Framework for evaluating economic impact of IT based disasters on the interdependent sectors of the US economy

The US economic system has become highly dependent on the Information Technology (IT) sector in the past several years and classified it as one of the critical infrastructures. The IT sector is a conglomerate of Internet services, Software industry, Computer design based infrastructures, and Information and data processing systems. Like every economic sector it is susceptible to natural and man-made disasters that cause disruptions to the production and delivery of services essential to other economic sectors, which are interdependent on each other within this economic system. This paper focuses on such perturbations caused by Denial-of-Service (DoS) attacks on Information Technology infrastructure, and their consequences propagated in the form of inoperability and amplified losses as a result of these economic sector interdependencies. It analyzes the effects of such a scenario on the recovery behavior and indirect economic losses to other sectors of the economy. The Dynamic Inoperability Input Output model (DIIM) is utilized to identify the highly affected economic sectors based on two parameters: 1) the overall daily average economic loss, and 2) the average inoperability within the sectors. A modification to the model is proposed to accommodate variable inoperability over multiple periods. The paper utilizes Bureau of Economic Analysis (BEA) statistics to simulate the effects of an IT disaster scenario using a DoS attack example. This research provides policymakers a framework for estimating the consequences to the US economy of disruptions to the IT sector through a decision tool they can use for strategic planning, resilience management, and risk mitigation strategies across the economic sectors dependent on Information technology.

[1]  Joost R. Santos,et al.  INOPERABILITY INPUT-OUTPUT MODEL 2 . 1 . Background : Leontief Input-Output Model , 2005 .

[2]  Miles A. McQueen,et al.  Quantitative Cyber Risk Reduction Estimation Methodology for a Small SCADA Control System , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[3]  E. Andrijcic,et al.  A Macro‐Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property , 2006, Risk analysis : an official publication of the Society for Risk Analysis.

[4]  Joost R. Santos,et al.  An integrated approach to customer elicitation for the aerospace sector , 2006 .

[5]  John D. Howard,et al.  An analysis of security incidents on the Internet 1989-1995 , 1998 .

[6]  Joost R. Santos,et al.  Modeling the Demand Reduction Input‐Output (I‐O) Inoperability Due to Terrorism of Interconnected Infrastructures * , 2004, Risk analysis : an official publication of the Society for Risk Analysis.

[7]  Joost R. Santos,et al.  A Framework for Linking Cybersecurity Metrics to the Modeling of Macroeconomic Interdependencies , 2007, Risk analysis : an official publication of the Society for Risk Analysis.

[8]  Yacov Y. Haimes,et al.  Hierarchical Holographic Modeling , 1981, IEEE Transactions on Systems, Man, and Cybernetics.

[9]  Wassily Leontief Input-Output Economics , 1966 .

[10]  Fabio Bisogni,et al.  Assessing the Economic Loss and Social Impact of Information System Breakdowns , 2010, Critical Infrastructure Protection.

[11]  Edouard Kujawski Multi-period model for disruptive events in interdependent systems , 2006 .

[12]  Yacov Y. Haimes,et al.  Risks of Terrorism to Information Technology and to Critical Interdependent Infrastructures , 2004 .

[13]  James H. Lambert,et al.  ASSESSING AND MANAGING RISK OF TERRORISM TO VIRGINIA'S INTERDEPENDENT TRANSPORTATION SYSTEMS , 2004 .

[14]  Yacov Y Haimes,et al.  Risk Filtering, Ranking, and Management Framework Using Hierarchical Holographic Modeling , 2002, Risk analysis : an official publication of the Society for Risk Analysis.

[15]  M. Eric Johnson,et al.  Costs to the U.S. Economy of Information Infrastructure Failures: Estimates from Field Studies and Economic Data , 2006, WEIS.

[16]  Yacov Y Haimes,et al.  Systemic Valuation of Strategic Preparedness Through Application of the Inoperability Input‐Output Model with Lessons Learned from Hurricane Katrina , 2007, Risk analysis : an official publication of the Society for Risk Analysis.

[17]  Yacov Y. Haimes,et al.  Risk modeling, assessment, and management , 1998 .

[18]  Joost R. Santos,et al.  Extreme Risk Analysis of Interdependent Economic and Infrastructure Sectors , 2007, Risk analysis : an official publication of the Society for Risk Analysis.

[19]  Yacov Y. Haimes,et al.  Journal of Homeland Security and Emergency Management A Roadmap for Quantifying the Efficacy of Risk Management of Information Security and Interdependent , 2011 .

[20]  Yacov Y. Haimes,et al.  Managing the risk of terrorism to interdependent infrastructure systems through the dynamic inoperability input–output model , 2006 .

[21]  Ashish Garg,et al.  Quantifying the financial impact of IT security breaches , 2003, Inf. Manag. Comput. Secur..

[22]  Mark A. Turnquist,et al.  Assessing the performance of interdependent infrastructures and optimizing investments , 2004, 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings of the.

[23]  Yacov Y. Haimes,et al.  Uncertainty Analysis of Interdependencies in Dynamic Infrastructure Recovery: Applications in Risk-Based Decision Making , 2009 .

[24]  Hideyuki Tanaka Quantitative analysis of information security interdependency between industrial sectors , 2009, ESEM 2009.

[25]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[26]  Y. Haimes,et al.  Leontief-Based Model of Risk in Complex Interconnected Infrastructures , 2001 .

[27]  A. Rosenfeld,et al.  IEEE TRANSACTIONS ON SYSTEMS , MAN , AND CYBERNETICS , 2022 .