Litcius/Paper detail

A Multivariate Model to Quantify and Mitigate Cybersecurity Risk

Mark Bentley, Alec Stephenson, Peter Toscas, Zili Zhu

2020Risks21 citationsDOIOpen Access PDF

Abstract

The cost of cybersecurity incidents is large and growing. However, conventional methods for measuring loss and choosing mitigation strategies use simplifying assumptions and are often not supported by cyber attack data. In this paper, we present a multivariate model for different, dependent types of attack and the effect of mitigation strategies on those attacks. Utilising collected cyber attack data and assumptions on mitigation approaches, we look at an example of using the model to optimise the choice of mitigations. We find that the optimal choice of mitigations will depend on the goal—to prevent extreme damages or damage on average. Numerical experiments suggest the dependence aspect is important and can alter final risk estimates by as much as 30%. The methodology can be used to quantify the cost of cyber attacks and support decision making on the choice of optimal mitigation strategies.

Topics & Concepts

DamagesComputer scienceMultivariate statisticsRisk analysis (engineering)Computer securityCyber-attackBusinessMachine learningLawPolitical scienceInformation and Cyber SecuritySoftware Reliability and Analysis ResearchInfrastructure Resilience and Vulnerability Analysis