Printed from https://ideas.repec.org/a/wly/riskan/v39y2019i10p2119-2126.html

Risk and the Five Hard Problems of Cybersecurity

Authors
  • Natalie M. Scala
  • Allison C. Reilly
  • Paul L. Goethals
  • Michel Cukier

Abstract

This perspectives article addresses risk in cyber defense and identifies opportunities to incorporate risk analysis principles into the cybersecurity field. The Science of Security (SoS) initiative at the National Security Agency seeks to further and promote interdisciplinary research in cybersecurity. SoS organizes its research into the Five Hard Problems (5HP): (1) scalability and composability; (2) policy‐governed secure collaboration; (3) security‐metrics–driven evaluation, design, development, and deployment; (4) resilient architectures; and (5) understanding and accounting for human behavior. However, a vast majority of the research sponsored by SoS does not consider risk and when it does so, only implicitly. Therefore, we identify opportunities for risk analysis in each hard problem and propose approaches to address these objectives. Such collaborations between risk and cybersecurity researchers will enable growth and insight in both fields, as risk analysts may apply existing methodology in a new realm, while the cybersecurity community benefits from accepted practices for describing, quantifying, working with, and mitigating risk.

Suggested Citation

  • Natalie M. Scala & Allison C. Reilly & Paul L. Goethals & Michel Cukier, 2019. "Risk and the Five Hard Problems of Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 39(10), pages 2119-2126, October.
  • Handle: RePEc:wly:riskan:v:39:y:2019:i:10:p:2119-2126
    DOI: 10.1111/risa.13309

    Download full text from publisher

    File URL: https://doi.org/10.1111/risa.13309
    Download Restriction: no

    References listed on IDEAS

    1. Joost R. Santos & Yacov Y. Haimes & Chenyang Lian, 2007. "A Framework for Linking Cybersecurity Metrics to the Modeling of Macroeconomic Interdependencies," Risk Analysis, John Wiley & Sons, vol. 27(5), pages 1283-1297, October.
    2. M.‐Elisabeth Paté‐Cornell & Marshall Kuypers & Matthew Smith & Philip Keller, 2018. "Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 226-241, February.
    3. Frederiks, Elisha R. & Stenner, Karen & Hobman, Elizabeth V., 2015. "Household energy use: Applying behavioural economics to understand consumer decision-making and behaviour," Renewable and Sustainable Energy Reviews, Elsevier, vol. 41(C), pages 1385-1394.
    4. Kim Kaivanto, 2014. "The Effect of Decentralized Behavioral Decision Making on System‐Level Risk," Risk Analysis, John Wiley & Sons, vol. 34(12), pages 2121-2142, December.
    5. Matthew H. Henry & Yacov Y. Haimes, 2009. "A Comprehensive Network Security Risk Model for Process Control Networks," Risk Analysis, John Wiley & Sons, vol. 29(2), pages 223-248, February.
    6. J. S. Busby & B. Green & D. Hutchison, 2017. "Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk," Risk Analysis, John Wiley & Sons, vol. 37(7), pages 1298-1314, July.
    7. Hulisi Öğüt & Srinivasan Raghunathan & Nirup Menon, 2011. "Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self‐Protection," Risk Analysis, John Wiley & Sons, vol. 31(3), pages 497-512, March.
    8. Casey Inez Canfield & Baruch Fischhoff, 2018. "Setting Priorities in Behavioral Interventions: An Application to Reducing Phishing Risk," Risk Analysis, John Wiley & Sons, vol. 38(4), pages 826-838, April.
    9. Daniel DiMase & Zachary A. Collier & Jinae Carlson & Robin B. Gray & Igor Linkov, 2016. "Traceability and Risk Analysis Strategies for Addressing Counterfeit Electronics in Supply Chains for Complex Systems," Risk Analysis, John Wiley & Sons, vol. 36(10), pages 1834-1843, October.
    10. Rebecca R. Thompson & Dana Rose Garfin & Roxane Cohen Silver, 2017. "Evacuation from Natural Disasters: A Systematic Review of the Literature," Risk Analysis, John Wiley & Sons, vol. 37(4), pages 812-839, April.
    11. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
    12. Eva Andrijcic & Barry Horowitz, 2006. "A Macro‐Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property," Risk Analysis, John Wiley & Sons, vol. 26(4), pages 907-923, August.
    13. Ginger Davis & Alfredo Garcia & Weide Zhang, 2009. "Empirical Analysis of the Effects of Cyber Security Incidents," Risk Analysis, John Wiley & Sons, vol. 29(9), pages 1304-1316, September.
    14. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2016. "Mandatory Standards and Organizational Information Security," Information Systems Research, INFORMS, vol. 27(1), pages 70-86, March.
    15. Woods, David D., 2015. "Four concepts for resilience and the implications for the future of resilience engineering," Reliability Engineering and System Safety, Elsevier, vol. 141(C), pages 5-9.
    16. Jun Zhuang & Vicki M. Bier, 2010. "Reasons for Secrecy and Deception in Homeland‐Security Resource Allocation," Risk Analysis, John Wiley & Sons, vol. 30(12), pages 1737-1743, December.
    17. Jason R. W. Merrick & Philip Leclerc, 2016. "Modeling Adversaries in Counterterrorism Decisions Using Prospect Theory," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 681-693, April.
    18. Meilin He & Laura Devine & Jun Zhuang, 2018. "Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 215-225, February.

    Citations

    Cited by:


    1. Fazal Raheman, 2022. "The Future of Cybersecurity in the Age of Quantum Computers," Future Internet, MDPI, vol. 14(11), pages 1-12, November.
    2. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    3. Todor Tagarev, 2020. "Towards the Design of a Collaborative Cybersecurity Networked Organisation: Identification and Prioritisation of Governance Needs and Objectives," Future Internet, MDPI, vol. 12(4), pages 1-19, March.
    4. Alessandro Mazzoccoli & Maurizio Naldi, 2022. "An Overview of Security Breach Probability Models," Risks, MDPI, vol. 10(11), pages 1-29, November.
    5. Reilly, Allison C. & Baroud, Hiba & Flage, Roger & Gerst, Michael D., 2021. "Sources of uncertainty in interdependent infrastructure and their implications," Reliability Engineering and System Safety, Elsevier, vol. 213(C).
    6. Alessandro Mazzoccoli, 2023. "Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis," Risks, MDPI, vol. 11(9), pages 1-14, August.
    7. Schmidt, Adam & Albert, Laura A. & Zheng, Kaiyue, 2021. "Risk management for cyber-infrastructure protection: A bi-objective integer programming approach," Reliability Engineering and System Safety, Elsevier, vol. 205(C).
