Similar literature
20 similar documents found.
1.
Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.

2.
Qualitative systems for rating animal antimicrobial risks using ordered categorical labels such as “high,” “medium,” and “low” can potentially simplify risk assessment input requirements used to inform risk management decisions. But do they improve decisions? This article compares the results of qualitative and quantitative risk assessment systems and establishes some theoretical limitations on the extent to which they are compatible. In general, qualitative risk rating systems satisfying conditions found in real-world rating systems and guidance documents and proposed as reasonable make two types of errors: (1) Reversed rankings, i.e., assigning higher qualitative risk ratings to situations that have lower quantitative risks; and (2) Uninformative ratings, e.g., frequently assigning the most severe qualitative risk label (such as “high”) to situations with arbitrarily small quantitative risks and assigning the same ratings to risks that differ by many orders of magnitude. Therefore, despite their appealing consensus-building properties, flexibility, and appearance of thoughtful process in input requirements, qualitative rating systems as currently proposed often do not provide sufficient information to discriminate accurately between quantitatively small and quantitatively large risks. The value of information (VOI) that they provide for improving risk management decisions can be zero if most risks are small but a few are large, since qualitative ratings may then be unable to confidently distinguish the large risks from the small. These limitations suggest that it is important to continue to develop and apply practical quantitative risk assessment methods, since qualitative ones are often unreliable.

3.
Ten years ago, the National Academy of Science released its risk assessment/risk management (RA/RM) “paradigm” that served to crystallize much of the early thinking about these concepts. By defining RA as a four-step process, operationally independent from RM, the paradigm has presented society with a scheme, or a conceptually common framework, for addressing many risky situations (e.g., carcinogens, noncarcinogens, and chemical mixtures). The procedure has facilitated decision-making in a wide variety of situations and has identified the most important research needs. The past decade, however, has revealed that additional progress is needed. These areas include addressing the appropriate interaction (not isolation) between RA and RM, improving the methods for assessing risks from mixtures, dealing with “adversity of effect,” deciding whether “hazard” should imply an exposure to environmental conditions or to laboratory conditions, and evolving the concept to include both health and ecological risk. Interest in and expectations of risk assessment are increasing rapidly. The emerging concept of “comparative risk” (i.e., distinguishing between large risks and smaller risks that may be qualitatively different) is at a level comparable to that held by the concept of “risk” just 10 years ago. Comparative risk stands in need of a paradigm of its own, especially given the current economic limitations. “Times are tough; Brother, can you paradigm?”

4.
This perspectives article addresses risk in cyber defense and identifies opportunities to incorporate risk analysis principles into the cybersecurity field. The Science of Security (SoS) initiative at the National Security Agency seeks to further and promote interdisciplinary research in cybersecurity. SoS organizes its research into the Five Hard Problems (5HP): (1) scalability and composability; (2) policy-governed secure collaboration; (3) security-metrics-driven evaluation, design, development, and deployment; (4) resilient architectures; and (5) understanding and accounting for human behavior. However, a vast majority of the research sponsored by SoS does not consider risk and, when it does so, only implicitly. Therefore, we identify opportunities for risk analysis in each hard problem and propose approaches to address these objectives. Such collaborations between risk and cybersecurity researchers will enable growth and insight in both fields, as risk analysts may apply existing methodology in a new realm, while the cybersecurity community benefits from accepted practices for describing, quantifying, working with, and mitigating risk.

5.
The printing press was a game-changing information technology. Risk assessment could be also. At present, risk assessments are commonly used as one-time decision aids: they provide justification for a particular decision, and afterwards usually sit on a shelf. However, when viewed as information technologies, their potential uses are much broader. Risk assessments: (1) are repositories of structured information and a medium for communication; (2) embody evaluative structures for setting priorities; (3) can preserve information over time and permit asynchronous communication, thus encouraging learning and adaptation; and (4) explicitly address uncertain futures. Moreover, because of their “what-if” capabilities, risk assessments can serve as a platform for constructive discussion among parties that hold different values. The evolution of risk assessment in the nuclear industry shows how such attributes have been used to lower core-melt risks substantially through improved templates for maintenance and more effective coordination with regulators (although risk assessment has been less commonly used in improving emergency-response capabilities). The end result of this evolution in the nuclear industry has been the development of “living” risk assessments that are updated more or less in real time to answer even routine operational questions. Similar but untapped opportunities abound for the use of living risk assessments to reduce risks in small operational decisions as well as large policy decisions in other areas of hazard management. They can also help improve understanding of and communication about risks, and future risk assessment and management. Realization of these opportunities will require significant changes in incentives and active promotion by the risk analytic community.

6.
Risk analysis is an essential methodology for cybersecurity, as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as a template for more complex problems.

7.
In recent years, there have been growing concerns regarding risks in federal information technology (IT) supply chains in the United States that protect cyber infrastructure. A critical need faced by decisionmakers is to prioritize investment in security mitigations to maximally reduce risks in IT supply chains. We extend existing stochastic expected budgeted maximum multiple coverage models that identify “good” solutions on average that may be unacceptable in certain circumstances. We propose three alternative models that consider different robustness methods that hedge against worst-case risks, including models that maximize the worst-case coverage, minimize the worst-case regret, and maximize the average coverage in the (1 − α) worst cases (conditional value at risk). We illustrate the solutions to the robust methods with a case study and discuss the insights their solutions provide into mitigation selection compared to an expected-value maximizer. Our study provides valuable tools and insights for decisionmakers with different risk attitudes to manage cybersecurity risks under uncertainty.

8.
Compared with large and medium-sized enterprises, a deteriorating economic environment or the shock of a sudden event makes the asset value of small and medium-sized enterprises (SMEs) more prone to sharp declines: not only does the default risk of an individual enterprise rise sharply, but the default correlation between enterprises also increases markedly. However, the way default risk changes still differs considerably across different types of SMEs. To better measure SME default risk and analyze its correlation and heterogeneity, this paper, under the assumption that asset value follows a jump-diffusion process, combines the contingent claims analysis method, portfolio default risk analysis, and the systematic volatility risk measure β, decomposing default risk into a systematic component and an idiosyncratic component. The larger the systematic component, the more susceptible the enterprise's default risk is to the external economic environment and to correlated default risk. The larger the idiosyncratic component, the more the enterprise's default risk is related to its own idiosyncratic characteristics. Empirical research shows that default risk component analysis explains the correlation and heterogeneity of SME default risk well and is helpful for the classified management of default risk.

9.
The purpose of this article is to introduce a risk analysis framework to enhance the cyber security of and to protect the critical infrastructure of the electric power grid of the United States. Building on the fundamental questions of risk assessment and management, this framework aims to advance the current risk analysis discussions pertaining to the electric power grid. Most of the previous risk-related studies on the electric power grid focus mainly on the recovery of the network from hurricanes and other natural disasters. In contrast, a disproportionately small number of studies explicitly investigate the vulnerability of the electric power grid to cyber-attack scenarios, and how they could be prevented or mitigated. Such a limited approach leaves the United States vulnerable to foreign and domestic threats (both state-sponsored and “lone wolf”) to infiltrate a network that lacks a comprehensive security environment or coordinated government response. By conducting a review of the literature and presenting a risk-based framework, this article underscores the need for a coordinated U.S. cyber security effort toward formulating strategies and responses conducive to protecting the nation against attacks on the electric power grid.

10.
Ted W. Yellman, Risk Analysis, 2016, 36(6):1072-1078
Some of the terms used in risk assessment and management are poorly and even contradictorily defined. One such term is “event,” which arguably describes the most basic of all risk-related concepts. The author cites two contemporary textbook interpretations of “event” that he contends are incorrect and misleading. He then examines the concept of an event in A. N. Kolmogorov's probability axioms and in several more-current textbooks. Those concepts are found to be too narrow for risk assessments and inconsistent with the actual usage of “event” by risk analysts. The author goes on to define and advocate linguistic definitions of events (as opposed to mathematical definitions)—definitions constructed from natural language. He argues that they should be recognized for what they are: the de facto primary method of defining events.

11.
SME collective bonds are a distinctive “many grains of sand build a pagoda” type of financing innovation in Chinese practice. The literature has not yet provided a systematic theoretical summary or empirical analysis of this innovation. This paper is the first to propose the core mechanism of collective bonds, namely the “dual capability” theory of the lead organizer: resource mobilization capability and supervisory capability. Using a sample of collective bonds issued between 2006 and 2017 and a hand-collected sample of collective bond issuers, the empirical results show that (1) the average issuer rating of collective bonds is BBB, whereas the average rating of standalone bond issuers in the matched sample is A. This tests the lead organizer's resource mobilization capability theory: collective bonds enable SMEs that would have difficulty issuing bonds on their own to obtain direct financing, breaking through the ceiling of bond-market financing and achieving a leap “from 0 to 1.” (2) Difference-in-differences estimates show that the issuance of SME collective bonds promotes improvements in the operating efficiency of the issuing enterprises. This tests the lead organizer's supervisory capability theory. It is further found that a local specialized SME administration department acting as lead organizer promotes operating efficiency more than a local government acting as lead organizer. We recommend wider adoption of the innovative financing model of SME collective bonds with local specialized administration departments as lead organizer.

12.
Major infrastructure projects are strategic, integrated, and complex, and are easily subject to the combined influence of multiple risk factors, leading to deviation from project objectives. Existing risk assessment and risk decision-making methods lack analysis of the linkages between risk factors and risk events. To achieve a comprehensive, systemic risk assessment of major infrastructure construction projects, this paper adopts the meta-network analysis method to construct an interaction model of project objectives, risk events, and risk factors, revealing the black-box process by which risk events in major infrastructure arise. During risk assessment, the influence of each risk factor on the various risk events and on each project objective is analyzed through the superposition of multiple networks, improving on previous risk assessment methods that only considered the single-level influence of risk factors. The applicability of the method is verified using the risk assessment process for the comparison and selection of schemes for a dam transit transport project at a river hydropower station in China.

13.
Recently Kasperson et al.(6) have proposed a conceptual framework, “The Social Amplification of Risk,” as a beginning step in developing a comprehensive theory of public experience of risk. A central goal of their effort is to systematically link technical assessments of risk with the growing findings from social scientific research. A key and growing domain of public risk experience is “desired” risk, but this is virtually neglected in the framework. This paper evaluates the scope of the “Social Amplification of Risk Framework,” asking whether it is applicable to desired risks, such as risk recreation (hang gliding, mountain climbing, and so forth). The analysis is supportive of the framework's applicability to the domain of desired risk.

14.
Many scientists, activists, regulators, and politicians have expressed urgent concern that using antibiotics in food animals selects for resistant strains of bacteria that harm human health and bring nearer a “postantibiotic era” of multidrug resistant “super-bugs.” Proposed political solutions, such as the Preservation of Antibiotics for Medical Treatment Act (PAMTA), would ban entire classes of subtherapeutic antibiotics (STAs) now used for disease prevention and growth promotion in food animals. The proposed bans are not driven by formal quantitative risk assessment (QRA), but by a perceived need for immediate action to prevent potential catastrophe. Similar fears led to STA phase-outs in Europe a decade ago. However, QRA and empirical data indicate that continued use of STAs in the United States has not harmed human health, and bans in Europe have not helped human health. The fears motivating PAMTA contrast with QRA estimates of vanishingly small risks. As a case study, examining specific tetracycline uses and resistance patterns suggests that there is no significant human health hazard from continued use of tetracycline in food animals. Simple hypothetical calculations suggest an unobservably small risk (between 0 and 1.75E-11 excess lifetime risk of a tetracycline-resistant infection), based on the long history of tetracycline use in the United States without resistance-related treatment failures. QRAs for other STA uses in food animals also find that human health risks are vanishingly small. Whether such QRA calculations will guide risk management policy for animal antibiotics in the United States remains to be seen.

15.
We review approaches for characterizing “peak” exposures in epidemiologic studies and methods for incorporating peak exposure metrics in dose–response assessments that contribute to risk assessment. The focus was on potential etiologic relations between environmental chemical exposures and cancer risks. We searched the epidemiologic literature on environmental chemicals classified as carcinogens in which cancer risks were described in relation to “peak” exposures. These articles were evaluated to identify some of the challenges associated with defining and describing cancer risks in relation to peak exposures. We found that definitions of peak exposure varied considerably across studies. Of nine chemical agents included in our review of peak exposure, six had epidemiologic data used by the U.S. Environmental Protection Agency (US EPA) in dose–response assessments to derive inhalation unit risk values. These were benzene, formaldehyde, styrene, trichloroethylene, acrylonitrile, and ethylene oxide. All derived unit risks relied on cumulative exposure for dose–response estimation and none, to our knowledge, considered peak exposure metrics. This is not surprising, given the historical linear no-threshold default model (generally based on cumulative exposure) used in regulatory risk assessments. With newly proposed US EPA rule language, fuller consideration of alternative exposure and dose–response metrics will be supported. “Peak” exposure has not been consistently defined and rarely has been evaluated in epidemiologic studies of cancer risks. We recommend developing uniform definitions of “peak” exposure to facilitate fuller evaluation of dose response for environmental chemicals and cancer risks, especially where mechanistic understanding indicates that the dose response is unlikely linear and that short-term high-intensity exposures increase risk.

16.
The Petroleum Safety Authority Norway (PSA-N) has recently adopted a new definition of risk: “the consequences of an activity with the associated uncertainty.” The PSA-N has also been using “deficient risk assessment” for some time as a basis for assigning nonconformities in audit reports. This creates an opportunity to study the link between risk perspective and risk assessment quality in a regulatory context, and, in the present article, we take a hard look at the term “deficient risk assessment” both normatively and empirically. First, we perform a conceptual analysis of how a risk assessment can be deficient in light of a particular risk perspective consistent with the new PSA-N risk definition. Then, we examine the usages of the term “deficient” in relation to risk assessments in PSA-N audit reports and classify these into a set of categories obtained from the conceptual analysis. At an overall level, we were able to identify on what aspects of the risk assessment the PSA-N is focusing and where deficiencies are being identified in regulatory practice. A key observation is that there is a diversity in how the agency officials approach the risk assessments in audits. Hence, we argue that improving the conceptual clarity of what the authorities characterize as “deficient” in relation to the uncertainty-based risk perspective may contribute to the development of supervisory practices and, eventually, potentially strengthen the learning outcome of the audit reports.

17.
This study attempted to verify and extend previous research on people's perceptions of the risks and benefits of technology and their judgments concerning the acceptability of technology safety regulations. The study addressed several limitations of prior work, in that: (1) it was the first “expressed-preference” study to collect data from large, representative samples of Americans; (2) the research design made “person,” rather than “technology,” the unit of statistical analysis; and (3) the study employed an expanded set of independent variables, including three qualitative benefit characteristics. The results confirmed several major conclusions of prior expressed-preference research, the most important being that members of the public tend to define “risks,” “benefits,” and “acceptability” in a complex, multidimensional manner; and that their definitions differ significantly from those used by professional risk-managers and other technical experts in quantitative assessments of risk and acceptability. The results also indicated that people's stances toward technology regulation tend to cut across traditional sociodemographic lines.

18.
To aid in their safety oversight of large-scale, potentially dangerous energy and water infrastructure and transportation systems, public utility regulatory agencies increasingly seek to use formal risk assessment models. Yet some of the approaches to risk assessment used by utilities and their regulators may be less useful for this purpose than is supposed. These approaches often do not reflect the current state of the art in risk assessment strategy and methodology. This essay explores why utilities and regulatory agencies might embrace risk assessment techniques that do not sufficiently assess organizational and managerial factors as drivers of risk, or that do not adequately represent important uncertainties surrounding risk calculations. Further, it describes why, in the special legal, political, and administrative world of the typical public utility regulator, strategies to identify and mitigate formally specified risks might actually diverge from the regulatory promotion of “safety.” Some improvements are suggested that can be made in risk assessment approaches to support more fully the safety oversight objectives of public regulatory agencies, with examples from “high-reliability organizations” (HROs) that have successfully merged the management of safety with the management of risk. Finally, given the limitations of their current risk assessments and the lessons from HROs, four specific assurances are suggested that regulatory agencies should seek for themselves and the public as objectives in their safety oversight of public utilities.

19.
Jun Sekizawa, Risk Analysis, 2013, 33(11):1952-1957
Scientific risk estimates of BSE can be the same internationally; however, socioeconomic backgrounds, such as food supply (e.g., beef import status) and dietary life, differ between East Asian countries (in this article, Japan, Korea, and Taiwan) and Western countries, which may account for differences in people's risk perception. Since political and social backgrounds also differ among these East Asian countries, they will also influence people's attitudes toward food safety. Psychological factors such as “dread” and the “unknown” are considered to be important in risk perception, but socioeconomic, and in some cases political, situations (e.g., attitudes of politicians and political pressures in trade) may strongly influence the perception and acceptance of various risks by citizens. With regard to the BSE issues, the latter aspects may contribute a great deal to risk perception, but have not been examined in depth until now. Although protection of health is the key element of food safety, business factors can sometimes overwhelm safety issues in international trade. Appropriate risk governance in food safety issues such as BSE can be attained not only through application of the outputs of scientific assessment, but also through deliberation of the various aspects that may have a strong influence on people's risk perception, and through improved communication among stakeholders and also among countries.

20.
The failure to foresee the catastrophic earthquakes, tsunamis, and nuclear accident of 2011 has been perceived by many in Japan as a fundamental shortcoming of modern disaster risk science. Hampered by a variety of cognitive and institutional biases, the conventional disaster risk management planning based on the “known risks” led to the cascading failures of the interlinked disaster risk management (DRM) apparatus. This realization led to a major rethinking in the use of science for policy and the incorporation of lessons learned in the country's new DRM policy. This study reviews publicly available documents on expert committee discussions and scientific articles to identify what continuities and changes have been made in the use of scientific knowledge in Japanese risk management. In general, the prior influence of cognitive bias (e.g., overreliance on documented hazard risks) has been largely recognized, and increased attention is now being paid to the incorporation of less documented but known risks. This has led to upward adjustments in estimated damages from future risks and recognition of the need for further strengthening of DRM policy. At the same time, there remains significant continuity in the way scientific knowledge is perceived to provide sufficient and justifiable grounds for the development and implementation of DRM policy. The emphasis on “evidence-based policy” in earthquake and tsunami risk reduction measures continues, despite the critical reflections of a group of scientists who advocate for a major rethinking of the country's science-policy institution respecting the limitations of the current state of science.
