Similar literature
20 similar articles found (search time 31 ms)
1.
The role played by information and communication technologies in today's businesses cannot be overstated. While such technological advancements provide numerous advantages and opportunities, they also expose organizations to new challenges such as cyberattacks. This is particularly important for small and medium-sized enterprises (SMEs), which are deemed the least mature and most vulnerable to cybersecurity risks. This research therefore assesses the cyber risks faced by online retailing SMEs (e-tailing SMEs). It draws on a sample of 124 small e-tailers in the United Kingdom and applies a multi-criteria decision analysis (MCDA) method. In total, 28 cyber-oriented risks were identified and grouped into five exhaustive themes: “security,” “dependency,” “employee,” “strategic,” and “legal” risks. An integrated approach combining step-wise weight assessment ratio analysis (SWARA) and the best–worst method (BWM) was then used to develop a risk assessment pathway. The study thus outlines a novel approach to cybersecurity risk management for e-tailing SMEs and discusses its effectiveness and contribution to the cyber risk management literature.
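The SWARA weighting step named above, as an added example that is not code from the study (the authors' survey data and resulting weights are not on this page): the five themes are ranked and given hypothetical comparative-importance values, the SWARA recurrence turns them into normalised weights, and the weights are then used to rank a few constructed risk items by theme weight times likelihood times impact. The BWM part of the paper's approach is not reproduced here.

```python
"""SWARA theme weighting for e-tailing SME cyber risks (added example).

The theme names come from the abstract; the ranking, comparative-importance
values and risk items below are constructed for illustration only.
"""
from typing import Sequence


def swara_weights(criteria: Sequence[str], s: Sequence[float]) -> dict[str, float]:
    """Step-wise Weight Assessment Ratio Analysis (SWARA).

    criteria: names ordered from most to least important (the expert's ranking).
    s: comparative importance of criterion j relative to criterion j-1;
       s[0] is unused because the top-ranked criterion has no predecessor.
    Recurrence: k_j = 1 + s_j (k_1 = 1); q_j = q_{j-1} / k_j (q_1 = 1);
                w_j = q_j / sum(q).
    """
    if not criteria or len(criteria) != len(s):
        raise ValueError("criteria and s must be non-empty and of equal length")
    if any(v < 0 for v in s[1:]):
        raise ValueError("comparative importance values must be non-negative")
    q: list[float] = []
    for j, s_j in enumerate(s):
        if j == 0:
            q.append(1.0)
        else:
            q.append(q[-1] / (1.0 + s_j))
    total = sum(q)
    return {name: q_j / total for name, q_j in zip(criteria, q)}


def weighted_risk_scores(theme_weights: dict[str, float], risk_items):
    """Score each risk as theme weight x likelihood x impact and rank them.

    risk_items: iterable of (risk name, theme, likelihood 1..5, impact 1..5).
    Returns a list of (risk name, score) sorted from highest to lowest score.
    """
    scored = []
    for name, theme, likelihood, impact in risk_items:
        if theme not in theme_weights:
            raise KeyError(f"unknown theme {theme!r} for risk {name!r}")
        scored.append((name, theme_weights[theme] * likelihood * impact))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed inputs, not data from the study.
THEMES = ["security", "dependency", "employee", "strategic", "legal"]
COMPARATIVE_IMPORTANCE = [0.0, 0.25, 0.20, 0.15, 0.10]   # s_j, hypothetical
SAMPLE_RISKS = [
    ("payment page web-skimming", "security", 4, 5),
    ("hosting provider outage", "dependency", 3, 4),
    ("staff falling for phishing", "employee", 4, 3),
    ("under-investment in security", "strategic", 2, 4),
    ("GDPR breach notification failure", "legal", 2, 5),
]

if __name__ == "__main__":
    weights = swara_weights(THEMES, COMPARATIVE_IMPORTANCE)
    for theme, w in weights.items():
        print(f"{theme:<11} {w:.4f}")
    for name, score in weighted_risk_scores(weights, SAMPLE_RISKS):
        print(f"{score:6.3f}  {name}")
```

With these inputs the weights fall off geometrically (security 0.280, dependency 0.224, employee 0.187, strategic 0.162, legal 0.147); the ratio of adjacent weights is exactly 1 + s_j, which is a quick sanity check on any SWARA implementation.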

2.
Recent cyber attacks provide evidence of increased threats to our critical systems and infrastructure. A common reaction to a new threat is to harden the system by adding new rules and regulations. As federal and state governments request new procedures to follow, each of their organizations implements its own cyber defense strategy. This unintentionally increases the time and effort that employees spend on training and policy implementation and decreases the time and latitude available for critical job functions, raising overall levels of stress. People's performance under stress, coupled with an overabundance of information, results in even more vulnerabilities for adversaries to exploit. In this article, we embed a simple regulatory model that accounts for cybersecurity human factors and an organization's regulatory environment in a model of a corporate cyber network under attack. The resulting model demonstrates the effect of under‐ and overregulation on an organization's resilience with respect to insider threats. Currently, there is a tendency to use ad‐hoc approaches to account for human factors rather than to incorporate them into cyber resilience modeling. A systematic approach drawing on behavioral science, which already exists in cyber resilience assessment, would provide a more holistic view for decision makers.

3.
Yacov Y. Haimes 《Risk analysis》2011,31(8):1175-1186
This article highlights the complexity of quantifying the multidimensional risk function, develops five systems‐based premises on quantifying the risk of terrorism to a threatened system, and advocates quantifying vulnerability and resilience through the states of the system. The five premises are: (i) There is interdependence between a specific threat to a system by terrorist networks and the states of the targeted system, as represented through the system's vulnerability, resilience, and criticality‐impact. (ii) A specific threat, its probability, its timing, the states of the targeted system, and the probability of consequences can be interdependent. (iii) The two questions in the risk assessment process, “What is the likelihood?” and “What are the consequences?”, can be interdependent. (iv) Risk management policy options can reduce both the likelihood of a threat to a targeted system and the associated likelihood of consequences by changing the states (including both vulnerability and resilience) of the system. (v) The quantification of risk to a vulnerable system from a specific threat must be built on a systemic and repeatable modeling process, recognizing that the states of the system are an essential step in constructing quantitative metrics of the consequences from intelligence gathering, expert evidence, and other qualitative information. Because the states of all systems are functions of time (among other variables), the time frame is pivotal in each component of risk assessment, management, and communication. Thus, the risk to a system caused by an initiating event (e.g., a threat) is a multidimensional function of the specific threat, its probability and time frame, the states of the system (representing vulnerability and resilience), and the probabilistic multidimensional consequences.

4.
Todd Bridges 《Risk analysis》2011,31(8):1211-1225
Weight of evidence (WOE) methods are key components of ecological and human health risk assessments. Most WOE applications rely on the qualitative integration of diverse lines of evidence (LOE) representing impacts on ecological receptors and humans. Recent calls for transparency in assessments and justifiability of management decisions are pushing the community to consider quantitative methods for integrated risk assessment and management. This article compares and contrasts the type of information required to apply individual WOE techniques and the outcomes they provide in ecological risk assessment, and proposes a multicriteria decision analysis (MCDA) framework for integrating individual LOE in support of management decisions. The use of quantitative WOE techniques is illustrated with a hypothetical but realistic case study of selecting remedial alternatives at a contaminated aquatic site. Formal MCDA does not necessarily eliminate the biases and judgment calls involved in selecting remedial alternatives, but it allows transparent evaluation and fusion of individual LOE. It also provides justifiable methods for selecting remedial alternatives consistent with stakeholder and decision‐maker values.

5.
In November 2001, the Monterey Institute of International Studies convened a workshop on bioterrorism threat assessment and risk management. Risk assessment practitioners from various disciplines, but without specialized knowledge of terrorism, were brought together with security and intelligence threat analysts to stimulate an exchange that could be useful to both communities. This article, prepared by a subset of the participants, comments on the workshop's findings and their implications and makes three recommendations, two short term (use of threat assessment methodologies and vulnerability analysis) and one long term (application of quantitative risk assessment and modeling), regarding the practical application of risk assessment methods to bioterrorism issues.

6.
In December 2015, a cyber‐physical attack took place on the Ukrainian electricity distribution network. This is regarded as one of the first cyber‐physical attacks on electricity infrastructure to have led to a substantial power outage and is illustrative of the increasing vulnerability of Critical National Infrastructure to this type of malicious activity. Few data points, coupled with the rapid emergence of cyber phenomena, have held back the development of resilience analytics for cyber‐physical attacks relative to many other threats. We propose to overcome data limitations by applying stochastic counterfactual risk analysis as part of a new vulnerability assessment framework. The method is developed in the context of the direct and indirect socioeconomic impacts of a Ukrainian‐style cyber‐physical attack on the electricity distribution network serving London and its surrounding regions. A key finding is that if decision‐makers wish to mitigate major population disruptions, they must invest resources more‐or‐less equally across all substations to prevent the scaling of a cyber‐physical attack. However, some substations carry higher economic value because they support other Critical National Infrastructure assets, which justifies allocating additional cyber security investment to them to reduce the chance of cascading failure. Further cyber‐physical vulnerability research must address the tradeoffs inherent in a system made up of multiple institutions with different strategic risk mitigation objectives and metrics of value, such as governments, infrastructure operators, and commercial consumers of infrastructure services.

7.
Risk Analysis for Critical Asset Protection   (cited by 2: 0 self-citations, 2 by others)
This article proposes a quantitative risk assessment and management framework that supports strategic asset-level resource allocation decision making for critical infrastructure and key resource protection. The proposed framework consists of five phases: scenario identification, consequence and criticality assessment, security vulnerability assessment, threat likelihood assessment, and benefit-cost analysis. Key innovations in this methodology include its initial focus on fundamental asset characteristics to generate an exhaustive set of plausible threat scenarios based on a target susceptibility matrix (which we refer to as asset-driven analysis) and an approach to threat likelihood assessment that captures adversary tendencies to shift their preferences in response to security investments based on the expected utilities of alternative attack profiles assessed from the adversary perspective. A notional example is provided to demonstrate an application of the proposed framework. Extensions of this model to support strategic portfolio-level analysis and tactical risk analysis are suggested.
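A minimal illustration of the adversary-perspective likelihood idea in the abstract, added here and not taken from the paper: each attack profile is given an expected utility from the adversary's point of view (probability of success times payoff, minus the adversary's cost), and relative threat likelihoods are taken proportional to positive expected utility, so that a security investment which lowers one profile's success probability shifts the adversary's preference toward the remaining profiles. The profiles, the numbers and the proportional-to-utility rule are assumptions made for this example; the paper's own formulation may differ.

```python
"""Adversary expected-utility model of attack-preference shift (added example).

Illustrative model only: attack profiles, values and the rule that relative
likelihood is proportional to positive expected utility are all assumptions.
"""
from dataclasses import dataclass, replace
from typing import Iterable


@dataclass(frozen=True)
class AttackProfile:
    name: str
    p_success: float   # P(success | attempted) under the current security posture
    payoff: float      # value of a successful attack as the adversary sees it
    cost: float        # adversary's cost/effort to mount the attack, same units

    def expected_utility(self) -> float:
        return self.p_success * self.payoff - self.cost


def relative_likelihoods(profiles: Iterable[AttackProfile]) -> dict[str, float]:
    """Share of adversary preference each profile attracts.

    Assumed rule: proportional to expected utility, with profiles whose
    expected utility is <= 0 treated as not worth attempting (share 0).
    """
    eus = {p.name: max(p.expected_utility(), 0.0) for p in profiles}
    total = sum(eus.values())
    if total == 0.0:
        return {name: 0.0 for name in eus}
    return {name: eu / total for name, eu in eus.items()}


def harden(profiles: Iterable[AttackProfile], target: str,
           new_p_success: float) -> list[AttackProfile]:
    """Model a security investment as a lower success probability for one profile."""
    if not 0.0 <= new_p_success <= 1.0:
        raise ValueError("success probability must lie in [0, 1]")
    return [replace(p, p_success=new_p_success) if p.name == target else p
            for p in profiles]


# Constructed attack profiles for a notional facility; not from the paper.
BASELINE = [
    AttackProfile("control-network intrusion", 0.60, 100.0, 20.0),   # EU 40
    AttackProfile("insider sabotage", 0.30, 100.0, 10.0),            # EU 20
    AttackProfile("physical attack on substation", 0.50, 60.0, 10.0),  # EU 20
]

if __name__ == "__main__":
    before = relative_likelihoods(BASELINE)
    after = relative_likelihoods(harden(BASELINE, "control-network intrusion", 0.25))
    for name in before:
        print(f"{name:<32} before {before[name]:.3f}  after {after[name]:.3f}")
```

Segmenting the control network so that the intrusion profile's success probability drops from 0.60 to 0.25 cuts its share from 0.50 to about 0.11, but the other two profiles each rise from 0.25 to about 0.44: the investment does not reduce total adversary interest, it redistributes it, which is exactly why the abstract ties likelihood assessment to the investment decision rather than treating it as fixed.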

8.
Risk analysis is an essential methodology for cybersecurity, as it allows organizations to deal with the cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as a template for more complex problems.
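To make the shortcoming the abstract refers to concrete, an added example with constructed figures (not from the paper): three risks are scored with a 5x5 likelihood-impact matrix and, alongside, by expected annual loss. Two risks whose expected losses differ by more than an order of magnitude land in the same matrix cell (range compression), and the risk with the largest expected loss is the one the matrix ranks lowest (rank reversal). The bin edges and the risks themselves are assumptions.

```python
"""Risk-matrix score versus expected loss (added example, constructed data)."""
import bisect
from dataclasses import dataclass
from typing import Iterable

# Assumed 5-level scales. A value maps to 1 + (number of edges it is >= ).
LIKELIHOOD_EDGES = [0.05, 0.20, 0.50, 0.80]   # annual probability of occurrence
IMPACT_EDGES = [1e4, 1e5, 1e6, 1e7]            # loss in currency units


def bin_index(value: float, edges: list[float]) -> int:
    """Map a continuous value onto the 1..5 ordinal scale defined by edges."""
    if value < 0:
        raise ValueError("value must be non-negative")
    return bisect.bisect_right(edges, value) + 1


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual probability, 0..1
    loss: float          # loss if the event occurs

    def matrix_score(self) -> int:
        """Classic likelihood x impact cell score (1..25)."""
        return (bin_index(self.probability, LIKELIHOOD_EDGES)
                * bin_index(self.loss, IMPACT_EDGES))

    def expected_loss(self) -> float:
        return self.probability * self.loss


def rank_by_matrix(risks: Iterable[Risk]) -> list[str]:
    """Names ordered by matrix score, highest first (ties keep input order)."""
    return [r.name for r in sorted(risks, key=lambda r: r.matrix_score(), reverse=True)]


def rank_by_expected_loss(risks: Iterable[Risk]) -> list[str]:
    """Names ordered by expected annual loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True)]


# Constructed risks for a small online retailer; figures are invented.
CONSTRUCTED_RISKS = [
    Risk("A-ransomware", 0.45, 950_000),      # bins (3, 3) -> score 9, EL 427,500
    Risk("B-phishing", 0.21, 110_000),        # bins (3, 3) -> score 9, EL  23,100
    Risk("C-payment-db", 0.19, 9_000_000),    # bins (2, 4) -> score 8, EL 1,710,000
]

if __name__ == "__main__":
    for r in CONSTRUCTED_RISKS:
        print(f"{r.name:<14} matrix {r.matrix_score():2d}  expected loss {r.expected_loss():>12,.0f}")
    print("matrix order:        ", rank_by_matrix(CONSTRUCTED_RISKS))
    print("expected-loss order: ", rank_by_expected_loss(CONSTRUCTED_RISKS))
```

A budget allocated by matrix rank here would fund controls for A and B before C, even though C alone carries more expected loss than A and B combined; the framework in the abstract avoids this by working with the underlying probabilities and losses rather than the ordinal cells.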

9.
The purpose of this article is to introduce a risk analysis framework to enhance the cyber security of the electric power grid of the United States and to protect it as critical infrastructure. Building on the fundamental questions of risk assessment and management, this framework aims to advance the current risk analysis discussions pertaining to the electric power grid. Most previous risk-related studies of the electric power grid focus on recovery of the network from hurricanes and other natural disasters. In contrast, a disproportionately small number of studies explicitly investigate the vulnerability of the electric power grid to cyber-attack scenarios and how they could be prevented or mitigated. Such a limited approach leaves the United States vulnerable to foreign and domestic threats (both state-sponsored and “lone wolf”) that could infiltrate a network lacking a comprehensive security environment or coordinated government response. By reviewing the literature and presenting a risk-based framework, this article underscores the need for a coordinated U.S. cyber security effort toward formulating strategies and responses conducive to protecting the nation against attacks on the electric power grid.

10.
This perspectives article addresses risk in cyber defense and identifies opportunities to incorporate risk analysis principles into the cybersecurity field. The Science of Security (SoS) initiative at the National Security Agency seeks to further and promote interdisciplinary research in cybersecurity. SoS organizes its research into the Five Hard Problems (5HP): (1) scalability and composability; (2) policy‐governed secure collaboration; (3) security‐metrics–driven evaluation, design, development, and deployment; (4) resilient architectures; and (5) understanding and accounting for human behavior. However, the vast majority of the research sponsored by SoS does not consider risk, and when it does, only implicitly. We therefore identify opportunities for risk analysis in each hard problem and propose approaches to address these objectives. Such collaborations between risk and cybersecurity researchers will enable growth and insight in both fields: risk analysts may apply existing methodology in a new realm, while the cybersecurity community benefits from accepted practices for describing, quantifying, working with, and mitigating risk.

11.
《Risk analysis》2018,38(2):215-225
The government, private sectors, and other users of the Internet are increasingly faced with the risk of cyber incidents. Damage to computer systems and theft of sensitive data caused by cyber attacks have the potential to result in lasting harm to the entities under attack, or to society as a whole. The effects of cyber attacks are not always obvious, and detecting them is not a simple proposition. Because the U.S. federal government believes that information sharing on cybersecurity issues among organizations is essential to safety, security, and resilience, the importance of trusted information exchange has been emphasized to support public and private decision making by encouraging the creation of the Information Sharing and Analysis Center (ISAC). Through a decision‐theoretic approach, this article provides new perspectives on ISAC and on the advent of the new Information Sharing and Analysis Organizations (ISAOs), which are intended to provide similar benefits to organizations that cannot fit easily into the ISAC structure. To help understand the processes of information sharing against cyber threats, this article illustrates 15 representative information sharing structures between ISAC, government, and other participating entities, and discusses the strategic interactions between different stakeholders. It also identifies the costs of information sharing and information security borne by different parties in this public‐private partnership both before and after cyber attacks, as well as the two main benefits. The article thus provides perspectives on the mechanism of information sharing and some detailed cost–benefit analysis.

12.
Security risk management is essential for ensuring effective airport operations. This article introduces AbSRiM, a novel agent‐based modeling and simulation approach to perform security risk management for airport operations that uses formal sociotechnical models including temporal and spatial aspects. The approach contains four main steps: scope selection, agent‐based model definition, risk assessment, and risk mitigation. It is based on traditional security risk management methodologies, but uses agent‐based modeling and Monte Carlo simulation at its core. Agent‐based modeling is used to model threat scenarios, and Monte Carlo simulations are then performed with this model to estimate security risks. The use of the AbSRiM approach is demonstrated with an illustrative case study, which includes a threat scenario in which an adversary attacks an airport terminal with an improvised explosive device. The approach provides a promising way to include important elements, such as human aspects and spatiotemporal aspects, in the assessment of risk. More research is needed to better identify the strengths and weaknesses of the AbSRiM approach in different case studies, but the results demonstrate the feasibility of the approach and its potential.

13.
《Risk analysis》2018,38(2):226-241
Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options. This requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system‐based for high‐consequence events that have not happened yet. This article first presents a general probabilistic risk analysis framework for cyber security in a given organization. It then describes three examples of forward‐looking analyses motivated by recent cyber attacks. The first is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible high‐consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without the considered countermeasures, in support of risk management decisions based both on past data and on anticipated incidents.

14.
Between 1996 and 1999, five mining subsidence events occurred in the iron-ore field in Lorraine, France, and damaged several hundred buildings. Because thousands of hectares are undermined, an assessment of the vulnerability of buildings and land is necessary for risk management. Risk assessment methods changed from the initial risk management decisions taken immediately after the mining subsidence to the risk assessment studies currently under consideration. These changes reveal much about the complexity of the vulnerability concept and about the difficulty of developing simple and relevant methods for its assessment. The objective of this article is to present this process, suggest improvements on the basis of theoretical definitions of vulnerability, and give an operational example of vulnerability assessment drawn from the seismic field. Vulnerability is divided into three components: weakness, value of the stakes, and resilience. The final improvements take these three components into account and constitute an original method of assessing the vulnerability of a city to subsidence.

15.
Thekdi SA  Lambert JH 《Risk analysis》2012,32(7):1253-1269
Coordination and layering of models to identify risks in complex systems such as large-scale infrastructure of energy, water, and transportation is of current interest across application domains. Such infrastructures are increasingly vulnerable to adjacent commercial and residential land development. Land development can compromise the performance of essential infrastructure systems and increase the costs of maintaining or increasing performance. A risk-informed approach to this topic would be useful to avoid surprise, regret, and the need for costly remedies. This article develops a layering and coordination of models for risk management of land development affecting infrastructure systems. The layers are: system identification, expert elicitation, predictive modeling, comparison of investment alternatives, and implications of current decisions for future options. The modeling layers share a focus on observable factors that most contribute to volatility of land development and land use. The relevant data and expert evidence include current and forecasted growth in population and employment, conservation and preservation rules, land topography and geometries, real estate assessments, market and economic conditions, and other factors. The approach integrates into a decision framework of strategic considerations based on assessing risk, cost, and opportunity in order to prioritize needs and potential remedies that mitigate impacts of land development on the infrastructure systems. The approach is demonstrated for a 5,700-mile multimodal transportation system adjacent to 60,000 tracts of potential land development.

16.
Security assurance across maritime trading systems is a critical factor for international business managers and in the evolution of international trade generally. A number of initiatives are underway focusing on security issues in ports and ships (International Ship & Port Security Code), customs inspections in international ports (Container Security Initiative), and whole-of-supply-chain outcomes (Customs & Trade Partnership against Terrorism). The main purpose of these initiatives is to reduce the likelihood of maritime-vectored terrorism; however, inappropriate implementation of these programs could affect competitiveness. This paper suggests that the complexity of interaction between ports, maritime operations, and supply chains creates vulnerabilities that require analysis extending beyond the structured requirements of these initiatives, and that this creates significant management challenges. The paper also highlights the need for enhanced crisis management capabilities within ports as part of a standard management repertoire and suggests a new classification scheme for mapping vulnerability within ports and across supply networks. It concludes that there is a need to examine the goodness-of-fit of these security initiatives against business efficiency and competitiveness, and to consider the training needs for crisis management capabilities that will allow private and public sector groups involved in global trade to effectively mitigate the threat of maritime terrorism and loss of competitiveness.

17.
To address the problem of evaluating the vulnerability of outsourced information systems, this article proposes an index system for information-system vulnerability covering two aspects: technical vulnerability and management vulnerability. On that basis it sets out an evaluation procedure for outsourced information systems and constructs a two-dimensional evaluation matrix model based on technical and management vulnerability. Finally, a case study of e-commerce outsourcing at a manufacturing enterprise is used to show that the evaluation model is sound and effective.

18.
Spatial decision-support tools are necessary for assessment and management of threats to biodiversity, which in turn is necessary for biodiversity conservation. In conjunction with the U.S. Geological Survey-Biological Resources Division's Species at Risk program, we developed a GIS-based spatial decision-support tool for relative risk assessments of threats to biodiversity on the U.S. Army's White Sands Missile Range and Fort Bliss (New Mexico and Texas) due to land uses associated with the military missions of the two bases. The project tested the use of spatial habitat models, land-use scenarios, and species-specific impacts to produce an assessment of relative risks for use in conservation planning on the 1.2 million-hectare study region. Our procedure allows spatially explicit analyses of risks to multiple species from multiple sources by identifying a set of hazards faced by all species of interest, identifying a set of feasible management alternatives, assigning scores to each species for each hazard, and mapping the distribution of these hazard scores across the region of interest for each combination of species and management alternative. We illustrate the procedure with examples. We demonstrate that our risk-based approach to conservation planning can provide resource managers with a useful tool for spatial assessment of threats to species of concern.

19.
《Risk analysis》2018,38(9):1772-1780
Regulatory agencies have long adopted a three‐tier framework for risk assessment. We build on this structure to propose a tiered approach for resilience assessment that can be integrated into existing regulatory processes. Comprehensive approaches to assessing resilience at appropriate and operational scales, reconciling analytical complexity as needed with stakeholder needs and the resources available, and ultimately creating actionable recommendations to enhance resilience are still lacking. Our proposed framework consists of tiers by which analysts can select resilience assessment and decision support tools to inform associated management actions relative to the scope and urgency of the risk and the capacity of resource managers to improve system resilience. The proposed resilience management framework is not intended to supplant either risk management or the many existing efforts to develop resilience quantification methods, but instead to provide a guide to selecting tools that are appropriate for the given analytic need. The goal of this tiered approach is to intentionally parallel the tiered approach used in regulatory contexts so that resilience assessment might be more easily and quickly integrated into existing structures and existing policies.

20.
As a result of global competition, international companies that manufacture photocopiers, printers, or car navigation systems have to purchase low-cost electronic components such as semiconductors and hard disk drives by outsourcing production. However, it is often difficult for these companies to evaluate the quality of their suppliers through interviews and technical documentation. This article proposes new measures for supplier assessment and a systematic approach to selecting suppliers that have in-depth knowledge of component reliability and technology. The selection measures cover not only the physical quality of components but also the information disclosures provided by suppliers, consisting of failure analysis, reliability data, and details of the design and manufacturing process. The proposed measures are applied to real data from photocopier manufacturing enterprises. The experiments show that a systematic assessment enables the selection of appropriate suppliers with a lower failure rate.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号