Printed from https://ideas.repec.org/a/wly/riskan/v41y2021i1p16-36.html

An Adversarial Risk Analysis Framework for Cybersecurity

Authors
  • David Rios Insua
  • Aitor Couce‐Vieira
  • Jose A. Rubio
  • Wolter Pieters
  • Katsiaryna Labunets
  • Daniel G. Rasines

Abstract

Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as a template for more complex problems.

Suggested Citation

  • David Rios Insua & Aitor Couce‐Vieira & Jose A. Rubio & Wolter Pieters & Katsiaryna Labunets & Daniel G. Rasines, 2021. "An Adversarial Risk Analysis Framework for Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 41(1), pages 16-36, January.
  • Handle: RePEc:wly:riskan:v:41:y:2021:i:1:p:16-36
    DOI: 10.1111/risa.13331

    Download full text from publisher

    File URL: https://doi.org/10.1111/risa.13331
    Download Restriction: no


    References listed on IDEAS

    1. Schilling, Andreas & Werners, Brigitte, 2016. "Optimal selection of IT security safeguards from an existing knowledge base," European Journal of Operational Research, Elsevier, vol. 248(1), pages 318-327.
    2. Casey Rothschild & Laura McLay & Seth Guikema, 2012. "Adversarial Risk Analysis with Incomplete Information: A Level‐k Approach," Risk Analysis, John Wiley & Sons, vol. 32(7), pages 1219-1231, July.
    3. Jason Merrick & Gregory S. Parnell, 2011. "A Comparative Analysis of PRA and Intelligent Adversary Methods for Counterterrorism Risk Management," Risk Analysis, John Wiley & Sons, vol. 31(9), pages 1488-1510, September.
    4. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
5. Louis Anthony (Tony) Cox, 2008. "What's Wrong with Risk Matrices?," Risk Analysis, John Wiley & Sons, vol. 28(2), pages 497-512, April.
    6. Ross D. Shachter, 1986. "Evaluating Influence Diagrams," Operations Research, INFORMS, vol. 34(6), pages 871-882, December.
    7. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
    8. Jorge González-Ortega & Vesela Radovic & David Ríos Insua, 2018. "Utility Elicitation," International Series in Operations Research & Management Science, in: Luis C. Dias & Alec Morton & John Quigley (ed.), Elicitation, chapter 0, pages 241-264, Springer.
    10. Luis C. Dias & Alec Morton & John Quigley, 2018. "Elicitation: State of the Art and Science," International Series in Operations Research & Management Science, in: Luis C. Dias & Alec Morton & John Quigley (ed.), Elicitation, chapter 0, pages 1-14, Springer.
    Full references (including those not matched with items on IDEAS)

    Citations

    Cited by:

    1. Eric DuBois & Ashley Peper & Laura A. Albert, 2023. "Interdicting Attack Plans with Boundedly Rational Players and Multiple Attackers: An Adversarial Risk Analysis Approach," Decision Analysis, INFORMS, vol. 20(3), pages 202-219, September.
    2. William N. Caballero & Ethan Gharst & David Banks & Jeffery D. Weir, 2023. "Multipolar Security Cooperation Planning: A Multiobjective, Adversarial-Risk-Analysis Approach," Decision Analysis, INFORMS, vol. 20(1), pages 16-39, March.
    3. Anna Adamik & Michał Nowicki & Andrius Puksas, 2022. "Energy Oriented Concepts and Other SMART WORLD Trends as Game Changers of Co-Production—Reality or Future?," Energies, MDPI, vol. 15(11), pages 1-38, June.
    4. Muhammad Ejaz & Stephen Joe & Chaitanya Joshi, 2021. "Adversarial Risk Analysis for Auctions Using Mirror Equilibrium and Bayes Nash Equilibrium," Decision Analysis, INFORMS, vol. 18(3), pages 185-202, September.
    5. Ben Jabeur, Sami & Ballouk, Hossein & Ben Arfi, Wissal & Sahut, Jean-Michel, 2023. "Artificial intelligence applications in fake review detection: Bibliometric analysis and future avenues for research," Journal of Business Research, Elsevier, vol. 158(C).
    6. Ekin, Tahir & Naveiro, Roi & Ríos Insua, David & Torres-Barrán, Alberto, 2023. "Augmented probability simulation methods for sequential games," European Journal of Operational Research, Elsevier, vol. 306(1), pages 418-430.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    2. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
    4. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 2021. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 23(3), pages 773-790, June.
    5. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    6. Petar Radanliev & David Roure & Max Kleek & Uchenna Ani & Pete Burnap & Eirini Anthi & Jason R. C. Nurse & Omar Santos & Rafael Mantilla Montalvo & La’Treall Maddox, 2021. "Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems: cyber risk at the edge," Environment Systems and Decisions, Springer, vol. 41(2), pages 236-247, June.
    7. David Rios Insua & David Banks & Jesus Rios, 2016. "Modeling Opponents in Adversarial Risk Analysis," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 742-755, April.
    8. J. S. Busby & B. Green & D. Hutchison, 2017. "Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk," Risk Analysis, John Wiley & Sons, vol. 37(7), pages 1298-1314, July.
    9. Charles Vlek, 2013. "How Solid Is the Dutch (and the British) National Risk Assessment? Overview and Decision‐Theoretic Evaluation," Risk Analysis, John Wiley & Sons, vol. 33(6), pages 948-971, June.
    10. Simon Trang & Benedikt Brendel, 2019. "A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research," Information Systems Frontiers, Springer, vol. 21(6), pages 1265-1284, December.
    11. Jorge González-Ortega & Refik Soyer & David Ríos Insua & Fabrizio Ruggeri, 2021. "An Adversarial Risk Analysis Framework for Batch Acceptance Problems," Decision Analysis, INFORMS, vol. 18(1), pages 25-40, March.
    12. González-Ortega, Jorge & Ríos Insua, David & Cano, Javier, 2019. "Adversarial risk analysis for bi-agent influence diagrams: An algorithmic approach," European Journal of Operational Research, Elsevier, vol. 273(3), pages 1085-1096.
    13. Roponen, Juho & Ríos Insua, David & Salo, Ahti, 2020. "Adversarial risk analysis under partial information," European Journal of Operational Research, Elsevier, vol. 287(1), pages 306-316.
    14. César Gil & David Rios Insua & Jesus Rios, 2016. "Adversarial Risk Analysis for Urban Security Resource Allocation," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 727-741, April.
    15. Martin (Dae Youp) Kang & Anat Hovav, 2020. "Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation," Information Systems Frontiers, Springer, vol. 22(1), pages 221-242, February.
    16. repec:cup:judgdm:v:1:y:2006:i::p:162-173 is not listed on IDEAS
    17. Fernandez del Pozo, J. A. & Bielza, C. & Gomez, M., 2005. "A list-based compact representation for large decision tables management," European Journal of Operational Research, Elsevier, vol. 160(3), pages 638-662, February.
    18. Els Hannes & Diana Kusumastuti & Maikel Espinosa & Davy Janssens & Koen Vanhoof & Geert Wets, 2012. "Mental maps and travel behaviour: meanings and models," Journal of Geographical Systems, Springer, vol. 14(2), pages 143-165, April.
    19. Bielza, Concha & Gómez, Manuel & Shenoy, Prakash P., 2011. "A review of representation issues and modeling challenges with influence diagrams," Omega, Elsevier, vol. 39(3), pages 227-241, June.
    20. Zitrou, Athena & Bedford, Tim & Walls, Lesley, 2010. "Bayes geometric scaling model for common cause failure rates," Reliability Engineering and System Safety, Elsevier, vol. 95(2), pages 70-76.
    21. Tan, Kim Hua & Zhan, YuanZhu & Ji, Guojun & Ye, Fei & Chang, Chingter, 2015. "Harvesting big data to enhance supply chain innovation capabilities: An analytic infrastructure based on deduction graph," International Journal of Production Economics, Elsevier, vol. 165(C), pages 223-233.
