10,875 research outputs found

    An options approach to cybersecurity investment

    Cybersecurity has become a key factor that determines the success or failure of companies that rely on information systems. Therefore, investment in cybersecurity is an important financial and operational decision. Typical information technology investments aim to create value, whereas cybersecurity investments aim to minimize loss incurred by cyber attacks. Admittedly, cybersecurity investment has become an increasingly complex one, since information systems are typically subject to frequent attacks, whose arrival and impact fluctuate stochastically. Furthermore, cybersecurity measures and improvements, such as patches, become available at random points in time making investment decisions even more challenging. We propose and develop an analytical real options framework that incorporates major components relevant to cybersecurity practice, and analyze how optimal cybersecurity investment decisions perform for a private firm. The novelty of this paper is that it provides analytical solutions that lend themselves to intuitive interpretations regarding the effect of timing and cybersecurity risk on investment behavior using real options theory. Such aspects are frequently not implemented within economic models that support policy initiatives. However, if these are not properly understood, security controls will not be properly set resulting in a dynamic inefficiency reflected in cycles of over or under investment, and, in turn, increased cybersecurity risk following corrective policy actions. Results indicate that greater uncertainty over the cost of cybersecurity attacks raises the value of an embedded option to invest in cybersecurity. This increases the incentive to suspend operations temporarily in order to install a cybersecurity patch that will make the firm more resilient to cybersecurity breaches. Similarly, greater likelihood associated with the availability of a cybersecurity patch increases the value of the option to invest in cybersecurity. 
    However, the absence of an embedded investment option increases the incentive to delay the permanent abandonment of the company’s operation due to the irreversible nature of the decision.

    Agenda for change: strategic choices for the next government

    The next government has a primary requirement to be well briefed on the challenges inherent in Australia’s strategic circumstances and the policy options available to it. ASPI is publishing this report to lay out our strategic choices and to provide recommendations. Contributors are Peter Jennings on strategic policy, Mark Thomson and Andrew Davies on defence, Anthony Bergin and Kristy Bryden on homeland security, Russell Trood on foreign policy and Ryan Stokes on economic security. This body of ideas makes a compelling contribution to the discussions which ought always to characterise the Australian strategic and defence debate.

    Governing autonomous vehicles: emerging responses for safety, liability, privacy, cybersecurity, and industry risks

    The benefits of autonomous vehicles (AVs) are widely acknowledged, but there are concerns about the extent of these benefits and AV risks and unintended consequences. In this article, we first examine AVs and different categories of the technological risks associated with them. We then explore strategies that can be adopted to address these risks, and explore emerging responses by governments for addressing AV risks. Our analyses reveal that, thus far, governments have in most instances avoided stringent measures in order to promote AV developments and the majority of responses are non-binding and focus on creating councils or working groups to better explore AV implications. The US has been active in introducing legislation to address issues related to privacy and cybersecurity. The UK and Germany, in particular, have enacted laws to address liability issues, other countries mostly acknowledge these issues, but have yet to implement specific strategies. To address privacy and cybersecurity risks, strategies ranging from introduction or amendment of non-AV specific legislation to creating working groups have been adopted. Much less attention has been paid to issues such as environmental and employment risks, although a few governments have begun programmes to retrain workers who might be negatively affected. Comment: Transport Reviews, 201

    Cybersecurity by executive order

    This report explores the details of the Obama Administration’s executive order on cybersecurity, breaking down the challenges, criticisms, and successes of the effort to date, before offering clear lessons from the US experience that can be applied to the Australian context. Summary: On 12 February 2014 the United States National Institute of Standards & Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity, the flagship accomplishment of the Obama Administration’s 2013 cybersecurity Executive Order. Just weeks before the White House announced its executive order, the then Australian Prime Minister Julia Gillard made an equally exciting declaration introducing the Australian Cyber Security Centre (ACSC). One year on, the contrast between the two efforts is stark. The United States and Australia share common interests in developing a robust partnership between the government and private sector to develop whole-of-system cybersecurity. To move beyond political optics, the ACSC must embrace existing best practices, commit to meaningful public-private partnerships, and set a pragmatic strategy moving forward. The Obama Administration’s efforts, while far from perfect, offer critical lessons that the Australian government can adopt and adapt to ensure that the ACSC is a successful endeavour and critical infrastructure cybersecurity is improved. This Strategic Insight report explores the details of the executive order, breaking down the challenges, criticisms, and successes of the effort to date, before offering clear lessons from the US experience that can be applied to the Australian context.

    Compelled to control: conflicting visions of the future of cyberspace

    This report looks at the desire among states for greater control over the digital domain. It considers the convergence of controlling desires among the major cyberpowers and examines some of the main dynamics of the Russian and Chinese positions. Their positions are examined relative to each other and to the Western consensus. The paper analyses the potential implications for the global internet and the impact that developing countries may have on the dialogue.

    CEPS Task Force on Artificial Intelligence and Cybersecurity Technology, Governance and Policy Challenges Task Force Evaluation of the HLEG Trustworthy AI Assessment List (Pilot Version). CEPS Task Force Report 22 January 2020

    The Centre for European Policy Studies launched a Task Force on Artificial Intelligence (AI) and Cybersecurity in September 2019. The goal of this Task Force is to bring attention to the market, technical, ethical and governance challenges posed by the intersection of AI and cybersecurity, focusing both on AI for cybersecurity but also cybersecurity for AI. The Task Force is multi-stakeholder by design and composed of academics, industry players from various sectors, policymakers and civil society. The Task Force is currently discussing issues such as the state and evolution of the application of AI in cybersecurity and cybersecurity for AI; the debate on the role that AI could play in the dynamics between cyber attackers and defenders; the increasing need for sharing information on threats and how to deal with the vulnerabilities of AI-enabled systems; options for policy experimentation; and possible EU policy measures to ease the adoption of AI in cybersecurity in Europe. As part of such activities, this report aims at assessing the High-Level Expert Group (HLEG) on AI Ethics Guidelines for Trustworthy AI, presented on April 8, 2019. In particular, this report analyses and makes suggestions on the Trustworthy AI Assessment List (Pilot version), a non-exhaustive list aimed at helping the public and the private sector in operationalising Trustworthy AI. The list is composed of 131 items that are supposed to guide AI designers and developers throughout the process of design, development, and deployment of AI, although not intended as guidance to ensure compliance with the applicable laws. The list is in its piloting phase and is currently undergoing a revision that will be finalised in early 2020. This report would like to contribute to this revision by addressing in particular the interplay between AI and cybersecurity. 
    This evaluation has been made according to specific criteria: whether and how the items of the Assessment List refer to existing legislation (e.g. GDPR, EU Charter of Fundamental Rights); whether they refer to moral principles (but not laws); whether they consider that AI attacks are fundamentally different from traditional cyberattacks; whether they are compatible with different risk levels; whether they are flexible enough in terms of clear/easy measurement, implementation by AI developers and SMEs; and overall, whether they are likely to create obstacles for the industry. The HLEG is a diverse group, with more than 50 members representing different stakeholders, such as think tanks, academia, EU Agencies, civil society, and industry, who were given the difficult task of producing a simple checklist for a complex issue. The public engagement exercise looks successful overall in that more than 450 stakeholders have signed in and are contributing to the process. The next sections of this report present the items listed by the HLEG followed by the analysis and suggestions raised by the Task Force (see list of the members of the Task Force in Annex 1).

    Latin American perspectives to internationalize undergraduate information technology education

    The computing education community expects modern curricular guidelines for information technology (IT) undergraduate degree programs by 2017. The authors of this work focus on eliciting and analyzing Latin American academic and industry perspectives on IT undergraduate education. The objective is to ensure that the IT curricular framework in the IT2017 report articulates the relationship between academic preparation and the work environment of IT graduates in light of current technological and educational trends in Latin America and elsewhere. Activities focus on soliciting and analyzing survey data collected from institutions and consortia in IT education and IT professional and educational societies in Latin America; these activities also include garnering the expertise of the authors. Findings show that IT degree programs are making progress in bridging the academic-industry gap, but more work remains.