Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment

Vishik, Claire; Sheldon, Frederick T.; Ott, David E.

doi:10.1007/978-3-658-03371-2_12

Cited by 6 publications

(10 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the other hand, unsuccessful voluntary sharing has several and different root causes. Several studies have been analyzing why people is often reluctant to share [2][3][4][5][6][7].…”

Section: Motivationmentioning

confidence: 99%

“…Visik et al [3], characterize the main reasons about why people is reluctant to share information, if there are not enough incentives for them. Authors suggest that users do not have the same knowledge about the value of artifacts offered, or simply they do not want to share their own data or incidents, as they could be giving a competitive advantage to their own competitors.…”

Section: Paper Organizationmentioning

confidence: 99%

“…There are multiple benefits of information exchange in cybersecurity, like threat prevention and detection, between others. On the other hand, there are also several unsuccessful voluntary sharing initiatives, which have been studied by multiple authors [2][3][4][5][6][7]. A summary of all the following problems can be seen in the Table 1.…”

Section: The Problem: Open Challenges and Limitations Of Existing Solutionsmentioning

confidence: 99%

See 2 more Smart Citations

Cybersecurity threat intelligence knowledge exchange based on blockchain

2019

View full text Add to dashboard Cite

Although cyber threat intelligence (CTI) exchange is a theoretically useful technique for improving security of a society, the potential participants are often reluctant to share their CTI and prefer to consume only, at least in voluntary based approaches. Such behavior destroys the idea of information exchange. On the other hand, governments are forcing specific entities and operators to report them specific incidents depending on their impact, otherwise there could be sanctions to those operators which are not reporting them on time. Obligations and sanctions are usually discouraging participants to share information voluntarily which will just share and report what is strictly required. We propose a paradigm shift of cybersecurity information exchange by introducing a new way to encourage all participants involved, at all levels, to share relevant information dynamically. It will also contribute to the support and deployment of Dynamic Risk Management frameworks to keep risks under an acceptance level along the time. Participants will have new and specific incentives to share, invest and consume threat intelligence and risk intelligence information depending on their different roles (producers, consumers, investors, donors and owner). Our proposal leverages from standards like Structured Threat Information Exchange, as well as W3C semantic web standards to enable a workspace of knowledge related to behavioral threat intelligence patterning to characterize tactics, techniques and procedures. At the same time, we propose an Ethereum Blockchain Smart contract Marketplace to better incentivize the sharing of that knowledge between all parties involved as well as creating a standard CTI token as a digital asset with a promising value in the market. Simulations and an experimentation were performed to demonstrate its benefits and incentives, but also its potential limits with regard to storage and cost of transactions.

show abstract

“…On the other hand, unsuccessful voluntary sharing has several and different root causes. Several studies have been analyzing why people is often reluctant to share [2][3][4][5][6][7].…”

Section: Motivationmentioning

confidence: 99%

Section: Paper Organizationmentioning

confidence: 99%

Section: The Problem: Open Challenges and Limitations Of Existing Solutionsmentioning

confidence: 99%

See 1 more Smart Citation

Cybersecurity threat intelligence knowledge exchange based on blockchain

2019

View full text Add to dashboard Cite

show abstract

“…In [35], the concept of Mean Failure Cost (MFC) was first introduced. The concept was refined through a series of applications [21,36,37] and has been applied to several domains which include mission assurance [38,39], failure impact analysis in Advanced Metering Infrastructure (AMI) [40,41], risk assessment [42,43], game theoretic simulation [40,44], cybersecurity modeling in the cloud [45], and SCADA environments [46,47]. This value-based metric (MFC), when applied quantifies the security of a computing system by the statistical mean of the random variable that represents for each stakeholder, the amount of loss that results from security threats and system vulnerabilities.…”

Section: Mean Failure Cost (Mfc) As a Measure Of Securitymentioning

confidence: 99%

Risk Assessment For Industrial Control Systems Quantifying Availability Using Mean Failure Cost (MFC)

Chen

Abercrombie

Sheldon

2015

Journal of Artificial Intelligence and Soft Computing Research

View full text Add to dashboard Cite

1 Industrial Control Systems (ICS) are commonly used in industries such as oil and natural gas, transportation, electric, water and wastewater, chemical, pharmaceutical, pulp and paper, food and beverage, as well as discrete manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. Originally, ICS implementations were susceptible primarily to local threats because most of their components were located in physically secure areas (i.e., ICS components were not connected to IT networks or systems). The trend toward integrating ICS systems with IT networks (e.g., efficiency and the Internet of Things) provides significantly less isolation for ICS from the outside world thus creating greater risk due to external threats. Albeit, the availability of ICS/SCADA systems is critical to assuring safety, security and profitability. Such systems form the backbone of our national cyber-physical infrastructure. Herein, we extend the concept of mean failure cost (MFC) to address quantifying availability to harmonize well with ICS security risk assessment. This new measure is based on the classic formulation of Availability combined with Mean Failure Cost (MFC). The metric offers a computational basis to estimate the availability of a system in terms of the loss that each stakeholder stands to sustain as a result of security violations or breakdowns (e.g., deliberate malicious failures).

show abstract

“…The concept was refined through a series of applications [20,30,31] and has been applied to several domains which include mission assurance [32,33], failure impact analysis in Advanced Metering Infrastructure (AMI) [34,35], risk assessment [36], game theoretic simulation [34,37], cybersecurity modeling in the cloud [38] and SCADA environments [39]. This value-based metric, MFC, when applied quantifies the security of a computing system by the statistical mean of the random variable that represents for each stakeholder, the amount of loss resulting from security threats and system vulnerabilities.…”

Section: The Mean Failure Cost As a Measure Of Securitymentioning

confidence: 99%

Quantifying the impact of unavailability in cyber-physical environments

Aissa

Abercrombie

Sheldon

et al. 2014

2014 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)

View full text Add to dashboard Cite

Abstract-The Supervisory Control and Data Acquisition (SCADA) system discussed in this work manages a distributed control network for the Tunisian Electric & Gas Utility. The network is dispersed over a large geographic area that monitors and controls the flow of electricity/gas from both remote and centralized locations. The availability of the SCADA system in this context is critical to ensuring the uninterrupted delivery of energy, including safety, security, continuity of operations and revenue. Such SCADA systems are the backbone of national critical cyber-physical infrastructures. Herein, we propose adapting the Mean Failure Cost (MFC) metric for quantifying the cost of unavailability. This new metric combines the classic availability formulation with MFC. The resulting metric, socalled Econometric Availability (EA), offers a computational basis to evaluate a system in terms of the gain/loss ($/hour of operation) that affects each stakeholder due to unavailability.

show abstract

Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment

Cited by 6 publications

References 25 publications

Cybersecurity threat intelligence knowledge exchange based on blockchain

Cybersecurity threat intelligence knowledge exchange based on blockchain

Risk Assessment For Industrial Control Systems Quantifying Availability Using Mean Failure Cost (MFC)

Quantifying the impact of unavailability in cyber-physical environments

Contact Info

Product

Resources

About