Quantifying Risks in Service Networks: Using Probability Distributions for the Evaluation of Optimal Security Levels

The increasing costs and frequency of security incidents require organizations to apply proper IT risk management. At the same time, the expanding usage of Service-oriented Architectures fosters software systems composed of cross-linked services. Therefore, it is important to develop risk management methods for these composite systems. In this paper, we present a straightforward model that can be used to quantify the risks related to service networks. Based on the probability distribution of the costs which are related to risks, it is possible to make proper investment choices using individual risk preferences. The attractiveness of investment alternatives and different levels of security can be measured with various characteristics like the expected value of the costs, the Value-at-Risk or more complex utility functions. Through performance evaluations we show that our model can be used to calculate the costs’ probability density function for large scale networks in a very efficient way. Furthermore, we demonstrate the application of the model and the algorithms with the help of a concrete application scenario. As a result, we improve IT risk management by proposing a model which supports decision makers in comparing alternative service scenarios and alternative security investments in order to find the optimal level of IT security

The economics of abortion bans: Abortion bans, low wages, and public underinvestment are interconnected economic policy tools to disempower and control workers

Abortion has long been framed as a cultural, religious, or personal issue rather than a material "bread and butter" economic concern. Since the Supreme Court overturned Roe v. Wade, more economic policymakers have been emphasizing the issue as a pressing economic concern. In perhaps the first public comment on the issue by a major political figure, Secretary of the Treasury Janet Yellen noted: "eliminating the right of women to make decisions about when and whether to have children would have very damaging effects on the economy and would set women back decades" (Guida 2022). This direct connection between abortion and reproductive access and economic rights is critical (Banerjee 2022). This report argues that abortion access is fundamentally intertwined with economic progress and mobility. Specifically, in states where abortion has been banned or restricted, abortion restrictions constitute an additional piece in a sustained project of economic subjugation and disempowerment.The states banning abortion rights have, over decades, intentionally constructed an economic policy architecture defined by weak labor standards, underfunded and purposefully dysfunctional public services, and high levels of incarceration. Through a cross-sectional quantitative analysis of state level abortion access status and five indicators of economic security—the minimum wage, unionization, unemployment insurance, Medicaid expansion, and incarceration—we find that, generally, the states enacting abortion bans are the same ones that are economically disempowering workers through other channels.The results of the analysis underscore that abortion restrictions and bans do have economic effects, given the strong correlation between abortion status and various economic wellbeing metrics. Further, the consistent pattern of state abortion bans and negative economic outcomes shows how abortion fits into an economics and politics of control. Abortion restrictions are planks in a policy regime of disempowerment and control over workers' autonomy and livelihoods, just like deliberately low wage standards, underfunded social services, or restricted collective bargaining power. Economic policymakers must prioritize this issue as widespread abortion bans will contribute to a loss in economic security and independence for millions in the current and future generations

A RISK BASED APPROACH FOR SELECTING SERVICES IN BUSINESS PROCESS EXECUTION

The vision of automated business processes within a service-oriented paradigm includes the flexible orchestration of IT services. Whenever alternative services are available for activities in an ITsupported business process, an automated decision is worth aspiring to. According to valueoriented management, this decision should be motivated economically and also requires taking account of risk. This paper presents a novel approach for assessing the risk of IT services, based on vulnerability information as can be obtained in the form of publicly available Common Vulnerability Scoring System (CVSS) data

A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory

The protection of information technology (IT) has become and is predicted to remain a key economic challenge for organizations. While research on IT security investment is fast growing, it lacks a theoretical basis for structuring research, explaining economic-technological phenomena and guide future research. We address this shortcoming by suggesting a new theoretical model emerging from a multi-theoretical perspective adopting the Resource-Based View and the Organizational Learning Theory. The joint application of these theories allows to conceptualize in one theoretical model the organizational learning effects that occur when the protection of organizational resources through IT security countermeasures develops over time. We use this model of IT security investments to synthesize findings of a large body of literature and to derive research gaps. We also discuss managerial implications of (closing) these gaps by providing practical examples

PUBLIC-PRIVATE PARTNERSHIP FOR THE DEVELOPMENT OF INFRASTRUCTURE INDUSTRIES: EUROPEAN EXPERIENCE OF STRENGTHENING NATIONAL ECONOMIC SECURITY

Economic security is a prerequisite for the stable development of any country; it is partially reflected in GDP per capita, employment, and unemployment rates. The purpose of this study is to determine the impact of investments for the development of infrastructure facilities on the basis of public-private partnership (PPP) on the economic security of a country. The analysis uses official data from the European Investment Bank and the Statistical Office of the European Union. The article concludes that there is a high correlation between accumulated investment in infrastructure and GDP per capita, employment, and unemployment. On this basis, it is reasonable to consider infrastructure development policy as important not only for national but also for economic security. Developing infrastructure facilities by attracting private investment can reduce pressure on national budgets and accelerate the implementation of capital-intensive projects

A Fuzzy Model for IT Security Investments

This paper presents a fuzzy set based decision support model for taking uncertainty into account when making security investment decisions for distributed systems. The proposed model is complementary to robabilistic approaches and useful in situations where probabilistic information is either unavailable or not appropriate to reliably predict future conditions. We first present the specification of a formal security language that allows to specify under which conditions a distributed system is protected against security violations. We show that each term of the security language can be transformed into an equivalent propositional logic term. Then we use propositional logic terms to define a fuzzy set based decision model. This optimization model incorporates uncertainty with regard to the impact of investments on the achieved security levels of components of the distributed system. The model also accounts for budget and security constraints, in order to be applicable in practice

QUANTSEC - Ein Modell zur Nutzenquantifizierung von IT-Sicherheitsmaßnahmen

IT-Sicherheitsmaßnahmen unterstützen den sicheren Software-Entwicklungsprozess und tragen zur Reduktion von Angriffen und Schwachstellen bei. Art und Ausmaß einzusetzender Sicherheitsmaßnahmen beruhen in der Regel auf ökonomischen Kosten-Nutzen-Abwägungen. In dieser Arbeit wird ein generisches kennzahlenbasiertes Modell zur ökonomischen Wirkungsanalyse implementierter Sicherheitsmaßnahmen vorgestellt. Dazu werden technische und ökonomische Wirkungszusammenhänge und zugehörige, objektiv messbare Kennzahlen, wie z.B. Erkennungs- und Korrekturzeiten sowie Ursachenklassen, erarbeitet. Das Wissen um Wirkungszusammenhänge ermöglicht Analysen zur Messung des Nutzens implementierter Sicherheitsmaßnahmen. Der Einsatz des Modells wird exemplarisch anhand von Maßnahmen der Bedrohungsanalyse illustriert. Mit Hilfe statistischer Methoden können die Auswirkungen von Sicherheitsmaßnahmen und deren Nutzen quantifiziert werden. Das Modell, der Nutzen und die praktische Anwendbarkeit werden in sechs Experteninterviews diskutiert

Automating Cyber Analytics

Model based security metrics are a growing area of cyber security research concerned with measuring the risk exposure of an information system. These metrics are typically studied in isolation, with the formulation of the test itself being the primary finding in publications. As a result, there is a flood of metric specifications available in the literature but a corresponding dearth of analyses verifying results for a given metric calculation under different conditions or comparing the efficacy of one measurement technique over another. The motivation of this thesis is to create a systematic methodology for model based security metric development, analysis, integration, and validation. In doing so we hope to fill a critical gap in the way we view and improve a system’s security. In order to understand the security posture of a system before it is rolled out and as it evolves, we present in this dissertation an end to end solution for the automated measurement of security metrics needed to identify risk early and accurately. To our knowledge this is a novel capability in design time security analysis which provides the foundation for ongoing research into predictive cyber security analytics. Modern development environments contain a wealth of information in infrastructure-as-code repositories, continuous build systems, and container descriptions that could inform security models, but risk evaluation based on these sources is ad-hoc at best, and often simply left until deployment. Our goal in this work is to lay the groundwork for security measurement to be a practical part of the system design, development, and integration lifecycle. In this thesis we provide a framework for the systematic validation of the existing security metrics body of knowledge. In doing so we endeavour not only to survey the current state of the art, but to create a common platform for future research in the area to be conducted. We then demonstrate the utility of our framework through the evaluation of leading security metrics against a reference set of system models we have created. We investigate how to calibrate security metrics for different use cases and establish a new methodology for security metric benchmarking. We further explore the research avenues unlocked by automation through our concept of an API driven S-MaaS (Security Metrics-as-a-Service) offering. We review our design considerations in packaging security metrics for programmatic access, and discuss how various client access-patterns are anticipated in our implementation strategy. Using existing metric processing pipelines as reference, we show how the simple, modular interfaces in S-MaaS support dynamic composition and orchestration. Next we review aspects of our framework which can benefit from optimization and further automation through machine learning. First we create a dataset of network models labeled with the corresponding security metrics. By training classifiers to predict security values based only on network inputs, we can avoid the computationally expensive attack graph generation steps. We use our findings from this simple experiment to motivate our current lines of research into supervised and unsupervised techniques such as network embeddings, interaction rule synthesis, and reinforcement learning environments. Finally, we examine the results of our case studies. We summarize our security analysis of a large scale network migration, and list the friction points along the way which are remediated by this work. We relate how our research for a large-scale performance benchmarking project has influenced our vision for the future of security metrics collection and analysis through dev-ops automation. We then describe how we applied our framework to measure the incremental security impact of running a distributed stream processing system inside a hardware trusted execution environment

Розробка моделі поведінки антагоністичних агентів в умовах кіберконфлікта

The results of the development of the model of the antagonistic agents behavior in a cyber conflict are presented. It is shown that the resulting model can be used to analyze investment processes in security systems, taking into account the assumption that investment processes are significantly influenced by the behavior of parties involved in a cyber conflict.General approaches to model development are presented. First of all, the system of concepts, assumptions and limitations is formed, within the framework of which a mathematical model of behavior must be developed. Taking this into account, the mathematical model of the conflicting agents behavior, presented in the form of algebraic and differential equations, is developed. The developed model presents both the technical characteristics of the security system and the psychological characteristics of the participants in the cyber conflict, which affect the financial characteristics of the investment processes in cybersecurity systems. A distinctive feature of the proposed model is the simultaneous consideration of the behavior of the parties to a cyber conflict not as independent parties, but as agents mutually interacting with each other. The model also makes it possible to simulate the destabilizing effect of the confrontation environment disturbances on the behavior of the conflicting parties, changing the degree of vulnerability of the cybersecurity system along various attack vectors and the level of their success.Using the developed model, simulation modeling of the interacting agents behavior in a cyber conflict is performed. The simulation results showed that even the simplest behavior strategies of the attacking side (“the weakest link”) and the defense side (“wait and see”) make it possible to ensure information security of the business process loop.The developed model of interaction between the attacker and the defender can be considered as a tool for modeling the processes of the conflicting parties behavior when implementing various investment scenarios. The simulation results enable decision-makers to receive support regarding the direction of investment in the security of the business process loop.Представлены результаты разработки модели поведения антагонистических агентов в условиях киберконфликта. Показано, что полученная модель может использоваться для анализа процессов инвестирования в системах безопасности с учетом предположения, что на инвестиционные процессы значительное влияние оказывает поведение участвующих в киберконфликте сторон.Представлены общие подходы к разработке модели. Прежде всего, сформирована система понятий, допущений и ограничений, в рамках которых и должна быть разработана математическая модель поведения. С учетом этого разработана математическая модель поведения конфликтующих агентов, представленная в виде алгебраических и дифференциальных уравнений. В разработанной модели представлены как технические характеристики системы безопасности, так и психологические особенности участников киберконфликта, которые влияют на финансовые характеристики процессов инвестирования систем кибербезопасности. Отличительной особенностью предлагаемой модели является одновременное рассмотрение поведения сторон киберконфликта не как независимых сторон, а как взаимовляющих друг на друга агентов. Модель также позволяет имитировать дестабилизирующее влияние на поведение конфликтующих сторон возмущений со стороны среды противостояния, изменяя степень уязвимости системы кибербезопасности по различным векторам атак и уровень успешности их проведения.С использованием разработанной модели выполнено имитационное моделирование поведения взаимодействующих агентов в условиях киберконфликта. Результаты моделирования показали, что даже простейшие стратегии поведения атакующей стороны («самое слабое звено») и стороны защиты («жди и смотри») позволяют обеспечить информационную безопасность контура бизнес-процессов.Разработанную модель взаимодействия атакующего и защитника можно рассматривать как инструмент моделирования процессов поведения конфликтующих сторон при реализации различных сценариев инвестирования. Результаты моделирования дают возможность лицам, принимающим решения, получать поддержку относительно направления инвестирования в безупосность контура бизнес-процессовНаведені результати розробки моделі поведінки антагоністичних агентів в умовах кіберконфлікта. Показано, що отримана модель може використовуватися для аналізу процесів інвестування в системах безпеки з урахуванням припущення, що на інвестиційні процеси значною мірою впливає поведінка агентів, що беруть участь в кіберконфлікті.Представлено загальні підходи до розробки моделі. Перш за все, сформована система понять, припущень і обмежень, в рамках яких і повинна бути розроблена математична модель поведінки. З урахуванням цього розроблено математичну модель поведінки конфліктуючих агентів, яка представлена у вигляді алгебраїчних і диференціальних рівнянь. У розробленій моделі відображено як технічні характеристики системи безпеки, так і психологічні особливості учасників кіберконфлікта, які впливають на фінансові характеристики процесів інвестування систем кібербезпеки. Відмінною особливістю пропонованої моделі є одночасний розгляд поведінки сторін кіберконфлікта не як незалежних сторін, а як взаїмовпливающих один на одного агентів. Модель також дозволяє імітувати дестабілізуючий вплив на поведінку конфліктуючих сторін збурень з боку середовища протистояння, змінюючи ступінь уразливості системи кібербезпеки різних векторах атак і рівень успішності їх проведення.З використанням розробленої моделі виконано імітаційне моделювання поведінки взаємодіючих агентів в умовах кіберконфлікта. Результати моделювання показали, що навіть найпростіші стратегії поведінки атакуючої сторони («найслабша ланка») і сторони захисту («чекай і дивись») дозволяють забезпечити інформаційну безпеку контуру бізнес-процесівРозроблену модель взаємодії атакуючого і захисника можна розглядати як інструмент моделювання процесів поведінки конфліктуючих сторін при реалізації різних сценаріїв інвестування. Результати моделювання дають можливість особам, які приймають рішення, отримувати підтримку щодо напрямів інвестування в безпеку контуру бізнес-процесі