Understanding Cyber-risk by Investigating the Behaviour of Defender and Threat Agent Organisations: Why a Complex Adaptive Systems Perspective Contributes to Further Understanding Cyber-risk

Cyber-attacks have become inevitable in modern-day society, and their occurrence is increasingly treated as an organisational risk. This has raised interest in risk analysis methods that try to better understand this so-called cyber-risk. However, these methods fall short because they do not sufficiently account for the behaviour of defender organisations, which can be public or private organisations, or for the behaviour of threat agent organisations, those who perform cyber-attacks. Both behaviours are important determinants of cyber-risk. In this paper, a complex adaptive systems (CAS) perspective is used for cyber-risk analysis. Performing cyber-risk analysis through this perspective improves understanding of the relationship between defender and threat agent behaviour and cyber-risk. To generate these insights, an agent-based model (ABM) is constructed. I will show that this novel combination of cyber-risk and CAS generates new insights regarding the cyber-risk carried by a defender organisation. The novelty of these insights should encourage scholars in the field of cyber-risk to embrace the CAS perspective in cyber-risk analysis, so that the understanding of cyber-risk can be further increased.
