A Framework for Linking Cybersecurity Metrics to the Modeling of Macroeconomic Interdependencies

Hierarchical decision making is a multidimensional process involving management of multiple objectives (with associated metrics and tradeoffs in terms of costs, benefits, and risks), which span various levels of a large‐scale system. The nation is a hierarchical system as it consists multiple classes of decisionmakers and stakeholders ranging from national policymakers to operators of specific critical infrastructure subsystems. Critical infrastructures (e.g., transportation, telecommunications, power, banking, etc.) are highly complex and interconnected. These interconnections take the form of flows of information, shared security, and physical flows of commodities, among others. In recent years, economic and infrastructure sectors have become increasingly dependent on networked information systems for efficient operations and timely delivery of products and services. In order to ensure the stability, sustainability, and operability of our critical economic and infrastructure sectors, it is imperative to understand their inherent physical and economic linkages, in addition to their cyber interdependencies. An interdependency model based on a transformation of the Leontief input‐output (I‐O) model can be used for modeling: (1) the steady‐state economic effects triggered by a consumption shift in a given sector (or set of sectors); and (2) the resulting ripple effects to other sectors. The inoperability metric is calculated for each sector; this is achieved by converting the economic impact (typically in monetary units) into a percentage value relative to the size of the sector. Disruptive events such as terrorist attacks, natural disasters, and large‐scale accidents have historically shown cascading effects on both consumption and production. Hence, a dynamic model extension is necessary to demonstrate the interplay between combined demand and supply effects. The result is a foundational framework for modeling cybersecurity scenarios for the oil and gas sector. A hypothetical case study examines a cyber attack that causes a 5‐week shortfall in the crude oil supply in the Gulf Coast area.

[1]  Eric O'N. Fisher,et al.  The Structure of the American Economy , 2008 .

[2]  Joost R. Santos,et al.  INOPERABILITY INPUT-OUTPUT MODEL 2 . 1 . Background : Leontief Input-Output Model , 2005 .

[3]  James H. Lambert,et al.  Inoperability Input-Output Model for Interdependent Infrastructure Sectors. I: Theory and Methodology , 2005 .

[4]  James H. Lambert,et al.  Inoperability Input-Output Model for Interdependent Infrastructure Sectors. II: Case Studies , 2005 .

[5]  Adam L. Turk,et al.  [Simulated nation-wide consequence of disruptions to the petroleum industry in the western U.S. gulf coast]. , 2005 .

[6]  A. Rose,et al.  Modeling Regional Economic Resilience to Disasters: A Computable General Equilibrium Analysis of Water Service Disruptions , 2005 .

[7]  Douglas S. Meade,et al.  Wassily Leontief and Input -- Output Economics , 2005 .

[8]  Joost R. Santos,et al.  Modeling the Demand Reduction Input‐Output (I‐O) Inoperability Due to Terrorism of Interconnected Infrastructures * , 2004, Risk analysis : an official publication of the Society for Risk Analysis.

[9]  Rae Zimmerman,et al.  Digital infrastructures : enabling civil and environmental systems through information technology , 2004 .

[10]  Richard Mesic,et al.  Finding and Fixing Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation Methodology , 2004 .

[11]  A. Jones,et al.  A PERSPECTIVE ON CYBERSECURITY RESEARCH IN THE UNITED STATES. IN: TERRORISM. REDUCING VULNERABILITIES AND IMPROVING RESPONSES. U.S.-RUSSIAN WORKSHOP PROCEEDINGS. , 2004 .

[12]  A. Rose Economic Principles, Issues, and Research Priorities in Hazard Loss Estimation , 2004 .

[13]  Marianne Swanson,et al.  Security metrics guide for information technology systems , 2003 .

[14]  David Bailey,et al.  Practical SCADA for industry , 2003 .

[15]  Ilhan Kubilay Geçkil,et al.  Northeast Blackout Likely to Reduce US Earnings by $6.4 Billions , 2003 .

[16]  Yacov Y. Haimes,et al.  Roadmap for Modeling Risks of Terrorism to the Homeland , 2002 .

[17]  Yacov Y Haimes,et al.  Risk Filtering, Ranking, and Management Framework Using Hierarchical Holographic Modeling , 2002, Risk analysis : an official publication of the Society for Risk Analysis.

[18]  Y. Haimes,et al.  Leontief-Based Model of Risk in Complex Interconnected Infrastructures , 2001 .

[19]  Masanobu Shinozuka,et al.  Integrating Transportation Network and Regional Economic Models to Estimate the Costs of a Large Urban Earthquake , 2001 .

[20]  Michael L. Lahr,et al.  Input-output analysis: frontiers and extensions , 2001 .

[21]  Christopher J. Alberts,et al.  Improving the Security of Networked Systems , 2000 .

[22]  Niall M. Fraser,et al.  The modified star graph and the petal diagram: two new visual aids for discrete alternative multicriteria decision making , 1998 .

[23]  John D. Howard,et al.  An analysis of security incidents on the Internet 1989-1995 , 1998 .

[24]  R. M. Beemiller,et al.  Regional multipliers: A user handbook for the regional input-output modeling system (RIMS II). Second edition , 1992 .

[25]  W. Leontief Input-output economics , 1967 .

[26]  L. Rostas,et al.  The Structure of American Economy, 1919-1939: An Empirical Application of Equilibrium Analysis , 1943 .

[27]  T. Tidwell,et al.  Modeling Internet Attacks , 2022 .