Similar documents
20 similar documents found (search time: 15 ms)
1.
Risk Analysis 2018, 38(2):226-241
Managing cyber security in an organization involves allocating the protection budget across a spectrum of possible options, which requires assessing the benefits and the costs of these options. The risk analyses presented here are statistical when relevant data are available, and system-based for high-consequence events that have not happened yet. This article presents, first, a general probabilistic risk analysis framework for cyber security in an organization, to be specified for each case. It then describes three examples of forward-looking analyses motivated by recent cyber attacks. The first is the statistical analysis of an actual database, extended at the upper end of the loss distribution by a Bayesian analysis of possible high-consequence attack scenarios that may happen in the future. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity. The third is an analysis of sequential decisions to upgrade the software of an existing cyber security system or to adopt a new one, in order to stay ahead of adversaries trying to find their way in. The results are distributions of losses to cyber attacks, with and without the countermeasures considered, in support of risk management decisions based both on past data and on anticipated incidents.

2.
Wind power is becoming an increasingly important part of the global energy portfolio, and there is growing interest in developing offshore wind farms in the United States to better utilize this resource. Wind farms have certain environmental benefits, notably near-zero emissions of greenhouse gases, particulates, and other contaminants of concern. However, there are significant challenges ahead in achieving large-scale integration of wind power in the United States, particularly offshore wind. Environmental impacts from wind farms are a concern, and these are the subject of a number of ongoing studies focused on risks to the environment. However, once a wind farm is built, the farm itself will face a number of risks from a variety of hazards, and managing these risks is critical to the ultimate achievement of long-term reductions in pollutant emissions from clean energy sources such as wind. No integrated framework currently exists for assessing risks to offshore wind farms in the United States, which poses a challenge for wind farm risk management. In this "Perspective", we provide an overview of the risks faced by an offshore wind farm, argue that an integrated framework is needed, and give a preliminary starting point for such a framework to illustrate what it might look like. This is not a final framework; substantial work remains. Our intention here is to highlight the research need in this area in the hope of spurring additional research about the risks to wind farms to complement the substantial amount of ongoing research on the risks from wind farms.

3.
We study interdependent risks in security, and shed light on the economic and policy implications of increasing security interdependence in the presence of reactive attackers. We investigate the impact of potential public policy arrangements on the security of a group of interdependent organizations, namely, airports. Focusing on security expenditures and costs to society, as assessed by a social planner, to individual airports and to attackers, we first develop a game-theoretic framework, and derive explicit Nash equilibrium and socially optimal solutions in the airports network. We then conduct numerical experiments mirroring real-world cyber scenarios, to assess how a change in interdependence impacts the airports' security expenditures, the overall expected costs to society, and the fairness of security financing. Our study provides insights into the economic and policy implications for the United States, Europe, and Asia.

4.
Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with the cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as a template for more complex problems.

5.
The article is based on the premise that, from a macro-economic viewpoint, cyber attacks with long-lasting effects are the most economically significant, and as a result require more attention than attacks with short-lasting effects that have historically been more represented in literature. In particular, the article deals with evaluation of cyber security risks related to one type of attack with long-lasting effects, namely, theft of intellectual property (IP) by foreign perpetrators. An International Consequence Analysis Framework is presented to determine (1) the potential macro-economic consequences of cyber attacks that result in stolen IP from companies in the United States, and (2) the likely sources of such attacks. The framework presented focuses on IP theft that enables foreign companies to make economic gains that would have otherwise benefited the U.S. economy. Initial results are presented.

6.
In December 2015, a cyber-physical attack took place on the Ukrainian electricity distribution network. This is regarded as one of the first cyber-physical attacks on electricity infrastructure to have led to a substantial power outage and is illustrative of the increasing vulnerability of Critical National Infrastructure to this type of malicious activity. Few data points, coupled with the rapid emergence of cyber phenomena, have held back the development of resilience analytics for cyber-physical attacks, relative to many other threats. We propose to overcome data limitations by applying stochastic counterfactual risk analysis as part of a new vulnerability assessment framework. The method is developed in the context of the direct and indirect socioeconomic impacts of a Ukrainian-style cyber-physical attack taking place on the electricity distribution network serving London and its surrounding regions. A key finding is that if decision-makers wish to mitigate major population disruptions, then they must invest resources more or less equally across all substations, to prevent the scaling of a cyber-physical attack. However, some substations are associated with higher economic value due to their support of other Critical National Infrastructure assets, which justifies the allocation of additional cyber security investment to reduce the chance of cascading failure. Further cyber-physical vulnerability research must address the tradeoffs inherent in a system made up of multiple institutions with different strategic risk mitigation objectives and metrics of value, such as governments, infrastructure operators, and commercial consumers of infrastructure services.

7.
This article presents a framework for using probabilistic terrorism risk modeling in regulatory analysis. We demonstrate the framework with an example application involving a regulation under consideration, the Western Hemisphere Travel Initiative for the Land Environment (WHTI-L). First, we estimate annualized loss from terrorist attacks with the Risk Management Solutions (RMS) Probabilistic Terrorism Model. We then estimate the critical risk reduction, which is the risk-reducing effectiveness of WHTI-L needed for its benefit, in terms of reduced terrorism loss in the United States, to exceed its cost. Our analysis indicates that the critical risk reduction depends strongly not only on uncertainties in the terrorism risk level, but also on uncertainty in the cost of regulation and how casualties are monetized. For a terrorism risk level based on the RMS standard risk estimate, the baseline regulatory cost estimate for WHTI-L, and a range of casualty cost estimates based on the willingness-to-pay approach, our estimate for the expected annualized loss from terrorism ranges from $2.7 billion to $5.2 billion. For this range in annualized loss, the critical risk reduction for WHTI-L ranges from 7% to 13%. Basing results on a lower risk level that halves the annualized terrorism loss would double the critical risk reduction (14–26%), and basing the results on a higher risk level that doubles the annualized terrorism loss would cut the critical risk reduction in half (3.5–6.6%). Ideally, decisions about terrorism security regulations and policies would be informed by true benefit-cost analyses in which the estimated benefits are compared to costs. Such analyses for terrorism security efforts face substantial impediments stemming from the great uncertainty in the terrorist threat and the very low recurrence interval for large attacks.
Several approaches can be used to estimate how a terrorism security program or regulation reduces the distribution of risks it is intended to manage. But continued research to develop additional tools and data is necessary to support application of these approaches. This includes refinement of models and simulations, engagement of subject matter experts, implementation of program evaluation, and estimating the costs of casualties from terrorism events.

8.
The role played by information and communication technologies in today's businesses cannot be overstated. While such technological advancements provide numerous advantages and opportunities, they are known to threaten organizations with new challenges such as cyberattacks. This is particularly important for small and medium-sized enterprises (SMEs), which are deemed to be the least mature and highly vulnerable to cybersecurity risks. This research is therefore set to assess the cyber risks in online retailing SMEs (e-tailing SMEs). The article employs a sample of 124 small e-tailers in the United Kingdom and takes advantage of a multi-criteria decision analysis (MCDA) method. We identified 28 cyber-oriented risks in five exhaustive themes: "security," "dependency," "employee," "strategic," and "legal" risks. Subsequently, an integrated approach using step-wise weight assessment ratio analysis (SWARA) and the best–worst method (BWM) has been employed to develop a pathway of risk assessment. As such, the current study outlines a novel approach toward cybersecurity risk management for e-tailing SMEs and discusses its effectiveness and contributions to the cyber risk management literature.

9.
In this article, we model electric power delivery networks as graphs, and conduct studies of two power transmission grids, i.e., the Nordic and the western states (U.S.) transmission grids. We calculate values of topological (structural) characteristics of the networks and compare their error and attack tolerance (structural vulnerability), i.e., their performance when vertices are removed, with two frequently used theoretical reference networks (the Erdős–Rényi random graph and the Barabási–Albert scale-free network). Further, we perform a structural vulnerability analysis of a fictitious electric power network with simple structure. In this analysis, different strategies to decrease the vulnerability of the system are evaluated. Finally, we present a discussion on the practical applicability of graph modeling.
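The vertex-removal experiment this abstract describes, as an added stand-alone Python example (this is not code from the paper): it builds the two reference networks, Erdős–Rényi and Barabási–Albert, removes vertices either at random ("errors") or highest-degree-first with degrees recomputed after every cut ("attacks"), and reports the largest connected component as a fraction of the original vertex count, which is the usual structural-vulnerability measure. The 200-vertex size, m = 2 for the Barabási–Albert graph, the matching of the Erdős–Rényi mean degree to it, the removal fractions, the seed and the stdlib-only generators are all assumptions made for this example; the paper's real inputs, the Nordic and western-US transmission grids, are not reproduced here.

```python
import random
from collections import deque


def erdos_renyi(n, p, seed=0):
    """G(n, p): each vertex pair is joined independently with probability p."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def barabasi_albert(n, m, seed=0):
    """Preferential attachment: start from a complete graph on m + 1 vertices, then
    each new vertex links to m distinct existing vertices chosen in proportion to degree."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    endpoints = []  # one entry per edge endpoint, so sampling is degree-weighted
    for u in range(m + 1):
        for v in range(u + 1, m + 1):
            adj[u].add(v)
            adj[v].add(u)
            endpoints += [u, v]
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(endpoints))
        for v in chosen:
            adj[new].add(v)
            adj[v].add(new)
            endpoints += [new, v]
    return adj


def edge_count(adj):
    return sum(len(nb) for nb in adj.values()) // 2


def largest_component(adj):
    """Number of vertices in the largest connected component (plain BFS)."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best


def remove_vertex(adj, v):
    """A vertex removal models an outage: drop v and every edge incident to it."""
    for w in adj.pop(v):
        adj[w].discard(v)


def vulnerability_curve(adj, strategy, fractions, seed=0):
    """Largest-component size as a fraction of the original vertex count after removing
    each given (increasing) fraction of vertices.  'random' = errors (random failures);
    'degree' = attacks that always cut the vertex with the highest current degree."""
    g = {v: set(nb) for v, nb in adj.items()}  # work on a copy, keep the input intact
    n = len(g)
    order = list(g)
    random.Random(seed).shuffle(order)  # failure order used by the 'random' strategy
    removed, curve = 0, []
    for f in fractions:
        while removed < int(round(f * n)) and g:
            if strategy == "random":
                v = order[removed]
            elif strategy == "degree":
                v = max(g, key=lambda x: (len(g[x]), -x))  # deterministic tie-break
            else:
                raise ValueError("unknown strategy: %s" % strategy)
            remove_vertex(g, v)
            removed += 1
        curve.append(largest_component(g) / n)
    return curve


def compare_tolerance(n=200, m=2, seed=7):
    """Both strategies on both reference networks; the ER graph is given the same mean
    degree as the BA graph so that only the degree distribution differs between them."""
    fractions = [0.0, 0.05, 0.1, 0.2, 0.3, 0.4, 0.5]
    ba = barabasi_albert(n, m, seed)
    er = erdos_renyi(n, 2 * edge_count(ba) / (n * (n - 1)), seed)
    results = {}
    for name, graph in (("erdos_renyi", er), ("barabasi_albert", ba)):
        results[name] = {s: vulnerability_curve(graph, s, fractions, seed)
                         for s in ("random", "degree")}
    return fractions, results


if __name__ == "__main__":
    fractions, results = compare_tolerance()
    print("removed fraction:        ", " ".join("%.2f" % f for f in fractions))
    for name, curves in results.items():
        for strategy, curve in curves.items():
            print("%-16s %-8s" % (name, strategy), " ".join("%.2f" % x for x in curve))
```

Running the script prints one row per network and strategy. The pattern the paper's comparison rests on shows up directly: the scale-free (Barabási–Albert) graph keeps a large component under random failures but collapses once the few hubs are attacked, while the Erdős–Rényi graph degrades at a similar rate under both strategies because it has no hubs to target. A real grid model would replace `barabasi_albert`/`erdos_renyi` with an adjacency dict built from substation and line data, and the `degree` strategy with whatever centrality the analyst expects an attacker to exploit.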

10.
Several major risk studies have been performed in recent years in the maritime transportation domain. These studies have had significant impact on management practices in the industry. The first, the Prince William Sound risk assessment, was reviewed by the National Research Council and found to be promising but incomplete, as the uncertainty in its results was not assessed. The difficulty in assessing this uncertainty is the different techniques that need to be used to model risk in this dynamic and data-scarce application area. In previous articles, we have developed the two pieces of methodology necessary to assess uncertainty in maritime risk assessment, a Bayesian simulation of the occurrence of situations with accident potential and a Bayesian multivariate regression analysis of the relationship between factors describing these situations and expert judgments of accident risk. In this article, we combine the methods to perform a full-scale assessment of risk and uncertainty for two case studies. The first is an assessment of the effects of proposed ferry service expansions in San Francisco Bay. The second is an assessment of risk for the Washington State Ferries, the largest ferry system in the United States.

11.
Many large organizations accomplish their various functions through interactions across their major components. Components refer to functional entities within a large complex organization, such as business sectors, academic departments, or regional divisions. The dependency between the various components can cause risk to propagate through their overall system. This article presents a risk assessment framework that integrates risk across a diverse set of components to the overall organization functions. This project addresses three major challenges: aggregating risk, estimating component interdependencies including cycles of dependencies, and propagating risk across components. The framework aggregates risk assessments through a value function for severity that is evaluated at the expected outcome of accomplishing planned goals in terms of performance, schedule, and resources. The value function, which represents risk tolerance, scales between defined points corresponding to failure and success. Different risk assessments may be aggregated together. This article presents a novel approach to establishing relationships between the various components, and develops and compares three network risk propagation models that characterize the overall organizational risk. The U.S. Air Force has applied this risk framework to evaluate success in hypothetical future wars. The analysts employing this risk framework have informed billions of dollars of strategic investment decisions.

12.
The U.S. Department of Agriculture (USDA) tests a subset of cattle slaughtered in the United States for bovine spongiform encephalopathy (BSE). Knowing the origin of cattle (U.S. vs. Canadian) at testing could enable new testing or surveillance policies based on the origin of cattle testing positive. For example, if a Canadian cow tests positive for BSE, while no U.S.-origin cattle do, the United States could subject Canadian cattle to more stringent testing. This article illustrates the application of a value-of-information (VOI) framework to quantify and compare the potential economic costs to the United States of implementing tracking of cattle origins to the costs of not doing so. The potential economic value of information from a tracking program is estimated to exceed its costs by more than five-fold if such information can reduce future losses in export and domestic markets and reduce future testing costs required to reassure or win back customers. Sensitivity analyses indicate that this conclusion is somewhat robust to many technical, scientific, and market uncertainties, including the current prevalence of BSE in the United States and/or Canada and the likely reactions of consumers to possible future discoveries of BSE in the United States and/or Canada. Indeed, the potential value of tracking information is great enough to justify locating and tracking Canadian cattle already in the United States when this can be done for a reasonable cost. If aggressive tracking and testing can win back lost exports, then the VOI of a tracking program may increase to over half a billion dollars per year.

13.
Incident data about disruptions to the electric power grid provide useful information that can be used as inputs into risk management policies in the energy sector for disruptions from a variety of origins, including terrorist attacks. This article uses data from the Disturbance Analysis Working Group (DAWG) database, which is maintained by the North American Electric Reliability Council (NERC), to look at incidents over time in the United States and Canada for the period 1990-2004. Negative binomial regression, logistic regression, and weighted least squares regression are used to gain a better understanding of how these disturbances varied over time and by season during this period, and to analyze how characteristics such as number of customers lost and outage duration are related to different characteristics of the outages. The results of the models can be used as inputs to construct various scenarios to estimate potential outcomes of electric power outages, encompassing the risks, consequences, and costs of such outages.

14.
Use of similar or identical antibiotics in both human and veterinary medicine has come under increasing scrutiny by regulators concerned that bacteria resistant to animal antibiotics will infect people and resist treatment with similar human antibiotics, leading to excess illnesses and deaths. Scientists, regulators, and interest groups in the United States and Europe have urged bans on nontherapeutic and some therapeutic uses of animal antibiotics to protect human health. Many regulators and public health experts have also expressed dissatisfaction with the perceived limitations of quantitative risk assessment and have proposed alternative qualitative and judgmental approaches ranging from "attributable fraction" estimates to risk management recommendations based on the precautionary principle or on expert judgments about the importance of classes of compounds in human medicine. This article presents a more traditional quantitative risk assessment of the likely human health impacts of continuing versus withdrawing use of fluoroquinolones and macrolides in production of broiler chickens in the United States. An analytic framework is developed and applied to available data. It indicates that withdrawing animal antibiotics can cause far more human illness-days than it would prevent: the estimated human BENEFIT:RISK health ratio for human health impacts of continued animal antibiotic use exceeds 1,000:1 in many cases. This conclusion is driven by a hypothesized causal sequence in which withdrawing animal antibiotic use increases illness rates in animals, microbial loads in servings from the affected animals, and hence human health risks. This potentially important aspect of human health risk assessment for animal antibiotics has not previously been quantified.

15.
The risk of cyber attacks on process control networks (PCN) is receiving significant attention due to the potentially catastrophic extent to which PCN failures can damage the infrastructures and commodity flows that they support. Risk management addresses the coupled problems of (1) reducing the likelihood that cyber attacks would succeed in disrupting PCN operation and (2) reducing the severity of consequences in the event of PCN failure or manipulation. The Network Security Risk Model (NSRM) developed in this article provides a means of evaluating the efficacy of candidate risk management policies by modeling the baseline risk and assessing expectations of risk after the implementation of candidate measures. Where existing risk models fall short of providing adequate insight into the efficacy of candidate risk management policies due to shortcomings in their structure or formulation, the NSRM provides model structure and an associated modeling methodology that captures the relevant dynamics of cyber attacks on PCN for risk analysis. This article develops the NSRM in detail in the context of an illustrative example.

16.
The elements of societal risk from a nuclear power plant accident are clearly illustrated by the Fukushima accident: land contamination, long-term relocation of large numbers of people, loss of productive farm area, loss of industrial production, and significant loss of electric capacity. NUREG-1150 and other studies have provided compelling evidence that the individual health risk of nuclear power plant accidents is effectively negligible relative to other comparable risks, even for people living in close proximity to a plant. The objective of this study is to compare the societal risk of nuclear power plant accidents to that of other events to which the public is exposed. We have characterized the monetized societal risk in the United States from major societally disruptive events, such as hurricanes, in the form of a complementary cumulative distribution function. These risks are compared with nuclear power plant risks, based on NUREG-1150 analyses and new MACCS code calculations to account for differences in source terms determined in the more recent SOARCA study. A candidate quantitative societal objective is discussed for potential adoption by the NRC. The results are also interpreted with regard to the acceptability of nuclear power as a major source of future energy supply.

17.
Risk Analysis for Critical Asset Protection (cited 2 times: 0 self-citations, 2 by others)
This article proposes a quantitative risk assessment and management framework that supports strategic asset-level resource allocation decision making for critical infrastructure and key resource protection. The proposed framework consists of five phases: scenario identification, consequence and criticality assessment, security vulnerability assessment, threat likelihood assessment, and benefit-cost analysis. Key innovations in this methodology include its initial focus on fundamental asset characteristics to generate an exhaustive set of plausible threat scenarios based on a target susceptibility matrix (which we refer to as asset-driven analysis) and an approach to threat likelihood assessment that captures adversary tendencies to shift their preferences in response to security investments based on the expected utilities of alternative attack profiles assessed from the adversary perspective. A notional example is provided to demonstrate an application of the proposed framework. Extensions of this model to support strategic portfolio-level analysis and tactical risk analysis are suggested.

18.
Paul F. Deisler Jr., Risk Analysis 2002, 22(3):405-413
The destruction by terrorists of the twin towers of the World Trade Center and major damage wrought to the Pentagon on September 11, 2001, followed closely by the bioterrorist anthrax attacks via the mails, raised the question of whether risk analysis might have a place in defending the United States against terrorist attacks. After first reviewing the multifaceted nature of terrorism and the reasons it is likely to become endemic in world society in the long term, just as other areas of crime are endemic, this article surveys several fields of risk analysis, finding possible short- and long-term uses of risk analysis. The areas chiefly considered are: risk communication and chemical, biological, and technological risk analysis. Broad policy and other uses are also considered. The author finds that risk analysis has already played some role, perhaps informally, but he sees the possibility for a much larger, formal one, a role that is centrally important for the present and future of the United States and the world.

19.
Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate the biases and subjectivity inherent in selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decision-maker values and technical data.

20.
The future of energy mobility involves networks of users, operators, organizations, vehicles, charging stations, communications, materials, transportation corridors, points of service, and so on. The integration of smart grids with plug-in electric vehicle technologies has societal and commercial advantages that include improving grid stability, minimizing dependence on nonrenewable fuels, reducing vehicle emissions, and reducing the cost of electric vehicle ownership. However, ineffective or delayed participation of particular groups of stakeholders could disrupt industry plans and delay the desired outcomes. This article develops a framework to address enterprise resilience for two modes of disruptions: the first being the influence of scenarios on priorities and the second being the influence of multiple groups of stakeholders on priorities. The innovation of this study is to obtain the advantages of integrating two recent approaches: scenario-based preferences modeling and stakeholder mapping. Public agencies, grid operators, plug-in electric vehicle owners, and vehicle manufacturers are the four groups of stakeholders that are considered in this framework, along with the influence of four scenarios on priorities.


Copyright © Beijing Qinyun Technology Development Co., Ltd. 京ICP备09084417号