Printed from https://ideas.repec.org/a/inm/ordeca/v21y2024i4p215-234.html

Measuring and Mitigating the Risk of Advanced Cyberattackers

Author

  • Amitai Gilad

    (Coller School of Management, Tel Aviv University, Tel Aviv 6997801, Israel)

  • Asher Tishler

    (Coller School of Management, Tel Aviv University, Tel Aviv 6997801, Israel)

Abstract

Sophisticated cyberattackers (commonly known as advanced persistent threats (APTs)) pose enormous risks to organizations such as financial institutions, industrial and commercial firms, government institutions, and power grids. This study presents a method and an index to measure the vulnerability of organizations to APT risk and shows why a one-size-fits-all solution to mitigate APT risk does not exist. Our vulnerability index is based on a model that describes the optimal behavior of a cyberattacker (APT) with research and development capabilities aspiring to attack a network that manages the organization and a network operator that deploys blocking and detection measures to protect its organization from the attack. We demonstrate how our vulnerability index, which accounts for the network’s structure and the APTs’ resources and strategy, can be used in realistic risk assessments and optimal resource allocation procedures and serve as a benchmark for organizations’ preparedness against APTs’ cyberattacks. We also propose that regulatory agencies of financial (and other) institutions provide the parameters that define an APT’s profile and request, as part of their periodic assessments of the organizations that they regulate, that our (or similar) vulnerability index will be reported to them by the regulated institutions. Finally, the viability of our index in modeling modern cybersecurity defense procedures shows that not only is there no silver bullet defense against all types of APTs, it is also imperative to account for APTs’ heterogeneity because detection and blocking measures can be complements, substitutes, or even degrade each other. For example, when the attacker’s (defender’s) budget is extremely large (small), the defender should deploy only detection measures, strongly advocating Zero Trust practices.

Suggested Citation

  • Amitai Gilad & Asher Tishler, 2024. "Measuring and Mitigating the Risk of Advanced Cyberattackers," Decision Analysis, INFORMS, vol. 21(4), pages 215-234, December.
  • Handle: RePEc:inm:ordeca:v:21:y:2024:i:4:p:215-234
    DOI: 10.1287/deca.2023.0072

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/deca.2023.0072
    Download Restriction: no



