rodrigues, Muriel Franco, Geetha Parangi and Burkhard Stiller
Communication Systems Group CSG, Department of Informatics IfI
University of Zurich UZH, Binzmühlestrasse 14, CH-8050 Zürich, Switzerland
E-mail: [rodrigues,franco,parangi,stiller]@ifi.uzh.ch
Abstract. Cybersecurity concerns are one of the significant side effects of an increasingly interconnected world, and they inevitably put economic factors into perspective, either directly or indirectly. In this context, it is imperative to understand the significant dependencies within complex and distributed systems (e.g., a supply chain), as well as the security and safety risks associated with each actor. This paper proposes SEConomy, a strictly step-based framework to measure the economic impact of cybersecurity activities in a distributed ecosystem with several actors. Through the mapping of actors, responsibilities, inter-dependencies, and risks, it is possible to develop specific economic models, which, taken together, provide an accurate picture of the economic impacts of cybersecurity.
Keywords: Cybersecurity · Threats · Economics · Assessment
1 Introduction
The technological evolution and the rapid growth of the Internet have built a digital networked society, which today is an indispensable tool for communication and interaction on a planetary scale. As the number of devices (stationary or portable) increases, the complexity of the systems that provide content or communication infrastructure also increases, especially to support the growing volume of traffic. As a result, these complex distributed systems are subject not only to several types of failures, but also to different types of cyber threats that can compromise CIA (Confidentiality, Integrity, and Availability) aspects, impairing, for example, entire societies whose Critical National Infrastructures (CNI) are connected to the Internet [8, 14].
It is imperative to understand the economics behind cybersecurity activities. For example, the United States of America (U.S.A.) released in 2018 an estimate of the costs related to malicious cyber activities of between 57 and 109 billion USD for incidents in the year 2016 alone [27]. These numbers cover not only losses at the initial target and at economically linked firms resulting from attacks, but also the costs of maintaining and improving system security. Further, Gartner [16] corroborates the U.S.A. estimate, predicting in 2018 costs of between 114 and 124 billion USD for 2019, which represents an increase of 8% for one country only. While cost numbers are not precise on a global scale, there exist estimates, such as [18], that predict costs related to cybersecurity activities to exceed 1 trillion USD cumulatively for the five years from 2017 to 2021, taking into account the growing number of Internet of Things (IoT) devices.
Systems often fail because organizations do not take into account the full costs of failure, which include two critical categories: security (prevention of malicious activities) and safety (prevention of accidents or faults) [17]. Further, system failures often lead to a business being offline (i.e., security is the case where a deliberate attack is part of the game, while safety is the case where something fails by itself). Security investments are typically complex, because malicious activities typically expose externalities resulting from underinvestment in cybersecurity, i.e., they usually exploit vulnerabilities unforeseen in the design space. Safety, however, originates from requirements, which take system failures due to unexpected events (i.e., natural disasters and/or human failures) into account to prevent the loss of lives.
In a scenario where major actors desire to minimize costs while maximizing security and safety aspects [17, 21], it is essential to understand all key cybersecurity risks, impacts, and mitigation measures (or the lack thereof) within an individually determined ecosystem economy [2]. Further, it is necessary to gain insight into the uncertainty behind security investments. This paper contributes to the field of cybersecurity modeling with a framework that allows for an approximation of estimates and enables the economic analysis of a given ecosystem’s dimension concerning responsibilities and roles, while mapping systems and processes, their correlations, and the related costs. The expected result is a detailed understanding of how the economy is affected by cyber (in)security.
This paper is organized as follows. Section 2 provides the background and related work, giving an overview of how cybersecurity risks and threats are mapped into economics. Section 3 presents the Cybersecurity Economy Assessment framework and its stages, followed by a discussion and future work in Section 4.
2 Background and Related Work
Although the reasons behind cyber attacks can be widely diverse, ranging from identity phishing and information security breaches to the exploitation of vulnerabilities in Critical National Infrastructures (CNI), it is well known that these attacks have become increasingly driven by financial motives. Thus, related work focuses on models analyzing the economic aspects behind cyber attacks. For this reason, the U.S. Department of Defense (DoD) declares cyberspace to be the fifth dimension of defense areas, complementing the traditional land, water, sea, and air warfare dimensions [15].
2.1 Cybersecurity Economics
A purely economic analysis was released in 2018 by the U.S. White House [27], revealing estimates of the economic impacts in the year 2016 (cf. Section 1), the year in which one of the largest Distributed Denial-of-Service (DDoS) attacks was launched on the content provider Dyn-DNS, which interrupted the delivery of content for significant Internet services (such as Twitter, PayPal, and Spotify) for a few hours. These numbers confirm the influence of cyber attacks on the economy (whether of a nation or of large private organizations).
[10] presented one of the fundamental models aiming to determine an optimal cost/benefit relation for cybersecurity investments. The Gordon Loeb (GL) model is intended for investments related to various information security goals (in terms of Confidentiality, Integrity, and Availability - CIA). However, although the GL model is considered a baseline for cost optimization in cybersecurity, it is not able to handle dynamic ecosystems, i.e., it maps decisions and outcomes in a single period and does not consider the time factor.
[4] builds upon [10], providing a systematic analysis of how to compare existing security investment models and metrics. While [10] defined a general security probabilistic function, the high abstraction level of its model neglects the different security levels discussed by Böhme. In this sense, [4] offers a guideline toward building an economic assessment through its systematic approach of decomposing the costs of security into security levels and further associating them with their benefits.
[24] describes one of the approaches cited by [4], the Return On Security Investment (ROSI). This work offers a benchmark method to evaluate the cost/benefit relation of security investments, as well as how to obtain/measure the security values used in their method. However, the authors state that it is very difficult to obtain data about the true cost of a security incident, since companies often do not disclose data about security breaches or vulnerabilities. Nonetheless, similarly to [10], the work does not go into detail on the complexities of calculating security investments/expenses.
Given the large degree of uncertainty in security investments, fuzzy logic becomes an appropriate method to support the decision-making process [4]. Thus, the fuzzy method of [25] translates non-linear local state spaces into linear models, i.e., it helps to define security cost classes into which threats can be classified and translated into a cost described by a function. Hence, modeling based on ROSI [24] and a fuzzy mapping [25, 26] will be able to deal with the uncertainties of security investments.
[17] discusses the impacts of cyber attacks in a national context from an economic perspective. He bases the analysis on attacks on CNIs that could harm or collapse a nation’s economy. Also, [17] puts into perspective the principles which motivate these attacks, and the policy options to prevent or respond to them. Thus, he proposes regulatory options to overcome barriers in cybersecurity, such as safety regulation, post liability, and others. To the knowledge of the authors, economically-driven frameworks for a suitable and detailed assessment are not yet in place.
2.2 Mapping of Risks and Threats
The AFCEA¹ presented a discussion on cybersecurity economics in a practical framework [1]. The framework guides private organizations and the U.S. government, highlighting principles that guide investments by mapping risks to their associated economic impacts. Threats are categorized according to their complexity, i.e., sophisticated or not, and their mission criticality, i.e., how a specific vulnerability could impair a service/process.
Concerning the mapping of risks and threats (without a direct analysis of economic impacts), the National Institute of Standards and Technology (NIST) developed a model for guiding investment in cybersecurity countermeasures. Specifically, NIST’s Special Publications 800-37 [20] and 800-53 [19] define the Cybersecurity Risk Management Framework (RMF), including a method for assessing the implementation of controls to mitigate risk. Although 800-37 and 800-53 do not present an analysis directly related to economic aspects, the NIST framework for classifying risks, as well as the AFCEA mapping of risks, allows for the establishment of economic models based on threats.
Also, specific guides/frameworks exist for the different cyber systems and applications. For example, while the NIST guides focus on the overall risks of an organization, STRIDE [9], LINDDUN [28], or DREAD [23] map each specific type of threat as well as its mitigation actions. For instance, STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, and Elevation of Privilege) is an industrial-level methodology that comes bundled with a catalog of security threat tree patterns that can be readily instantiated [9]. DREAD is a mnemonic (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) which, although similar, represents a different approach to assessing threats [23]. LINDDUN builds upon STRIDE to provide comprehensive privacy threat modeling [28].
Aiming at the evaluation of economic risks, [21] proposes a proactive model to simulate the economic risks of CNIs with integrated operations, i.e., operations that link many vendors and suppliers into the same ecosystem. The authors seek to map inter-dependencies amongst actors to establish a causal relation, which can then be used to estimate economic risk under various scenarios. However, despite providing a view on the inter-dependencies between the actors, the proposed model does not consider problems that may later occur because of a rush to attain initial economic gains.
For an effective mapping of the factors influencing the safety and security of an ecosystem, it is necessary to have an accurate idea of its threats and risks. SEConomy relies on these mappings, which, for example, can be guided by the frameworks described above. Further, it is necessary to understand the interdependence between systems/subsystems, which can trigger cascading failures.
¹ Non-profit organization serving military, government, industry, and academia.
3 SEConomy Framework
In ecosystems involving different actors, ensuring certain security/safety levels is not a straightforward task. Due to the number of participants potentially managing sensitive information or critical tasks, the risk assessment of a supply chain, for example, becomes complicated [2, 7]. The proposed framework (cf. Figure 1) approaches the economic analysis of complex systems by structuring it into five stages of mapping and modeling, allowing the creation of economic models with fine-grained estimates.
Fig. 1. SEConomy Framework
Stage 1 is concerned with the definition of actors and their functions, whose interactions should be mapped, and with specifying which of their functions are critical. Stage 2 determines which systems/components and processes are operated by these actors, and their legal implications, for an initial attribution of investment and operating costs. Based on the mapping of actors, systems, and processes, Stage 3 is responsible for producing risk models and possible impacts, as well as preventive and training measures based, for example, on the NIST risk assessment guides 800-37 and 800-53 [20, 19]. Stage 4 takes this risk analysis into consideration to map costs in a fine-grained manner, i.e., for each risk of each task performed by each actor previously mapped. Lastly, Stage 5 gathers the outputs of Stage 4 to produce general feedback in terms of overall economic impacts, the determination of improvement actions, and best practices.
3.1 Definition of Actors and Roles
It is possible to consider as input, for example, the production chain of an aircraft system as a complex ecosystem that requires an assurance of security and safety levels based on a detailed risk analysis of all its major control components. A comparison of the Airbus and Boeing supply chains [11] has shown, for example, that the manufacture of the wide-body Airbus A380 and Boeing 787 aircraft involves multiple suppliers from 30 and 67 countries, respectively. Hence, it is essential in Stage 1 to identify all actors involved in the supply chain and their roles (and to determine which tasks/functions are critical). Figure 2 shows as a first step the identification of the actors involved (e.g., producers of flight control systems, software for engines) as well as their obligations and interactions with other actors. In this regard, Boeing and NIST defined a guideline on cybersecurity supply-chain risk management [22], whereby the organizations that provide software for their aircraft must undergo a rigorous inspection process. It should be noted, however, that even the most rigorous processes are subject to failures, as recently observed in the Boeing 737 Max accident [3].
Fig. 2. SEConomy entity-relation model between stages
3.2 Overview of Components and Processes
Among the actors’ obligations, it is necessary to identify the ones whose roles involve critical processes/systems and components. In the case of the aviation sector, these include producers of navigation and communication systems, traffic collision avoidance, and Fly-By-Wire (FBW) systems [22]. The mapping of systems and components is crucial for the analysis of risk, which involves not only technical but also human aspects. For example, critical systems require not only a guarantee of safety and security aspects, but also that the actors operating these systems can monitor and react. Also, these systems should comply with security and safety regulations/recommendations, which has measurable implications for Capital and Operational Expenditures (CAPEX/OPEX). For example, the Airbus A320 FBW system uses five different computers running four flight control software packages to ensure reliability/availability [13], complying with the U.S.A. Federal Aviation Administration requirements for safety in the design of FBW systems.
3.3 Modeling Risks, Impacts, and Prevention Measures
As presented in Figure 2, each system requires an analysis of its potential security/safety threats, and of the measures to respond to these threats. A rational approach to defining what is "appropriate" involves (a) the identification of risks by examining potential vulnerabilities and their chances of successful exploitation, (b) the cost of the consequences if vulnerabilities are exploited, and (c) the cost of mitigating vulnerabilities. The risk analysis is the fundamental stage toward mapping the costs associated with cybersecurity. It is responsible for determining, proactively or reactively, the possible vulnerabilities/threats (i.e., their probabilities) that may occur as a function of time, as well as their associated counter-measures.
Risk/Threat Assessment. SEConomy requires as input an analysis of threats and risks, which can be based, for example, on frameworks such as NIST 800-37/800-53 [20, 19], and on different frameworks (cf. Section 2), such as STRIDE [9], LINDDUN [28], or DREAD [23], which provide a mapping of threats into categories and their respective mitigation measures.
Mapping Dependencies (MD). The challenge is, however, to translate risks and the associated security measures into costs in a quantifiable manner, which includes not only estimating the probability of a threat being successfully exploited, but also the mapping of the interdependence between failures. Correlations can be mapped as the correlation between two Bernoulli random variables (A, B), as defined in [6]:

$$MD(A, B) = \frac{p_{AB} - p_A\, p_B}{\sqrt{p_A (1 - p_A)\, p_B (1 - p_B)}} \qquad (1)$$
$p_A$ and $p_B$ denote the probability of failure of systems $A$ and $B$, respectively, and $p_{AB}$ the probability that both fail. These probabilities, as defined in [10], are described by values $p$ ($0 \le p \le 1$), representing the probability of breaches occurring under current conditions. The inter-dependence given in Eqn. (1) denotes a failure probability $p_X$, where $p_A$ may lead to a failure in $p_B$, i.e., failures or vulnerabilities in a component ($p_A$) under certain conditions can compromise the related components ($p_B$).
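The correlation of Eqn. (1) is easy to get wrong at its edges, so the following Python example (added here; it is not code from the paper or its authors) computes MD(A, B) from the marginal and joint failure probabilities, estimates those probabilities from a constructed per-period failure history, and returns 0 when a system never or always fails, since the correlation is then undefined. The function names, the sample history and the two system labels are assumptions made for the example.

```python
from math import sqrt
from typing import Sequence, Tuple

def mapping_dependence(p_a: float, p_b: float, p_ab: float) -> float:
    """Eq. (1): correlation of the Bernoulli failure indicators of systems A and B.

    p_a, p_b  marginal failure probabilities (0 <= p <= 1), as in Gordon-Loeb
    p_ab      joint probability that A and B fail in the same period
    Returns a value in [-1, 1]; 0 means the failures are uncorrelated.
    """
    for p in (p_a, p_b, p_ab):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    if p_ab > min(p_a, p_b):
        raise ValueError("joint probability cannot exceed either marginal")
    denom = sqrt(p_a * (1.0 - p_a) * p_b * (1.0 - p_b))
    if denom == 0.0:
        # A degenerate indicator (never or always fails) has zero variance, so
        # the correlation is undefined; report no measurable dependence.
        return 0.0
    return (p_ab - p_a * p_b) / denom

def estimate_probabilities(a_failed: Sequence[int],
                           b_failed: Sequence[int]) -> Tuple[float, float, float]:
    """Estimate (p_A, p_B, p_AB) from per-period failure records (1 = failure)."""
    if not a_failed or len(a_failed) != len(b_failed):
        raise ValueError("histories must be non-empty and equally long")
    n = len(a_failed)
    p_a = sum(a_failed) / n
    p_b = sum(b_failed) / n
    p_ab = sum(1 for a, b in zip(a_failed, b_failed) if a and b) / n
    return p_a, p_b, p_ab

def md_from_history(a_failed: Sequence[int], b_failed: Sequence[int]) -> float:
    """Convenience: Eq. (1) straight from two failure histories."""
    return mapping_dependence(*estimate_probabilities(a_failed, b_failed))

# Constructed sample: ten monitoring periods for a fuel-control subsystem (A)
# and the flight-control computer it feeds (B); 1 marks an observed failure.
FUEL_CTRL   = [1, 0, 0, 1, 0, 0, 0, 1, 0, 0]
FLIGHT_CTRL = [1, 0, 0, 1, 0, 0, 0, 0, 0, 1]

if __name__ == "__main__":
    p_a, p_b, p_ab = estimate_probabilities(FUEL_CTRL, FLIGHT_CTRL)
    print(f"p_A={p_a:.2f} p_B={p_b:.2f} p_AB={p_ab:.2f} "
          f"MD(A,B)={mapping_dependence(p_a, p_b, p_ab):.3f}")
    # Independent failures give MD = 0; identical failure patterns give MD = 1.
    print(f"independent: {mapping_dependence(0.2, 0.5, 0.1):.3f}")
    print(f"identical:   {md_from_history(FUEL_CTRL, FUEL_CTRL):.3f}")
```

The joint probability p_AB is the quantity that is hardest to obtain in practice, because it requires incident records that record both systems' state in the same period; the estimator above makes that requirement explicit rather than assuming independence.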
3.4 Modeling Costs and Attributes
This stage determines the measures to be taken in response to each threat and their associated costs. For example, the ROI (Return On Investment) of proactive approaches (education/training of personnel, prevention, and redundancy of critical systems) is a better economic alternative than that of reactive approaches (active monitoring and recovery). However, the remaining difficulty is to efficiently determine cost thresholds for CAPEX and OPEX.
Threat Exposure Cost (TEC). The SEConomy approach is based on the ROSI (Return On Security Investment) model that determines the cost/benefit ratio related to security strategies [24, 5]. The single threat exposure cost in Eqn. (2) estimates the total cost of vulnerabilities given their probable occurrences within a time frame $\Delta T\,\frac{prob(N_{occurrences})}{time}$:

$$TEC(A, B) = \Delta T \sum_{i=1}^{N_{Threats}} ThreatCost_i \cdot MD(A, B) \qquad (2)$$
There are two significant challenges in quantifying vulnerability costs in Eqn. (2): (a) the economic impacts of the identified vulnerabilities ($ThreatCost$) and (b) the potential impacts given by $MD(A, B)$ on the $K$ dependent systems. However, impacts on dependencies are equally not straightforward to estimate, because the failure of one component may not always lead to the failure of another dependent system (e.g., the use of a layered defense or a "sufficient" redundancy level may reduce such risks). For example, a failure in a fuel control subsystem may not always impair an aircraft’s turbine, because a redundancy level of computers exists to provide input for the FBW and, typically, more than one turbine is used in a commercial wide/narrow-body aircraft.
Proactive Mitigation Cost (PMC). These costs are mapped based on proactive and reactive measures [12]. The $PMC$ presented in Eqn. (3) is simpler than the reactive costs. This is because the risk vector is foreseen in assessment guides/frameworks, and its mitigation actions and associated PMCs are taken into account at system design time. Additionally, it is possible to include an $InsuranceCost$ that allows the recovery of unforeseen costs.

$$PMC(A) = \sum_{i=1}^{N_{Threat}} \Delta T \,(ProactiveCost_i + InsuranceCost_i) \qquad (3)$$
Reactive Mitigation Cost (RMC). RMC are challenging to estimate, since these failures or vulnerabilities typically originate from unforeseen design aspects, implying a $ReactiveCost$ to mitigate the threat and its consequences on potentially connected systems. However, the cost of reactive mitigation does not always present a linear relation with time, i.e., a longer time to perform a reactive measure does not always mean that its cost will be higher. For example, in the case of a vulnerability through which an attacker gains privileged access to a private network, a longer time does not necessarily imply a higher monetary loss for the victim. However, in the case of a DDoS attack, there is a temporal relation, taking into account that the longer a content provider does not provide service, the greater the economic damage to the victim.
[Figure 3: a matrix with Time ($T_1, T_2, T_3, \ldots, T_j$) on one axis and Cost ($C_1, C_2, C_3, C_4, \ldots, C_i$) on the other; each cell $C_iT_j$ holds a cost function, with cost classes $[C_n, \ldots, C_m]$ and time intervals $[T_n, \ldots, T_m]$ as the axis ranges.]
Fig. 3. MTC matrix describing time-cost classes, where $C_iT_j$ classes represent a cost function $f(x, y)$
As described in Sec. 2, [25] proposed a type of fuzzy model which represents local dynamics in different state space regions by linear models. Based on their proposal, SEConomy defines different classes of RMC costs $C_i$ as a function of time $T_j$, where each class has its own cost function. Similarly to PM costs, there is also the alternative of adopting an insurance model to cover potential impacts on subsystems or directly connected systems. Further, the cost of a reactive measure (and its potential effects on dependent systems) can be mapped in the $MTC$ matrix (cf. Figure 3). On the one hand, data breaches are not time-sensitive, but may incur high costs depending on how sensitive the exposed information is. Hence, a data breach could occur in a time $T_1$ with a cost $C_i$, in which $i$ would define the relevance of the exposed information. On the other hand, a DDoS attack is time-sensitive, meaning that the longer the time without providing services (i.e., a higher $T_j$ implies a higher $C_i$), the higher the economic damage expressed by the time-cost category function.
In detail, a typical fuzzy rule defined by [25] is expressed as an Event-Condition-Action (ECA) rule, where the action is expressed by a function:

$$\text{If } x \text{ is } C \text{ and } y \text{ is } T \text{ Then } Z = f(x, y) \qquad (4)$$

$C$ and $T$ are defined, respectively, in terms of cost and time, in which $C_iT_j$ classes are associated with a linear cost function in the $MTC$ matrix [26]. Cost classes are defined as $C_i = [C_n, \ldots, C_m]$, where $n$ and $m$ belong to $\mathbb{R}_{\ge 0}$, and time classes as $T_j = [T_z, \ldots, T_w]$, where $z$ and $w$ correspond to a class time interval defined in $\mathbb{N}$. For example, an $RMC$ that happened during a time interval "$T_1$" can be associated, depending on the involved systems, with a cost category $C_1$ defined as "low cost". Thus, a $C_1T_1$ is associated with a cost function $z = F(C_1, T_1)$, which describes a price category. As previously mentioned, a $C_iT_1$ category could express, for example, a data breach. Thus, based on [25], time-cost relations can be expressed in terms of classes of cost functions mapped in the $MTC$ matrix. However, to foretell the economic impact on dependent systems, which relies on the probabilistic dependence of Eqn. (1), it is necessary to consider failures/vulnerabilities which can trigger cascading failures on correlated systems/subsystems, potentially impairing the functioning of the entire system, cf. Eqn. (5).
$$RMC(A, B) = \sum_{i=1}^{N_{System}} \sum_{i=1}^{N_{Threat}} \underbrace{MD(A, B)}_{\text{Probability of Cascade Failures}} \cdot \overbrace{MTC[C_i][T_j]}^{\text{Cost Function } f(x,y)} \qquad (5)$$
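The MTC matrix of Figure 3, the rule of Eqn. (4) and the cascade sum of Eqn. (5) are the parts of the reactive cost model that a practitioner has to make concrete, so the Python example below (added here; not code from the paper or its authors) builds a small MTC matrix, classifies an incident into its $C_iT_j$ cell, evaluates the cell's linear cost function, and sums $MD \cdot MTC[C_i][T_j]$ over systems and threats. The class boundaries, the per-cell coefficients, the two sample incidents and the rule that a threat on the analysed system itself uses $MD = 1$ are all assumptions; the paper does not fix them, and the classes here are crisp intervals rather than fuzzy memberships.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

@dataclass(frozen=True)
class Interval:
    """A half-open class [low, high) on one axis of the MTC matrix."""
    name: str
    low: float
    high: float

# Constructed axes: cost classes C1..C3 (direct loss, in an arbitrary currency)
# and time intervals T1..T3 (duration of the reactive measure, in hours).
COST_CLASSES: List[Interval] = [
    Interval("C1", 0.0, 10_000.0),
    Interval("C2", 10_000.0, 100_000.0),
    Interval("C3", 100_000.0, float("inf")),
]
TIME_INTERVALS: List[Interval] = [
    Interval("T1", 0.0, 1.0),
    Interval("T2", 1.0, 8.0),
    Interval("T3", 8.0, float("inf")),
]

def classify(value: float, classes: Sequence[Interval]) -> Interval:
    """Rule antecedent 'x is C' / 'y is T': find the class containing value."""
    if value < 0:
        raise ValueError("cost and duration must be non-negative")
    for cls in classes:
        if cls.low <= value < cls.high:
            return cls
    raise ValueError(f"no class covers {value}")

# Consequent per cell: a linear function z = a*x + b*y + c, with x the direct
# loss and y the duration. Constructed coefficients: T1 cells are not
# time-sensitive (b = 0); longer intervals add a per-hour loss that grows with
# the cost class rank, mirroring the data-breach vs. DDoS contrast in the text.
MTC: Dict[Tuple[str, str], Tuple[float, float, float]] = {}
for rank, ci in enumerate(COST_CLASSES, start=1):
    for tj in TIME_INTERVALS:
        per_hour = {"T1": 0.0, "T2": 500.0, "T3": 1_500.0}[tj.name] * rank
        MTC[(ci.name, tj.name)] = (1.0, per_hour, 0.0)

def mtc_cost(direct_loss: float, duration_h: float) -> Tuple[str, str, float]:
    """Rule (4): 'If x is C_i and y is T_j Then z = f(x, y)' using the cell's f."""
    ci = classify(direct_loss, COST_CLASSES)
    tj = classify(duration_h, TIME_INTERVALS)
    a, b, c = MTC[(ci.name, tj.name)]
    return ci.name, tj.name, a * direct_loss + b * duration_h + c

def reactive_mitigation_cost(
        systems: Sequence[Tuple[float, Sequence[Tuple[float, float]]]]) -> float:
    """Eq. (5): sum over systems and their threats of MD(A, B) * MTC[C_i][T_j].

    Each entry is (md, threats): md is the Eq. (1) dependence between the
    analysed system A and the system B where the failure originates (taken as
    1.0 for a threat on A itself, an assumption), and threats is a list of
    (direct_loss, duration_h) pairs.
    """
    total = 0.0
    for md, threats in systems:
        for direct_loss, duration_h in threats:
            total += md * mtc_cost(direct_loss, duration_h)[2]
    return total

# Constructed sample: a data breach on the system itself (not time-sensitive,
# lands in C2/T1) and a 12-hour DDoS on a system it depends on with MD = 0.5.
SAMPLE_SYSTEMS = [
    (1.0, [(50_000.0, 0.5)]),
    (0.5, [(2_000.0, 12.0)]),
]

if __name__ == "__main__":
    for loss, hours in [(50_000.0, 0.5), (2_000.0, 12.0)]:
        ci, tj, cost = mtc_cost(loss, hours)
        print(f"loss={loss:>9.0f} duration={hours:>5.1f}h -> {ci}{tj} cost={cost:.0f}")
    print(f"RMC(A, B) = {reactive_mitigation_cost(SAMPLE_SYSTEMS):.0f}")
```

Because each cell carries its own coefficients, the same direct loss maps to different reactive costs depending on the time interval, which is exactly the distinction the text draws between a breach (cost fixed by data sensitivity) and a DDoS (cost growing with outage time).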
ROSI. To benchmark the security investments, it is necessary to take into account the initial investments in security (i.e., $PMC$, proactive measures) of a system in a given time frame $\Delta T$ (e.g., monthly), multiplied by the risks and threats to which the system is exposed ($Tcost$), considering their probable occurrence ($RMC$). Finally, Eqn. (6) calculates ROSI for a single system, taking as input the threat vector ($Tcost$), mitigation costs ($RMC$), and initial investments in security ($PMC$).

$$ROSI = \Delta T \sum_{i=1}^{N_{System}} \frac{(Tcosts - RMC) - PMC}{PMC} \qquad (6)$$
3.5 Overall Economic Assessment
In the last stage, it is necessary to calculate the overall economic impact based on the ROSI of all $S$ systems, required by the $R$ roles of $A$ actors. Therefore, as illustrated in Figure 2, the $N$ economic models define an overall estimate of costs for the entire ecosystem, as illustrated by Algorithm 1.
Algorithm 1: Overall Economic Assessment (OEA)
begin
  for each Actor in Ecosystem:
    for each Role in Actor:
      for each System in Role:
        /* Correlation between linked systems in Equation 1 */
        p(x) ← dependence(System, linkedSystems)
        /* Estimate exposure costs in Equation 2 */
        threatcosts ← Tcosts(A, p(x))
        /* Estimate mitigation (Proactive and Reactive) costs in Equation 3 */
        mitigationcosts ← PMCcosts(A)
        mitigationcosts ← RMCcosts(A, p(x))
        /* Get Overall Economic Assessment (OEA) in Equation 4 */
        OEA ← ROSI(threatcosts, mitigationcosts, InitSecCost)
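Algorithm 1 ties Eqns. (1), (2), (3) and (6) together over the actor, role and system hierarchy, and the Python example below (added here; not code from the paper or its authors) runs that walk over a constructed two-system ecosystem and returns the per-system exposure, proactive and reactive costs and ROSI. Several choices are assumptions the paper leaves open: the `Actor`/`Role`/`System`/`Threat` dataclasses and field names are hypothetical; p(x) is taken as the largest Eqn. (1) correlation with any linked system, or the system's own breach probability when it is isolated; each threat carries a flat reactive cost standing in for the MTC cell value of Eqn. (5); and $\Delta T$ is folded into the cost terms before the ROSI ratio is formed.

```python
from dataclasses import dataclass, field
from math import sqrt
from typing import Dict, List, Tuple

@dataclass
class Threat:
    name: str
    threat_cost: float     # ThreatCost in Eq. (2): loss per period if exploited
    proactive_cost: float  # ProactiveCost in Eq. (3), per period
    insurance_cost: float  # InsuranceCost in Eq. (3), per period
    reactive_cost: float   # flat stand-in for the MTC[C_i][T_j] value of Eq. (5)

@dataclass
class System:
    name: str
    p_fail: float                  # breach probability p, 0 <= p <= 1
    threats: List[Threat]
    linked: Dict[str, float] = field(default_factory=dict)  # name -> joint p_AB

@dataclass
class Role:
    name: str
    systems: List[System]

@dataclass
class Actor:
    name: str
    roles: List[Role]

def mapping_dependence(p_a: float, p_b: float, p_ab: float) -> float:
    """Eq. (1), compact form; 0 when either indicator has no variance."""
    denom = sqrt(p_a * (1 - p_a) * p_b * (1 - p_b))
    return 0.0 if denom == 0.0 else (p_ab - p_a * p_b) / denom

def dependence(system: System, catalogue: Dict[str, System]) -> float:
    """p(x) for one system. Assumption: the largest Eq. (1) correlation with a
    linked system, or the system's own breach probability when it is isolated."""
    mds = [mapping_dependence(system.p_fail, catalogue[n].p_fail, p_ab)
           for n, p_ab in system.linked.items() if n in catalogue]
    return max(mds) if mds else system.p_fail

def threat_costs(system: System, p_x: float, delta_t: float) -> float:
    """Eq. (2): Delta T * sum_i ThreatCost_i * dependence."""
    return delta_t * sum(t.threat_cost * p_x for t in system.threats)

def pmc_costs(system: System, delta_t: float) -> float:
    """Eq. (3): sum_i Delta T * (ProactiveCost_i + InsuranceCost_i)."""
    return sum(delta_t * (t.proactive_cost + t.insurance_cost) for t in system.threats)

def rmc_costs(system: System, p_x: float) -> float:
    """Eq. (5) with a flat reactive cost per threat in place of the MTC cell."""
    return sum(p_x * t.reactive_cost for t in system.threats)

def rosi(tcosts: float, rmc: float, pmc: float) -> float:
    """Eq. (6) for one system: ((Tcosts - RMC) - PMC) / PMC; Delta T is in tcosts."""
    if pmc <= 0:
        raise ValueError("ROSI is undefined without a proactive investment")
    return ((tcosts - rmc) - pmc) / pmc

def overall_economic_assessment(ecosystem: List[Actor], delta_t: float = 1.0
                                ) -> Tuple[Dict[str, dict], float]:
    """Algorithm 1: walk actors -> roles -> systems, collect per-system figures,
    and sum the per-system ROSI terms as Eq. (6) does over N_System."""
    catalogue = {s.name: s for a in ecosystem for r in a.roles for s in r.systems}
    per_system: Dict[str, dict] = {}
    for actor in ecosystem:
        for role in actor.roles:
            for system in role.systems:
                p_x = dependence(system, catalogue)
                tcosts = threat_costs(system, p_x, delta_t)
                pmc = pmc_costs(system, delta_t)
                rmc = rmc_costs(system, p_x)
                per_system[system.name] = {
                    "actor": actor.name, "role": role.name, "p_x": p_x,
                    "tcosts": tcosts, "pmc": pmc, "rmc": rmc,
                    "rosi": rosi(tcosts, rmc, pmc),
                }
    return per_system, sum(v["rosi"] for v in per_system.values())

# Constructed sample ecosystem: one avionics supplier, one role, two systems;
# FBW depends on FuelCtrl with joint failure probability 0.12 (Eq. (1) gives 0.5).
ECOSYSTEM = [Actor("AvionicsSupplier", [Role("FlightControlSoftware", [
    System("FBW", 0.2,
           [Threat("spoofed sensor input", 100_000, 5_000, 1_000, 20_000)],
           linked={"FuelCtrl": 0.12}),
    System("FuelCtrl", 0.2,
           [Threat("firmware fault", 50_000, 2_000, 500, 10_000)]),
])])]

if __name__ == "__main__":
    rows, total = overall_economic_assessment(ECOSYSTEM)
    for name, r in rows.items():
        print(f"{name:9s} p(x)={r['p_x']:.2f} Tcosts={r['tcosts']:>8.0f} "
              f"PMC={r['pmc']:>6.0f} RMC={r['rmc']:>6.0f} ROSI={r['rosi']:.2f}")
    print(f"ecosystem ROSI (Eq. 6) = {total:.2f}")
```

The catalogue lookup is what lets a system's p(x) be derived from another actor's system, which is the vertical relation the framework is after; a link to a system that is not in the ecosystem mapping is silently ignored here, so an incomplete Stage 1 mapping shows up as a lower dependence rather than as an error.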
4 Discussion and Future Work
SEConomy proposes a framework to detail economic estimates for security measures in complex distributed systems. Despite providing estimates based on historical events and probabilities, failures and vulnerabilities in critical systems typically result in failures of sub-components or related systems, impacting the overall costs. Hence, it is also imperative to react to threats through reactive mitigation actions, and although their associated costs are not straightforward to calculate, it is possible to map them into categories, as proposed in SEConomy.
For example, despite all recent technological advances, the introduction of a new warning component in the Boeing 737 Max caused two accidents with hundreds of fatalities [3]. Specialists stated that a software failure (i.e., software not properly implemented/tested) in the "Angle-Of-Attack (AOA)" sensors was triggering the flight control system to push the nose of the aircraft down repeatedly. In this regard, the calculation of risks through mutual vulnerability exposure, along with other horizontal (i.e., subsystems of a system) and vertical (i.e., systems of another actor) relations, is a complex task with potential security and safety consequences.
Thus, the presented SEConomy is a novel framework for estimating costs in complex distributed systems, which provides models for cost estimation and the mapping of relations between interdependent systems and their components. In turn, the need to refine these models, especially for cybersecurity defense mechanisms, becomes visible. Future work will carry out this refinement as well as the proposal of cyber-insurance models capable of covering the mitigation of threats not foreseen during design. Also, SEConomy will be applied for in-depth evaluations in different use cases, such as the Finance and e-Health sectors, applying specific models from each sector for their respective economic estimates.
Acknowledgements
This paper was supported partially by (a) the University of Zürich UZH, Switzerland and (b) the European Union’s Horizon 2020 Research and Innovation Program under grant agreement No. 830927, the Concordia project.
References
1. AFCE: The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment. The AFCE Cyber Committee, 2013, https://www.afcea.org/committees/cyber/documents/cybereconfinal.pdf
2. J. Bauer, M. Van Eeten: Introduction to the Economics of Cybersecurity. Communications and Strategies, vol. 81, pp. 13–22, 2011
3. BBC: Boeing Admits It ’Fell Short’ on Safety Alert for 737. BBC News, pp. 1–3, 2019, https://www.bbc.com/news/business-48461110
4. R. Böhme: Security Metrics and Security Investment Models. In: International Workshop on Security. Springer, 2010, pp. 10–24
5. M. Brecht, T. Nowey: A Closer Look at Information Security Costs. In: The Economics of Information Security and Privacy, pp. 3–24. Springer, 2013
6. P. Y. Chen, G. Kataria, R. Krishnan: Correlated Failures, Diversification, and Information Security Risk Management. MIS Quarterly, pp. 397–422, 2011
7. S. Dynes, E. Goetz, M. Freeman: Cyber Security: Are Economic Incentives Adequate? In: E. Goetz, S. Shenoi (eds.) Critical Infrastructure Protection. Springer US, Boston, MA, 2008, pp. 15–27
8. M. Felici, N. Wainwright, S. Cavallini, F. Bisogni: What’s New in the Economics of Cybersecurity? IEEE Security and Privacy, vol. 14, pp. 11–13, May 2016. https://doi.org/10.1109/MSP.2016.64
9. P. Garg, L. Kohnfelder: The Threat to Our Products. Microsoft, pp. 1–8, 1999, https://adam.shostack.org/microsoft/The-Threats-To-Our-Products.docx
10. L. A. Gordon, M. P. Loeb: The Economics of Information Security Investment. ACM Transactions on Information Systems Security, vol. 5, pp. 438–457, Nov 2002. https://doi.org/10.1145/581271.581274
11. T. C. Horng: A Comparative Analysis of Supply Chain Management Practices by Boeing and Airbus: Long-term Strategic Implications. Master Thesis, Massachusetts Institute of Technology (MIT), 2006
12. N. Jentzsch: State-of-the-Art of the Economics of Cyber-Security and Privacy. IPACSO Deliverable D4.1, vol. 4, 2016
13. A. J. Kornecki, K. Hall: Approaches to Assure Safety in Fly-By-Wire Systems: Airbus vs. Boeing. In: IASTED Conf. on Software Engineering and Applications, 2004
14. L. A. Maglaras, K. H. Kim, H. Janicke, M. A. Ferrag, S. Rallis, P. Fragkou, A. Maglaras, T. J. Cruz: Cyber Security of Critical Infrastructures. ICT Express, vol. 4, pp. 42–45, 2018. https://doi.org/10.1016/j.icte.2018.02.001, http://www.sciencedirect.com/science/article/pii/S2405959517303880, SI: CI and Smart Grid Cyber Security
15. C. McGuffin, P. Mitchell: On Domains: Cyber and the Practice of Warfare. International Journal: Canada’s Journal of Global Policy Analysis, vol. 69, pp. 394–412, 2014
16. S. Moore: Gartner Forecasts Worldwide Information Security Spending to Exceed 124 Billion in 2019. Gartner, 2018, https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019
17. T. Moore: The Economics of Cybersecurity: Principles and Policy Options. International Journal of Critical Infrastructure Protection (IJCNIP), vol. 3, pp. 103–117, 2010. https://doi.org/10.1016/j.ijcip.2010.10.002, http://www.sciencedirect.com/science/article/pii/S1874548210000429
18. S. Morgan: 2019 Official Annual Cybercrime Report. Herjavec Group, 2019, https://bit.ly/2TouUT2
19. NIST: Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards and Technology (NIST) Special Publication, vol. 800, pp. 8–13, 2013
20. NIST: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Tech. rep., National Institute of Standards and Technology (NIST), 2014
21. E. Rich, J. J. Gonzalez, Y. Qian, F. O. Sveen, J. Radianti, S. Hillen: Emergent Vulnerabilities in Integrated Operations: A Proactive Simulation Study of Economic Risk. International Journal of Critical Infrastructure Protection, vol. 2, pp. 110–123, 2009. https://doi.org/10.1016/j.ijcip.2009.07.002, http://www.sciencedirect.com/science/article/pii/S1874548209000183
22. S. Robert, T. Vijay, Z. Tim: Best Practices in Cyber Supply Chain Risk Management. US Resilience Project, pp. 1–14, 2016
23. A. Shostack: Experiences Threat Modeling at Microsoft. Microsoft, pp. 1–11, 2008, https://adam.shostack.org/modsec08/Shostack-ModSec08-Experiences-Threat-Modeling-At-Microsoft.pdf
24. W. Sonnenreich, J. Albanese, B. Stout, et al.: Return On Security Investment (ROSI) - A Practical Quantitative Model. Journal of Research and Practice in Information Technology, vol. 38, pp. 45–52, 2006
25. T. Takagi, M. Sugeno: Fuzzy Identification of Systems and its Applications to Modeling and Control. In: Readings in Fuzzy Sets for Intelligent Systems, pp. 387–403. Elsevier, 1993
26. H. O. Wang, K. Tanaka, M. F. Griffin: An Approach to Fuzzy Control of Nonlinear Systems: Stability and Design Issues. IEEE Transactions on Fuzzy Systems, vol. 4, pp. 14–23, 1996
27. WhiteHouse: The Cost of Malicious Cyber Activity to the U.S. Economy. White House, 2018, https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf
28. K. Wuyts, R. Scandariato, W. Joosen, M. Deng, B. Preneel: LINDDUN: A Privacy Threat Analysis Framework. DistriNet, pp. 1–23, 2019, https://people.cs.kuleuven.be/~kim.wuyts/LINDDUN/LINDDUN.pdf