Modeling the Ripple Effects of IT‐Based Incidents on Interdependent Economic Systems

The information technology (IT) sector is one of the most critically utilized infrastructures within the U.S. economic system. The IT sector is vulnerable to man-made attacks, and it is challenging to assess the consequences of disruptions to the production and delivery of essential IT services to other economic systems. In this paper, we developed a dynamic model based on economic input-output analysis to assess time-varying disruptions on the IT sector over multiple periods. The model is applied in an ex post analysis of an actual denial-of-service (DoS) attack scenario on the IT infrastructure to estimate the consequences propagated to interdependent economic systems. The model uses Bureau of Economic Analysis data to simulate the effects of IT-based incidents and subsequently identify the critically affected economic sectors. Key results of the case study include assessments of ripple effects to vulnerable sectors in the form of inoperability and economic loss measures. An investigation of the DoS attack in year 2000 using the proposed dynamic model revealed significant losses that are consistent with the magnitude of losses from previous studies. Furthermore, the model is capable of depicting the breakdown of losses across various economic sectors, which is a significant improvement relative to previously published results. This research also extends into a multiyear trend analysis (1999-2009) to aid in developing policies for reducing the effects of IT risks across the interdependent sectors of the U.S. economy.
