Cybersecurity Decisions Research Articles

DeepSecure: A computational design science approach for interpretable threat hunting in cybersecurity decision making

DeepSecure: A computational design science approach for interpretable threat hunting in cybersecurity decision making

Dealing with uncertainty in cybersecurity decision support

Dealing with uncertainty in cybersecurity decision support

Machine Learning Algorithm for Enhanced Cybersecurity: Identification and Mitigation of Emerging Threats

Machine learning (ML) methodologies have significantly transformed cybersecurity by offering sophisticated instruments that not only identify but also avert and alleviate cyber threats. This research study seeks to examine the convergence of machine learning and cybersecurity, focusing on diverse methodologies and their use in enhancing cybersecurity measures. The study examines several machines learning methods, including Graph Neural Networks, Adversarial Learning, Federated Learning, Explainable AI, and Reinforcement Learning. Every algorithm is essential for enhancing the identification and mitigation of cyber assaults. Graph Neural Networks facilitate the modelling of intricate linkages within cybersecurity data. It aids not just in forecasting future events but also in identifying anomalies and analyzing network traffic. Adversarial Learning assists in training machine learning models to address the difficulty of producing misleading input data that can deceive any model, hence enhancing their efficacy. Federated Learning is examined as a method for training machine learning models across decentralized networks while preserving data privacy and enhancing model accuracy. Explainable AI methodologies primarily offer transparency and interpretability in machine learning-driven cybersecurity decisions, which are crucial for comprehension and confidence in automated security systems. Reinforcement Learning is focused on a trial-and-error methodology, wherein the model acquires new tasks through a system of rewards and penalties. These sophisticated algorithms jointly improve the effectiveness, precision, and clarity of cybersecurity protocols, offering strong protection against emerging cyber threats.

Stackelberg Security Game for Optimizing Cybersecurity Decisions in Cloud Computing

As it is difficult to cover all cybersecurity threats, an optimal defense strategy is one of the focal issues in cloud computing due to its dynamic abstraction and scalability. On this basis, Stackelberg security games (SSG) have received significant attention for their better deployment of limited security. To deal with uncertainty and incomplete information, we introduce a modified quantal response (Mod-QR) approach that incorporates bounded rationality and preference into the decision-making process. Formally, this can be done by using the quantal response equilibrium (QRE) framework to find a trade-off between the effectiveness and operating costs of cloud computing. In this case, the most effective countermeasures to defend the cloud can be viewed as a mixed strategy in which all the actions of the defender are played with a nonzero probability. This framework has been evaluated using an experimental study on MATLAB optimization toolbox to understand the behavioral aspects of cybersecurity actors and then to proactively protect cloud computing.

Intelligent Risk-Based Cybersecurity Protection for Industrial Systems Control—A Feasibility Study

Summary Intelligent automated industrial process control, enabled by IR 4.0 technology, requires increased system integration and connectedness. With such development comes a heightened risk of cyberattack for operational technology (OT) systems, including industrial control systems (ICS) and industrial automation and control systems (IACS), historically shielded from cyberspace. Cyberattacks on OT systems can also impact the physical world. The recent attack on the US Colonial Pipeline interrupted delivery of oil along the US West coast for several days, resulting in a declaration of a state of emergency, while the Ukraine power grid attacks interrupted electrical power supply in Kyiv, impacting thousands of consumers. In 2021, an Equinor-operated platform on the Norwegian Continental shelf was hit by malware. The incident had the potential to affect the drilling control system (DCS). For ICS, the concern is ensuring a safe process, as opposed to the more traditional concern with data protection for information technology (IT) system management. To ensure safe implementation of advanced industrial systems control, while avoiding unnecessary operational downtime, there is a need for cybersecurity solutions that account for risk for the whole cyberphysical system (CPS), including the ICS, the work environment, the product, and the physical surroundings. Diagnostic models and methods must therefore be developed that cover the functionality of the whole CPS. Further, to account for process dynamics and evolving cyberattack threats, adaptability is required with respect to both process state and new types of attacks. For this purpose, knowledge-based awareness monitoring combined with existing cyberattack detection tools for ICS, known as ICS intrusion detection systems (IDS), is proposed, providing an element of artificial intelligence. Results from studies in a DCS environment indicate that existing monitoring applications can be used to detect and discern between different types of cyberattacks on CPSs. This indicates feasibility with respect to monitoring the control and IT components of the ICS system for building risk-based cybersecurity decision support solutions. The key challenge and novelty of the proposed approach is to extend the capability of cybermonitoring in systems control to automated evaluation of process risk, including risk to the physical environment. Such capability will enable appropriate decision support with respect to both process risk and operational downtime.

Cultural Influences on Information Security

Humans are by far the weakest link in the information security chain. Many in the information security industry advocate for a technical solution to this problem. Unfortunately, technology does not hold the answer to solving the human problem. Instead, it is important to better understand the problem and find new ways of training individuals, so they have a better security mindset and make better security minded decisions. The security challenges associated with human factors have been widely studied in previous literature and different research groups. Prior research has shown that both human behavioural factors and social media usage factors can be used to better assess a person’s susceptibility to cybercrime. We know that humans are multi-faceted beings who are swayed by many factors. In addition to behavioural factors and social media factors, humans are predisposed by cultural influences. This paper begins the process of understanding how culture influences a person's ability to make positive cybersecurity decisions in a world that is full of data being thrown at them. The end goal of this research is to use culture, along with behaviour and social media usage as new metrics in measuring a person’s susceptibility to cybercrime. This information can then be used by information security practitioners and researchers to better prepare individuals to defend themselves from cyber threats. This paper is the start of the research process into how culture impacts a person’s susceptibility to cybercrime. It shows the significance of identifying what specific aspects of culture impact how someone makes a decision. This can help mitigate social engineering attacks by better understanding the influencing factors which control an end user. The authors will continue their work on this project to develop new Information Awareness (IA) training programmes that work to modify an individual's behaviour, while taking into consideration their behaviours, social media usage and culture.

Making Sense of the Unknown: How Managers Make Cyber Security Decisions

Managers rarely have deep knowledge of cyber security and yet are expected to make decisions with cyber security implications for software-based systems. We investigate the decision-making conversations of seven teams of senior managers from the same organisation as they complete the Decisions & Disruptions cyber security exercise. We use grounded theory to situate our analysis of their decision-making and help us explore how these complex socio-cognitive interactions occur. We have developed a goal-model (using iStar 2.0) of the teams’ dialogue that illustrates what cyber security goals teams identify and how they operationalise their decisions to reach these goals. We complement this with our model of cyber security reasoning that describes how these teams make their decisions, showing how each team members’ experience, intuition, and understanding affects the team’s overall shared reasoning and decision-making. Our findings show how managers with little cyber security expertise are able to use logic and traditional risk management thinking to make cyber security decisions. Despite their lack of cyber security–specific training, they demonstrate reasoning that closely resembles the decision-making approaches espoused in cyber security–specific standards (e.g., NIST/ISO). Our work demonstrates how organisations and practitioners can enrich goal modelling to capture not only what security goals an organisation has (and how they can operationalise them) but also how and why these goals have been identified. Ultimately, non–cyber security experts can develop their cyber security model based on their current context (and update it when new requirements appear or new incidents happen), whilst capturing their reasoning at every stage.

Information Systems Strategy and Security Policy: A Conceptual Framework

As technology evolves, businesses face new threats and opportunities in the areas of information and information assets. These areas include information creation, refining, storage, and dissemination. Governments and other organizations around the world have begun prioritizing the protection of cyberspace as a pressing international issue, prompting a renewed emphasis on information security strategy development and implementation. While every nation’s information security strategy is crucial, there has not been much work conducted to define a method for gauging national cybersecurity attitudes that takes into account factors and indicators that are specific to that nation. In order to develop a framework that incorporates issues based on the current research in this area, this paper will examine the fundamentals of the information security strategy and the factors that affect its integration. This paper contributes by providing a model based on the ITU cybersecurity decisions, with the goal of developing a roadmap for the successful development and implementation of the National Cybersecurity Strategy in Greece, as well as identifying the factors at the national level that may be aligned with a country’s cybersecurity level.

The new offensive cyber security: Strategically using asymmetrical tactics to promote information security

Since the very first hack, cyber security professionals have sought to take the fight back to the hackers. Offensive cyber security operations usually focus upon proactive technical attacks on hackers to disrupt their operations and deter future attacks, and there are currently efforts by governments to expand these capabilities. Cyber security professionals are locked in an unfair, asymmetrical conflict with hackers, but they need not confine their thinking to historical rules of engagement. This paper briefly traces the theories of asymmetrical warfare in the 21st century, including its cyber security dimensions, to explore how companies and cyber security decision makers can learn from the lessons of the past while changing the rules of the conflict in their favour.

Cybersecurity decision support model to designing information technology security system based on risk analysis and cybersecurity framework

The proposed work was a recommendation model for designing cyber security decision support, in building an information technology security system based on risk analysis and the ISO/IEC 27001 cybersecurity framework. The proposed model aimed to obtain the best security system in mitigating security threats. This paper contributed to strategic policymakers in designing cyber security decision support recommendations to determine the best steps in designing information technology security systems. The model built can map the priority value of threat mitigation based on the relative threat score against the relative evaluation score of the implementation of ISO/IEC 27001 compliance. The mitigation priority value is the key in determining priority recommendations for building an information technology security system based on the ISO/IEC 27001 framework. Furthermore, the results implementation of information technology security system recommendations is tested by carrying out security attacks directly on the system being built. The work ends by conducting a statistical evaluation of the system built based on the recommendations of the information technology security system. The results achieved indicate an increase in the average value of the evaluation of ISO/IEC 27001 compliance from 36.27 to 82.37 with the p-value of Paired T-Test being 0.002138 < 0.05, meaning that there is a significant influence between threats to information technology security systems that implement and do not apply the recommendations of information technology security systems to the ISO/IEC 27001 compliance evaluation index value. Furthermore, based on 12 types of threat samples, it shows a decrease in the average threat criticality level from 8.75 to 4.00 with the p-value of the chi-square test being 0.0006605 < 0.05 and Fisher Test's p-value is 0.000008284 < 0.05, meaning that there is an association relationship between threats to information technology security systems that apply recommendations and do not apply recommendations to the criticality level of information technology security threats. While the results of the evaluation of the relationship between the implementation of security system recommendations on cybersecurity attack mitigation showed an increase in the effectiveness of cyber-attack mitigation from an average rating of 18.32 to 40.74 with the p-value of the chi-square test being 0.000005221 < 0.05 and the Fisher Test being 0.00000005658 < 0.05 means that there is an association relationship between systems that implement and do not implement recommendations based on ISO/IEC 27001 for cybersecurity attack mitigation.

Code development of regulatory technology for legitimacy of cybersecurity adjudication

Artificial Intelligence (AI) on cybersecurity is designed to control financial transactions and agreements worldwide. It is an innovative regulatory tool architecturally networked to combat cyber threats and attacks in various degrees of war and crime perpetration from various banking industries and its corresponding government authority functions with implementing arms for execution of monitoring, reporting, and compliance. Regulatory Technology (RegTech) is an AI tool used by treasury departments and institutions, both local and private, for tracking malicious threats possible for money laundering and terrorism financing concealed in various settlements around the world. However, cybersecurity decisions need conformity in regulations and proceedings that it aims to engineer code development involving attacks under Regulatory Technology usage for administrative functions in favor of the financial intelligence authorities for combating and resolving issues on cyberwar. Therefore, political adjudication is a developing means of resolving gaps and optimizing judicial process principles within the policy function of financial intelligence. Hence, international laws and its accompanied policies must be globally harmonized in terms of federal and transnational tracking of financial flows of assets.

Serious games as a tool to model attack and defense scenarios for cyber-security exercises

Technology is evolving rapidly; this poses a problem for security specialists and average citizens as their technological skill sets are quickly made obsolete. This makes the knowledge and understanding of cyber-security in a technologically evolving world difficult. Global IT infrastructure and individuals’ privacy are constantly under threat. One way to tackle this problem is by providing continuous training and self-learning platforms. Cyber-security exercises can provide a necessary platform for training people’s cyber-security skills. However, conducting cyber-security exercises with new and unique scenarios requires comprehensive planning and commitment to the preparation time and resources. In this work, we propose a serious game for the development of cyber-security exercise scenarios. The game provides a platform to model simulated cyber-security exercise scenarios, transforming them into an emulated cyber-security exercise environment using domain-specific language (DSL) and infrastructure orchestration. In this game, players can play as cyber attackers or defenders in a multiplayer environment to make operational cyber-security decisions in real-time. The decisions are evaluated for the development of operational cyber-attack and defense strategies.

Bayesian Stackelberg games for cyber-security decision support

A decision support system for cyber-security is here presented. The system aims to select an optimal portfolio of security controls to counteract multi-stage attacks. The system has several components: a preventive optimisation to select controls for an initial defensive portfolio, a learning mechanism to estimate possible ongoing attacks, and an online optimisation selecting an optimal portfolio to counteract ongoing attacks. The system relies on efficient solutions of bi-level optimisations, in particular, the online optimisation is shown to be a Bayesian Stackelberg game solution. The proposed solution is shown to be more efficient than both classical solutions like Harsanyi transformation and more recent efficient solvers. Moreover, the proposed solution provides significant security improvements on mitigating ongoing attacks compared to previous approaches. The novel techniques here introduced rely on recent advances in Mixed-Integer Conic Programming (MICP), strong duality and totally unimodular matrices. • A cyber-security decision support system to select an optimal security portfolio to counteract multistage cyber-attacks. • The system has both preventive and online optimizations supported by a learning mechanism to detect ongoing attacks. • The online optimization is shown to be a Bayesian Stackelberg game for which efficient solutions are introduced.

“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making

Cyber security decision making is inherently complicated, with nearly every decision having knock-on consequences for an organisation’s vulnerability and exposure. This is further compounded by the fact that decision-making actors are rarely security experts and may have an incomplete understanding of the security that the organisation currently has in place. They must contend with a multitude of possible security options that they may only partially understand. This challenge is met by decision makers’ risk thinking —their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing dataset derived from a tabletop cyber-physical systems security game. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first . Our work highlights that risk-first approaches (as prescribed by the likes of NIST-800-53 and ISO 27001) are followed neither substantially nor exclusively when it comes to decision making. Instead, our analysis finds that decision making is affected by the plasticity of teams—that is, the ability to readily switch between ideas and practising both risk-first and opportunity-first reasoning.

System for analysing of big data on cybersecurity issues from social media

The paper proposes and substantiates approaches to building a corporate system for monitoring and analyzing social media on cybersecurity issues, which are based on the concept Big Data, Data/Text Mining, Information Extraction, Complex Networks, and Cloud Computing. The components of Elastic Stack technology, Sphinx information retrieval system, Graph Data Base Management System Neo4j, and Gephi graph analysis system are examined in detail. The main idea of a system for analyzing large amounts of data on cybersecurity issues from social media is the simultaneous application of methods and means of information retrieval, data analysis, and aggregation of information flows. The system should ensure the implementation of the following functions: the formation of databases by collecting information from certain information resources; settings for automatic scanning and primary processing of information from websites and social networks; maintaining full-text information databases; identifying duplicates similar in content to informational messages; full-text search; analysis of text messages, determination of tonality, the formation of analytical reports; integration with geographic information system; data analysis and visualization; study of the dynamics of thematic information flows; predicting developments based on the analysis of the dynamics of the publication in social media; providing access for many users to the functional components of the system. The practical significance of the results is to create a working layout of the content monitoring and analysis system of social media on cybersecurity issues, ready to be used as a component in information and cybersecurity decision support systems. The interface of the system layout is considered, in which the functions of search, analysis, and forecasting of information appearance in social media are available. Central to the interface is a digest of the most relevant user needs. In the analytical mode, a number of tools are implemented for graphical presentation of the analyzed data, which are displayed as a time series of the number of relevant queries per day, as well as viewing the main topics, clusters grouped by predefined reference words. The system provides modes for forming networks of concepts that correspond to individual messages (persons, brands) and information sources that allow you to rank the concepts and explore the relationships between them.

A Socio-technical Systems Approach to Design and Support Systems Thinking in Cybersecurity and Risk Management Education

Cybersecurity decisions are made across a range of social, technical, economic, regulatory and political domains. There is a gap between what companies and institutions plan to do while developing their internal IS-related policies and what should be done according to a multi-stakeholder system perspective in this area. Our task as researchers is to bridge this gap by offering potential solutions. The aim of our work is to promote the usage of the socio-technical systems (STS) approach to support the emerging role of systems thinking in cybersecurity education, using simulation as a supporting tool for learning. Meanwhile, new trends in cybersecurity curricula suggest an important shift toward new thinking approaches such as adversarial and systems thinking. We explored individuals’ adversarial and systems thinking skills in an open agent-based simulated environment and subsequently assessed the impact based on a participant survey. We discuss these results and point to directions for further investigation. The second contribution of the article is the provision of a tool for developing target users’ skills in making quantitative risk decisions and giving them a deeper understanding of the importance and use of key indices in the cyber risk management process.

MaCRA: a model-based framework for maritime cyber-risk assessment

In the current economy, roughly 90% of all world trade is transported by the shipping industry, which is now accelerating its technological growth. While the demand on mariners, ship owners, and the encompassing maritime community for digital advances (particularly towards digitization and automation) has led to efficient shipping operations, maritime cyber-security is a pertinent issue of equal importance. As hackers are becoming increasingly aware of cyber-vulnerabilities within the maritime sector, and as existing risk assessment tools do not adequately represent the unique nature of maritime cyber-threats, this article introduces a model-based risk assessment framework which considers a combination of cyber and maritime factors. Confronted with a range of ship functionalities, configurations, users, and environmental factors, this framework aims to comprehensively present maritime cyber-risks and better inform those in the maritime community when making cyber-security decisions. By providing the needed maritime cyber-risk profiles, it becomes possible to support a range of parties, such as operators, regulators, insurers, and mariners, in increasing overall global maritime cyber-security.

Cybersecurity: The Three-headed Janus

Multiple entities define the stage: Ayn, an accomplished CIO; James, an idealistic CEO; Kira, an unscrupulous hacker; Randcom, a rail company; and Zuidia, a country reinventing itself. These entities intersect in a tense cybersecurity gameplay. A cyber-attack rages across multiple fronts, targeting Randcom's technology, processes, and people, suddenly delivering a staggering blow to the company. Ayn stands in the eye of the storm, figuring a path forward. This cybersecurity case study offers an active learning and role-playing experience for students. Immersing the student in the anatomy of a cybersecurity attack, this case converges various perspectives: the hacker, the company, and the macro environment (e.g., country culture). In the process, this case highlights conflicting strategic choices and opportunity costs of decisions in an environment that requires a company to be both competitive and yet secure across three cybersecurity facets: technology, processes, and people. This case could be used as a class discussion and exercise as well as a role play with multiple protagonists. Specific roles include the CEO, the CIO, the hacker, and the CFO. This case brings together multiple viewpoints, often conflicting, representative of real-life decisional and ethical dilemmas in the context of a company. This case, further contextualized using a developing country as the backdrop, adds an additional layer of decisional trade-offs. Nonetheless, this case is representative of IS and cybersecurity decision making in a company, regardless of the type of country.

Risk and the Small-Scale Cyber Security Decision Making Dialogue—a UK Case Study

Despite a long-standing understanding that developments in personal and cloud computing practices would change the way we approach security, small-scale IT users (SSITUs) remain ill-served by existing cyber security practices. This paper discusses results from a survey that considered (in part) cyber security decisions made by SSITUs. We determine that SSITUs are focusing on easy-to-implement technical measures, leading to a disconnect between the security implemented and any risks identified; available resources, knowledge, prioritization of business processes, reduced system control and a lack of threat intelligence all combine to limit the ability to make cyber security decisions; and assessing risk in SSITUs will not lead to sufficient investment to mitigate risks for risk-holding stakeholders in the supply chain. We conclude that the constraints faced by SSITUs have far greater impact on the decisions they make than either our risk-holding, or security-providing, participants may have anticipated. Any limitations faced by SSITUs as they make their security decisions will have a significant impact on both the measures they are able to apply and the security of the supply chain as a whole.

On System Dynamics Modeling of Human‐Intensive Workflow Improvement – Case Study in Cybersecurity Adaptive Knowledge Encoding

AbstractModeling and simulation offers one way to express a system of systems, to measure its performance, and predict the effects of prospective modifications. This paper introduces a system dynamics model (SDM) as a systems engineering design decision support tool. The SDM structure, design rationale, and results have broader applicability to many people‐oriented workflows that may benefit from 1) working smarter and 2) introducing automation to complement human activities. The SDM structure consists of a sequential time‐essential workflow of eleven phases. The simulation establishes a pre‐modification performance baseline, identifies the fit of a prospective modification with intent to improve workflow, estimates the modification's effect on performance, and then produces post‐modification performance results to compare with the baseline. To provide focus for the SDM, the details herein use cybersecurity operations as one example of a system of systems predominantly operated by people performing insufficiently to address the volume of cyberspace‐related anomalies. The SDM is specifically for cybersecurity operations to identify procedural bottlenecks and show the impact of proposed improvements. Cybersecurity decision patterns (CDPs) provide a case study as a prospective improvement. CDPs are one solution under the integrated adaptive cyberspace defense – joint cognitive system capability area to help establish and sustain agile cybersecurity operations (Willett 2015a). Lessons learned from the approach, application, and results are more broadly applicable to many systems and system of systems operations.