Prioritizing investment in military cyber capability using risk analysis

Rowe, Cayt; Zadeh, Hossein Seif; Garanovich, Ivan L.; Jiang, Li; Bilusich, Daniel; Nunes-Vaz, Rick; Ween, A.

doi:10.1177/1548512917707077

Cited by 6 publications

(6 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Despite their argument that scenario-based modeling may be inadequate for cyber warfare applications, Rowe et al [99] employed Monte Carlo sampling to estimate the proportion of different types of attacks that were expected to be successful.…”

Section: A Uncertaintymentioning

confidence: 99%

“…Filinkov and Dortmans [101] stated that scenario-based analyses tend to focus on generic conflicts that may arise, but would likely be better focused on identifying and mitigating the conditions that give rise to these conflicts. Rowe et al [99] argued that scenario-based modeling isn't well suited to address cyber warfare problems and proposed risk-based analysis as a suitable alternative. Despite these criticisms, scenario-based approaches are by far the most common approach to address uncertainty.…”

Section: A Uncertaintymentioning

confidence: 99%

See 1 more Smart Citation

Portfolio Optimization for Defence Applications

et al. 2020

View full text Add to dashboard Cite

The problem of designing an effective future defense force is quite complex and challenging. One methodology that is often employed in this domain is portfolio optimization, whereby the objective is to select a diverse set of assets that maximize the return on investment. In the defense context, the return on investment is often measured in terms of the capabilities that the investments will provide. While the field of portfolio optimization is well established, applications in the defense sector pose unique challenges not seen in other application domains. However, the literature regarding portfolio optimization for defense applications is rather sparse. To this end, this paper provides a structured review of recent applications and identifies a number of areas that warrant further investigation.

show abstract

Section: A Uncertaintymentioning

confidence: 99%

Section: A Uncertaintymentioning

confidence: 99%

Portfolio Optimization for Defence Applications

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Decision makers must decide, based on their particular organisation's threat profile, where it should invest including, of course, other considerations such as capital, training and ongoing maintenance costs etc. Refer to [44] for more details of this step.…”

Section: Security-in-depth For Managing Insider Threatsmentioning

confidence: 99%

“…In the remainder of the paper, we address these issues through the use of a risk-based framework called Security-in-Depth (SiD) [40]. SiD was originally developed to support investment decisions in the physical security domain [41], [42], but was then extended and applied to address all national security threat types [43] and more recently to explore Defence's needs in building cyber security capability [44].…”

Section: Introductionmentioning

confidence: 99%

There Is No Single Solution to the ‘Insider’ Problem but There Is a Valuable Way Forward

et al. 2018

Self Cite

View full text Add to dashboard Cite

The threat posed by insiders deliberately or inadvertently misusing their knowledge and access to sensitive information is a major security challenge. Finding effective, acceptable and affordable ways to manage the insider threat is non-trivial, involving the use of controls that range from technical to procedural. To make matters worse, insider activities range from inadvertent or accidental disclosure, through deliberate damage caused by disgruntled employees, to the pre-positioned mole who may undermine the organisation's viability or purpose. The same controls will have different levels of effectiveness for each of these insider types. Based on these factors, attempting to find a single, optimised, universal solution to insider threats is illogical. However, the literature still contains statements such as 'deterrence is the best approach for insiders'. There are dangers for security managers in drawing broad conclusions across the insider threat spectrum based on statements like these. Insider threats typically have a distribution of incidents where there are many of small consequence coexisting with a small number of incidents with very large consequences. This suggests that risk management techniques are a relevant, and arguably the most appropriate, framework for insider management. We have developed and applied a risk-based framework to model the spectrum of insider threat types, to enable the decision maker to determine the relative security effectiveness of alternative solutions. It allows decision makers to prioritise security investment to achieve the greatest benefit-cost using residual risk as the performance metric. Our framework provides a traceable and accountable method for organisations to balance their investments in controls, according to the complex spectrum of insider activity they are dealing with. They may also extend the approach, using robust analysis, to manage their uncertainties. Our framework supports security managers in customising security for their organisation based on its unique requirements.

show abstract

“…In the remainder of the paper, we address these issues using a risk-based framework which we have called Security-in-Depth (SiD) [46]. SiD was originally developed to support investment decisions in the physical security domain [47,48], but was then extended and applied to address all national security threat types [32] and to explore Defence's needs in building cyber security capabilities [49]. We begin by providing a brief introduction to the SiD approach, and then apply it to a case study example where we take the role of the security manager of a hypothetical organisation tasked with improving the security against insider threats with a limited budget.…”

Section: Introductionmentioning

confidence: 99%

A Risk-Based Framework to Inform Prioritisation of Security Investment for Insider Threats

Sektas-Bilusich¹,

Nunes-Vaz²,

Chim³

et al. 2020

IJSSE

View full text Add to dashboard Cite

Threats to information security from inside an organisation are difficult to manage as insiders, by definition, have legitimate access to the organisation's information, consistent with their roles. Impacts of insider threats range from minor information compromise perhaps through carelessness, to catastrophic financial and reputational damage. Security managers are required to continually upgrade security measures to reduce the risk posed by insider threats, however with so many security controls to choose from, finding optimal security solutions based on benefit-cost is challenging. We have developed a risk-based framework called Security-in-Depth (SiD) where residual risk is the metric that assists the security manager to make informed decisions on which security packages contribute more to the organisation's security objectives. We present a case study to illustrate the way our framework is applied, customised to manage a range of insider threats. Uncertainties about the future threat spectrum and the future effectiveness of controls are included in the framework to inform the decisionmaking process.

show abstract

Prioritizing investment in military cyber capability using risk analysis

Cited by 6 publications

References 8 publications

Portfolio Optimization for Defence Applications

Portfolio Optimization for Defence Applications

There Is No Single Solution to the ‘Insider’ Problem but There Is a Valuable Way Forward

A Risk-Based Framework to Inform Prioritisation of Security Investment for Insider Threats

Contact Info

Product

Resources

About