Similar literature
Found 20 similar documents; search time 31 ms
1.
Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as template for more complex problems.

2.
The role played by information and communication technologies in today's businesses cannot be underestimated. While such technological advancements provide numerous advantages and opportunities, they are known to threaten organizations with new challenges such as cyberattacks. This is particularly important for small and medium-sized enterprises (SMEs) that are deemed to be the least mature and highly vulnerable to cybersecurity risks. Thus, this research is set to assess the cyber risks in online retailing SMEs (e-tailing SMEs). Therefore, this article employs a sample of 124 small e-tailers in the United Kingdom and takes advantage of a multi-criteria decision analysis (MCDA) method. Indeed, we identified a total of 28 cyber-oriented risks in five exhaustive themes of “security,” “dependency,” “employee,” “strategic,” and “legal” risks. Subsequently, an integrated approach using step-wise weight assessment ratio analysis (SWARA) and best–worst method (BWM) has been employed to develop a pathway of risk assessment. As such, the current study outlines a novel approach toward cybersecurity risk management for e-tailing SMEs and discusses its effectiveness and contributions to the cyber risk management literature.

3.
Fatality reductions from increases in safety belt use are estimated taking into account that drivers who change from being nonusers to being users have lower accident involvement rates than the remaining nonusers, a process referred to as "selective recruitment." Analytical functions are derived which express expected fatality reductions in terms of changes in safety belt use rates from an initial rate. The function parameters are determined by requiring that computed average crash rates for nonusers be 53% higher than the rates for users, a recently determined empirical value. These functions show that, depending on the initial use rate and use rate increase, selective recruitment may increase or decrease expected fatality reductions. However, effects are relatively small, in no case exceeding +/- 5.3%.

4.
Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.

5.
It is a common experience that attempts to mitigate a risk lead to new risks, and that risks formerly thought to be of one kind become another kind as technical knowledge evolves. This phenomenon of risk migration suggests that we should take processes over time, rather than specific risks or specific technologies, as a unit of analysis. Several of our existing models of the social management of risks, such as that of social risk amplification, are process models of a kind but are still oriented around the playing out of a particular event or issue. A case study of risk in a group of flame-retardant compounds was used as the basis of a grounded, exploratory analysis of migration processes, the phenomena that influence them, and their consequences. This illustrated how migration naturally occurs from risks that are understood, in which risk bearers have at least some agency, to risks that are not understood and not capable of being influenced by risk bearers. It illustrated how the simultaneous improvement in measuring technology, which detects potential toxins at increasingly small concentrations, combines with intuitive models that ignore concentration to produce conditions likely to generate anxiety. And it illustrated how pressure groups and commercial interests exploit this effect. It also showed how migration makes precautionary action problematic, and how more generally it tends to undermine a society's capacity to cope with risk.

6.
Road traffic crashes are the leading cause of death for young people, among whom cyclists account for a higher percentage of injuries and deaths than any other road users. This study aimed to examine the factor structure of the Young Cyclist Behavior Questionnaire (YCBQ) and investigate the relationships among demographic characteristics, cycling use-related variables, perceived risk, perceived cycling skills, and risky cycling behaviors among young people. A sample of 448 cyclists (mean age of 20.37 years) completed the questionnaire. Exploratory factor analysis, confirmatory factor analysis, and structural equation modeling were utilized. The YCBQ had a clear factorial structure, items with high factor loadings, and good internal consistency. The five-factor structure included traffic violations, impulsive behaviors, ordinary violations, distractions, and errors. Risky cycling behaviors could be explained by gender, age, perceived risk, and perceived cycling skills, with the model explaining 37% of the variance. Gender had the greatest impact on risky cycling behaviors; male individuals were more likely to engage in risky behaviors. Young cyclists with higher levels of perceived risk had lower probabilities of engaging in risky cycling behaviors. Cyclists with lower scores on perceived cycling skills were more likely to report engaging in risky cycling behaviors. Age significantly explained risky behaviors; the younger the cyclist was, the higher his or her risky behaviors score. This research provides a theoretical foundation for the prevention of risky behaviors among young cyclists. Regarding intervention design, attention to the identified gender differences, the need to strengthen the ability to perceive risk, and the importance of road safety education for young cyclists may promote safer cycling.

7.
Tampering with nature has been shown to be a strong, and sometimes even the strongest, predictor of the risk perception and acceptance of various technologies and behaviors, including environmental technologies, such as geoengineering. It is therefore helpful to understand what tampering with nature is as a construct, to which factors it relates, and when a technology or behavior is perceived as such. By means of a systematic review, we show that very little systematic research has been conducted on tampering with nature. Because tampering with nature has not yet been clearly defined, no systematic operationalization of tampering with nature has been used in the current literature. We show that tampering with nature is often used interchangeably with other constructs, such as naturalness. Based on the literature, we suggest that tampering with nature is related to and possibly influenced by three other constructs, which are naturalness, morality, and controllability. We discuss the influence of tampering with nature on the acceptance and risk perception of various technologies and behaviors and make suggestions for future research needs in order to better understand this construct.

8.
Effective risk communication is an integral part of responding to terrorism, but until recently, there has been very little pre‐event communication in a European context to provide advice to the public on how to protect themselves during an attack. Following terrorist attacks involving mass shootings in Paris, France, in November 2015, the U.K. National Police Chiefs’ Council released a Stay Safe film and leaflet that advises the public to “run,” “hide,” and “tell” in the event of a firearms or weapons attack. However, other countries, including Denmark, do not provide preparedness information of this kind, in large part because of concern about scaring the public. In this survey experiment, 3,003 U.K. and Danish participants were randomly assigned to one of three conditions: no information, a leaflet intervention, and a film intervention to examine the impact of “Run, Hide, Tell” advice on perceptions about terrorism, the security services, and intended responses to a hypothetical terrorist firearms attack. Results demonstrate important benefits of pre‐event communication in relation to enhancing trust, encouraging protective health behaviors, and discouraging potentially dangerous actions. However, these findings also suggest that future communications should address perceived response costs and target specific problem behaviors. Cross‐national similarities in response suggest this advice is suitable for adaptation in other countries.

9.
Various methods for risk characterization have been developed using probabilistic approaches. Data on Vietnamese farmers are available for the comparison of outcomes for risk characterization using different probabilistic methods. This article addresses the health risk characterization of chlorpyrifos using epidemiological dose‐response data and probabilistic techniques obtained from a case study with rice farmers in Vietnam. Urine samples were collected from farmers and analyzed for trichloropyridinol (TCP), which was converted into absorbed daily dose of chlorpyrifos. Adverse health response doses due to chlorpyrifos exposure were collected from epidemiological studies to develop dose‐adverse health response relationships. The health risk of chlorpyrifos was quantified using hazard quotient (HQ), Monte Carlo simulation (MCS), and overall risk probability (ORP) methods. With baseline (prior to pesticide spraying) and lifetime exposure levels (over a lifetime of pesticide spraying events), the HQ ranged from 0.06 to 7.1. The MCS method indicated less than 0.05% of the population would be affected while the ORP method indicated that less than 1.5% of the population would be adversely affected. With postapplication exposure levels, the HQ ranged from 1 to 32.5. The risk calculated by the MCS method was that 29% of the population would be affected, and the risk calculated by ORP method was 33%. The MCS and ORP methods have advantages in risk characterization due to use of the full distribution of data exposure as well as dose response, whereas HQ methods only used the exposure data distribution. These evaluations indicated that single‐event spraying is likely to have adverse effects on Vietnamese rice farmers.

10.
Human H5N1 highly pathogenic avian influenza (HPAI) infection is associated with intimate exposure to live poultry. Perceptions of risk can modify behaviors, influencing actual exposure. However, greater hazard is not necessarily followed by perception of greater risk and more precautionary behavior because self-serving cognitive biases modulate precautionary and hazardous behaviors. We examined risk perception associated with avian influenza. A total of 1,550 face-to-face within-household interviews and 1,760 telephone interviews were derived to study avian influenza risk perception and live poultry use in Guangzhou and Hong Kong, respectively. Chi-square and Mann-Whitney tests assessed bivariate associations and risk distributions, respectively, and fully adjusted multivariate logistic models determined independent risk associations. Relative to Hong Kong, perceived "generalized" risk from buying live poultry (GZ, 58%, 95% confidence interval 55–60% vs. HK, 41%, 39–43%; χ² = 86.95, df = 1, p < 0.001) and perceived self/family risk from buying (z = −2.092, p = 0.036) were higher in Guangzhou. Higher perceived "generalized" risk was associated with not buying live poultry (OR = 0.65, 0.49–0.85), consistent with the pattern seen in Hong Kong, while perceived higher self/family risk was associated with buying ("likely/very likely/certain" OR = 1.74, 1.18–2.59); no such association was seen in Hong Kong. Multivariate adjustment indicated older age was associated with buying live poultry in Guangzhou (OR = 2.91, 1.36–6.25). Guangzhou respondents perceived greater risk relative to Hong Kong. Buying live poultry was associated with perceptions of less "generalized" risk but more self/family risk. Higher generalized risk was associated with fewer live poultry purchases, suggesting generalized risk may be a useful indicator of precautionary HPAI risk behavior.

11.
Bob Maaskant 《Risk analysis》2011,31(2):282-300
The Dutch government is in the process of revising its flood safety policy. The current safety standards for flood defenses in the Netherlands are largely based on the outcomes of cost‐benefit analyses. Loss of life has not been considered separately in the choice for current standards. This article presents the results of a research project that evaluated the potential roles of two risk metrics, individual and societal risk, to support decision making about new flood safety standards. These risk metrics are already used in the Dutch major hazards policy for the evaluation of risks to the public. Individual risk concerns the annual probability of death of a person. Societal risk concerns the probability of an event with many fatalities. Technical aspects of the use of individual and societal risk metrics in flood risk assessments as well as policy implications are discussed. Preliminary estimates of nationwide levels of societal risk are presented. Societal risk levels appear relatively high in the southwestern part of the country where densely populated dike rings are threatened by a combination of river and coastal floods. It was found that cumulation, the simultaneous flooding of multiple dike rings during a single flood event, has significant impact on the national level of societal risk. Options for the application of the individual and societal risk in the new flood safety policy are presented and discussed.

12.
Cigarette smoking is often established during adolescence when other health‐related risk behaviors tend to occur. The aim of the study was to further investigate the hypothesis that risky health behaviors tend to cluster together and to identify distinctive profiles of young adolescents based on their smoking habits. To explore the idea that smoking behavior can predict membership in a specific risk profile of adolescents, with heavy smokers being more likely to exhibit other risk behaviors, we reanalyzed the data from the 2014 Health Behaviour in School‐Aged Children Italian survey of about 60,000 first‐ and third‐grade junior high school (JHS) and second‐grade high school (HS) students. A Bayesian approach was adopted for selecting the manifest variables associated with smoking; a latent class regression model was employed to identify smoking behaviors among adolescents. Finally, a health‐related risk pattern associated with different types of smoking behaviors was found. Heavy smokers engaged in higher alcohol use and abuse and experienced school failure more often than their peers. Frequent smokers reported below‐average academic achievement and self‐rated their health as fair/poor more frequently than nonsmokers. Lifetime cannabis use and early sexual intercourse were more frequent among heavy smokers. Our findings provide elements for constructing a profile of frequent adolescent smokers and for identifying behavioral risk patterns during the transition from JHS to HS. This may provide an additional opportunity to devise interventions that could be more effective to improve smoking cessation among occasional smokers and to adequately address other risk behaviors among frequent smokers.

13.
Mobile phone use while driving (MPUWD) is an increasingly common form of distracted driving. Given its widespread prevalence, it is important for researchers to identify factors that may predict who is more likely to engage in this risky behavior. The current study investigates associations between MPUWD risk behaviors, domain‐specific risk perceptions, and broad personality dimensions. An Italian community sample (n = 804) completed a survey regarding MPUWD risk perceptions and engagement in MPUWD, in addition to the HEXACO‐PI‐R, a broad six‐factor personality inventory (honesty‐humility, emotionality, extraversion, agreeableness, conscientiousness, openness to experience), and the DOSPERT, a six‐factor domain‐specific self‐report risk‐taking measure (health/safety, recreational, social, ethical, gambling, and investment). With respect to domain‐specific risk taking, greater frequency of SMS use while driving most strongly was associated with greater risk taking for the health/safety, gambling, and ethical risk domains. Further, greater honesty‐humility and conscientiousness, two traits related to cognitive control and risk behaviors, and to a lesser extent openness to experience, were associated with less frequent MPUWD, and positively associated with MPUWD risk perceptions. With growing public safety concern surrounding MPUWD, understanding associated personality factors is not only important for identifying psychological mechanisms underlying risk behavior, but also for more effective prevention and intervention programs.

14.
This perspectives article addresses risk in cyber defense and identifies opportunities to incorporate risk analysis principles into the cybersecurity field. The Science of Security (SoS) initiative at the National Security Agency seeks to further and promote interdisciplinary research in cybersecurity. SoS organizes its research into the Five Hard Problems (5HP): (1) scalability and composability; (2) policy‐governed secure collaboration; (3) security‐metrics–driven evaluation, design, development, and deployment; (4) resilient architectures; and (5) understanding and accounting for human behavior. However, a vast majority of the research sponsored by SoS does not consider risk and when it does so, only implicitly. Therefore, we identify opportunities for risk analysis in each hard problem and propose approaches to address these objectives. Such collaborations between risk and cybersecurity researchers will enable growth and insight in both fields, as risk analysts may apply existing methodology in a new realm, while the cybersecurity community benefits from accepted practices for describing, quantifying, working with, and mitigating risk.

15.
Malware constitutes a major global risk affecting millions of users each year. Standard algorithms in detection systems perform insufficiently when dealing with malware passed through obfuscation tools. We illustrate this by studying in detail an open source metamorphic software, making use of a hybrid framework to obtain the relevant features from binaries. We then provide an improved alternative solution based on adversarial risk analysis which we illustrate with an example.

16.
The global human population now exceeds 7 billion and is projected to reach 10 billion around 2060. While population growth has been associated with certain benefits (e.g., economies of scale, technological advancements), theoretical models, probabilistic projections, and empirical evidence also indicate that this growth could increase the likelihood of many adverse events (e.g., climate change, resource shortages) and the impact of these events, as more people are exposed to the outcomes. While concerns about these issues are well‐documented in the academic literature, there is little evidence concerning the public's perceptions of the risks associated with global population growth (GPG) and how these perceptions are likely to influence related decisions. To address these issues, we conducted a U.K.‐based study that examined respondents’ risk perceptions of GPG, their willingness to embrace mitigation/precautionary behaviors, and reasons for variations in these two factors. We found that GPG is perceived as a moderate‐to‐high risk, with concerns about the increased likelihood of resource shortages, ecological damage, and violent conflict being foremost. Respondents believed that the worst effects of GPG would arrive around 2050 and would be experienced by the world's poorest people. Respondents who perceived greater levels of risk from GPG were generally those who indicated a greater willingness to embrace mitigation behaviors (e.g., reduce resource consumption) and preventative actions (e.g., support political action to limit growth). We discuss how our findings might be utilized to better manage the potential challenges associated with GPG and we suggest several directions for further research.

17.
In counterterrorism risk management decisions, the analyst can choose to represent terrorist decisions as defender uncertainties or as attacker decisions. We perform a comparative analysis of probabilistic risk analysis (PRA) methods including event trees, influence diagrams, Bayesian networks, decision trees, game theory, and combined methods on the same illustrative examples (container screening for radiological materials) to get insights into the significant differences in assumptions and results. A key tenet of PRA and decision analysis is the use of subjective probability to assess the likelihood of possible outcomes. For each technique, we compare the assumptions, probability assessment requirements, risk levels, and potential insights for risk managers. We find that assessing the distribution of potential attacker decisions is a complex judgment task, particularly considering the adaptation of the attacker to defender decisions. Intelligent adversary risk analysis and adversarial risk analysis are extensions of decision analysis and sequential game theory that help to decompose such judgments. These techniques explicitly show the adaptation of the attacker and the resulting shift in risk based on defender decisions.

18.
This article tests the hypothesis that the exposure to the threat to societies posed by the introduction of new technologies is associated with a normalization of risk perception. Data collected in 2000 by the International Social Survey Programme (ISSP) on environmental issues were used to explore this hypothesis. Representative samples from 25 countries were employed to assess the national levels of perceived threat to the environment associated with a series of technologies and activities. These values were correlated with economic indicators (mainly from the World Bank) of the diffusion of each of the technologies or activities in each country. Results indicate a negative association of risk perception with the level of technological prevalence (societal normalization effect) and a positive association with the rate of growth of the technology (societal sensitivity effect). These results indicate that the most acute levels of perceived environmental risk are found in those countries where the level of technological prevalence is low but where there has recently been substantial technological development. Environmental awareness is a mediator of the relationship between risk perception and the indices of technological diffusion. This result means that: (1) societal normalization of risk is not a direct consequence of prevalence of the technology, but is driven by awareness of technological development and that (2) societal sensitivity to risk is associated with lower levels of environmental awareness.

19.
Individuals’ perceptions and their interpersonal communication about a risk event, or risk talk, can play a significant role in the formation of societal responses to the risk event. As they formulate their risk opinions and speak to others, risk information can circulate through their social networks and contribute to the construction of their risk information environment. In the present study, Japanese citizens’ risk perception and risk talk were examined in the context of the Fukushima Daiichi nuclear radiation risk. We hypothesized and found that the risk information environment and risk literacy (i.e., competencies to understand and use risk information) interact to influence their risk perception and risk talk. In particular, risk literacy tends to stabilize people's risk perceptions and their risk communications. Nevertheless, there were some subtle differences between risk perception and communication, suggesting the importance of further examination of interpersonal risk communication and its role in the societal responses to risk events.

20.
We investigate the regional economic consequences of a hypothetical catastrophic event—attack via radiological dispersal device (RDD)—centered on the downtown Los Angeles area. We distinguish two routes via which such an event might affect regional economic activity: (i) reduction in effective resource supply (the resource loss effect) and (ii) shifts in the perceptions of economic agents (the behavioral effect). The resource loss effect relates to the physical destructiveness of the event, while the behavioral effect relates to changes in fear and risk perception. Both affect the size of the regional economy. RDD detonation causes little capital damage and few casualties, but generates substantial short‐run resource loss via business interruption. Changes in fear and risk perception increase the supply cost of resources to the affected region, while simultaneously reducing demand for goods produced in the region. We use results from a nationwide survey, tailored to our RDD scenario, to inform our model values for behavioral effects. Survey results, supplemented by findings from previous research on stigmatized asset values, suggest that in the region affected by the RDD, households may require higher wages, investors may require higher returns, and customers may require price discounts. We show that because behavioral effects may have lingering long‐term deleterious impacts on both the supply‐cost of resources to a region and willingness to pay for regional output, they can generate changes in regional gross domestic product (GDP) much greater than those generated by resource loss effects. Implications for policies that have the potential to mitigate these effects are discussed.
