How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches

Thomas, Russell; Antkiewicz, Marcin; Florer, Patrick; Widup, Suzanne; Woodyard, Matthew

doi:10.2139/ssrn.2233075

Cited by 8 publications

(6 citation statements)

References 86 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The tandem of BSIMM and Touchpoints provides a basis to address the global and emergent nature of software security, although some will note that collections of 'best practice' do not constitute formally evaluated methodologies [80]. Touchpoints is often presented as an ordered list in order to impart effectiveness, and while BSIMM appears to bear out this ranking, the original basis for this ordering lies with the experience of the Touchpoints developer [55].…”

Section: Swsec Practisementioning

confidence: 99%

A case for the economics of secure software development

Heitzenrater

Simpson

2016

Proceedings of the 2016 New Security Paradigms Workshop

View full text Add to dashboard Cite

Over the past 15 years the topic of information security economics has grown to become a large and diverse field, influencing security thinking on issues as diverse as bitcoin markets and cybersecurity insurance. An aspect yet to receive much attention in this respect is that of secure software development, or 'SWSec'-another area that has seen a surge of research since 2000. SWSec provides paradigms, practices and procedures that offer some promise to address current security problems, yet those solutions face financial and technical barriers that necessitate a more thorough approach to planning and execution. Meanwhile, information security economics has developed theory and practice to support a particular world-view; however, it has yet to account for the investments, constructs and benefits of SWSec. As the frequency and severity of computer misuse has increased, both areas have struggled to impart a new mindset for addressing the inherent issues that arise in a diverse, connected and functionality-driven landscape. This paper presents a call for the establishment of an economics of secure software development. We present the primary challenges facing practice, citing relevant literature from both communities to illustrate where commonalities lie-and where further work is needed. Those challenges are decomposed into a research agenda, deriving from the application of principles in both themes a lack of models, representation and analysis in practice. A framework emerges that facilitates discussions of security theory and practice. CCS Concepts •Security and privacy → Economics of security and privacy; Software security engineering; •Software and its engineering → Software design tradeoffs;

show abstract

Section: Swsec Practisementioning

confidence: 99%

A case for the economics of secure software development

Heitzenrater

Simpson

2016

Proceedings of the 2016 New Security Paradigms Workshop

View full text Add to dashboard Cite

show abstract

“…They could lead to production losses or the inability to control a plant, multimillion financial losses, and even impact stock prices [7]. One of the key problems for understanding such consequences is that OT systems are also cyber-physical systems (CPS) encompassing both computational and complex physical elements [39].…”

Section: Cybersecurity Challenges In Operational Technologymentioning

confidence: 99%

A Graphical Adversarial Risk Analysis Model for Oil and Gas Drilling Cybersecurity

Vieira

Houmb

Insua³

2014

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

Oil and gas drilling is based, increasingly, on operational technology, whose cybersecurity is complicated by several challenges. We propose a graphical model for cybersecurity risk assessment based on Adversarial Risk Analysis to face those challenges. We also provide an example of the model in the context of an offshore drilling rig. The proposed model provides a more formal and comprehensive analysis of risks, still using the standard business language based on decisions, risks, and value.

show abstract

“…Much of the risk analysis associated with security events continues to be ad hoc, and reliable models for estimating the cost of adverse security activity will improve the situation [TAFW13].…”

Section: Economic Impact Of Adverse Eventsmentioning

confidence: 99%

Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment

Vishik¹,

Sheldon

Ott³

2013

ISSE 2013 Securing Electronic Business Processes

View full text Add to dashboard Cite

Cybersecurity practice lags behind cyber technology achievements. Solutions designed to address many problems may and do exist but frequently cannot be broadly deployed due to economic constraints. Whereas security economics focuses on the cost/benefit analysis and supply/demand, we believe that more sophisticated theoretical approaches, such as economic modeling, rarely utilized, would derive greater societal benefits. Unfortunately, today technologists pursuing interesting and elegant solutions have little knowledge of the feasibility for broad deployment of their results and cannot anticipate the influences of other technologies, existing infrastructure, and technology evolution, nor bring the solutions lifecycle into the equation. Additionally, potentially viable solutions are not adopted because the risk perceptions by potential providers and users far outweighs the economic incentives to support introduction/adoption of new best practices and technologies that are not well enough defined. In some cases, there is no alignment with predominant and future business models as well as regulatory and policy requirements.This paper provides an overview of the economics of security, reviewing work that helped to define economic models for the Internet economy from the 1990s. We bring forward examples of potential use of theoretical economics in defining metrics for emerging technology areas, positioning infrastructure investment, and building real-time response capability as part of software development. These diverse examples help us understand the gaps in current research. Filling these gaps will be instrumental for defining viable economic incentives, economic policies, regulations as well as early-stage technology development approaches, that can speed up commercialization and deployment of new technologies in cybersecurity.

show abstract

How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches

Cited by 8 publications

References 86 publications

A case for the economics of secure software development

A case for the economics of secure software development

A Graphical Adversarial Risk Analysis Model for Oil and Gas Drilling Cybersecurity

Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment

Contact Info

Product

Resources

About