Research Proposal

Using Statistics to Measure Cyber Attack and Defense

To read the full-text of this research, you can request a copy directly from the author.


This paper explores a proposed framework to evaluate technology implemented across the enterprise and considers several metrics to identify false negatives and positives, ensuring adequate statistical analysis of vulnerability data. The outcomes provide better awareness and defense, also guaranteeing knowledge of the limitations of the tools. This awareness helps to protect high-value assets from attack by implementing better security controls.

Purpose: An action is utilitarian when it is both useful and practical. In this paper we examine a number of traditional information security management practices in order to ascertain their utility. That analysis is performed according to the particular set of challenges and requirements experienced by very large organizations. Examples of such organizations include multinational corporations, the governments of large nations, and global investment banks. Design/methodology/approach: We perform a gap analysis of a number of security management practices. Our examination is focused on the question of whether these practices are both useful and practical when employed within very large organizations. Findings: We identify a number of information security management practices that are considered to be “best practice” in the general case but that are suboptimal at the margin represented by very large organizations. A number of alternative management practices are proposed that compensate for the identified weaknesses. Originality/value: Quoting from the conclusion of the paper: We have seen in our analysis within this paper that some best practices can experience what economists refer to as diminishing marginal utility. As the target organization drifts from the typical use-case the amount of value-added declines and can potentially enter negative territory. We have also examined the degree of innovation in the practice of security management and the extent to which the literature can support practical, real-world activities. In both areas we have identified a number of opportunities to perform further work.
Purpose: The empirical record of cyberattacks features much computer crime, espionage and hacktivism, but none of the major damage feared in prevalent threat narratives. The purpose of this article is to explain the absence of serious adverse consequences to date and the durability of this trend. Design/methodology/approach: This paper combines concepts from international relations theory and new institutional economics to understand cyberspace as a complex global institution with contracts embodied in both software code and human practice. Constitutive inefficiencies (market and regulatory failure) and incomplete contracts (generative features and unintended flaws) create the vulnerabilities that hackers exploit. Cyber conflict is a form of cheating within the rules, rather than an anarchic struggle, more like an intelligence-counterintelligence contest than traditional war. Findings: Cyber conflict is restrained by the collective sociotechnical constitution of cyberspace, where actors must cooperate to compete. Maintenance of common protocols and open access is a condition for the possibility of attack, and successful deceptive exploitation of these connections becomes more difficult in politically sensitive situations as defense and deterrence become more feasible. The distribution of cyber conflict is, thus, bounded vertically in severity but unbounded horizontally in the potential for creative exploitation. Originality/value: Cyber conflict can be understood with familiar political economic concepts applied in fresh ways. This application provides counterintuitive insights at odds with prevalent threat narratives about the likelihood and magnitude of cyber conflict. It also highlights the important advantages of strong states over the weaker non-state actors widely thought to be empowered by cyberspace.
Purpose: This paper aims to provide an overview of the main research topics in the emerging fields of cyber risk and cyber risk insurance. The paper also illustrates future research directions, from both academic and practical points of view. Design/methodology/approach: The authors conduct a literature review on cyber risk and cyber risk insurance using a standardized search and identification process that has been used in various academic articles. Based upon this selection process, a database of 209 papers is created. The main research results findings are extracted and organized in seven clusters. Findings: The results illustrate the immense difficulties to insure cyber risk, especially due to a lack of data and modelling approaches, the risk of change and incalculable accumulation risks. The authors discuss various ways to overcome these insurability limitations, such as mandatory reporting requirements, pooling of data or public–private partnerships in which the government covers parts of the risk. Originality/value: Despite its increasing relevance for businesses at present, research on cyber risk is limited. Many papers can be found in the IT domain, but relatively little research has been done in the business and economics literature. The authors illustrate where research stands currently and outline directions for future research.
Criminal law and economics rests on the expectation that deterrence incentives can be employed to reduce crime. Prison survey evidence however suggests that a majority of criminals are biased and may not react to deterrence incentives. This study employs an extra-laboratory experiment with criminals in a German prison to test the effectiveness of deterrence and compares it with data of student subjects. Subjects either face potential punishment when stealing, or they can steal without deterrence. We confirm Gary Becker’s deterrence hypothesis that deterrence works for criminals (and similarly for students). We observe significantly more risk-seeking criminals than students, although the vast majority (80.77 %) of criminals behaves risk-neutral or risk-averse.