
    Matching Possible Mitigations to Cyber Threats: A Document-Driven Decision Support Systems Approach

    Cyber systems are ubiquitous in all aspects of society. At the same time, breaches to cyber systems continue to be front-page news (Calfas, 2018; Equifax, 2017) and, despite more than a decade of heightened focus on cybersecurity, the threat continues to evolve and grow, costing globally up to $575 billion annually (Center for Strategic and International Studies, 2014; Gosler & Von Thaer, 2013; Microsoft, 2016; Verizon, 2017). To address possible impacts due to cyber threats, information system (IS) stakeholders must assess the risks they face. Following a risk assessment, the next step is to determine mitigations to counter the threats that pose unacceptably high risks. The literature contains a robust collection of studies on optimizing mitigation selections, but they universally assume that the starting list of appropriate mitigations for specific threats exists from which to down-select. In current practice, producing this starting list is largely a manual process and it is challenging because it requires detailed cybersecurity knowledge from highly decentralized sources, is often deeply technical in nature, and is primarily described in textual form, leading to dependence on human experts to interpret the knowledge for each specific context. At the same time cybersecurity experts remain in short supply relative to the demand, while the delta between supply and demand continues to grow (Center for Cyber Safety and Education, 2017; Kauflin, 2017; Libicki, Senty, & Pollak, 2014). Thus, an approach is needed to help cybersecurity experts (CSE) cut through the volume of available mitigations to select those which are potentially viable to offset specific threats. This dissertation explores the application of machine learning and text retrieval techniques to automate matching of relevant mitigations to cyber threats, where both are expressed as unstructured or semi-structured English language text. 
Using the Design Science Research Methodology (Hevner & March, 2004; Peffers, Tuunanen, Rothenberger, & Chatterjee, 2007), we consider a number of possible designs for the matcher, ultimately selecting a supervised machine learning approach that combines two techniques: support vector machine classification and latent semantic analysis. The selected approach demonstrates high recall for mitigation documents in the relevant class, bolstering confidence that potentially viable mitigations will not be overlooked. It also has a strong ability to discern documents in the non-relevant class, allowing approximately 97% of non-relevant mitigations to be excluded automatically, greatly reducing the CSE’s workload over purely manual matching. A false positive rate of up to 3% prevents totally automated mitigation selection and requires the CSE to reject a few false positives. This research contributes to theory a method for automatically mapping mitigations to threats when both are expressed as English language text documents. This artifact represents a novel machine learning approach to threat-mitigation mapping. The research also contributes an instantiation of the artifact for demonstration and evaluation. From a practical perspective the artifact benefits all threat-informed cyber risk assessment approaches, whether formal or ad hoc, by aiding decision-making for cybersecurity experts whose job it is to mitigate the identified cyber threats. In addition, an automated approach makes mitigation selection more repeatable, facilitates knowledge reuse, extends the reach of cybersecurity experts, and is extensible to accommodate the continued evolution of both cyber threats and mitigations. Moreover, the selection of mitigations applicable to each threat can serve as inputs into multifactor analyses of alternatives, both automated and manual, thereby bridging the gap between cyber risk assessment and final mitigation selection

    Strategic and operational risk in an international collaboration agency: a knowledge management solution

    The International Cooperation Agency (identified in this article as IDEA) working in Colombia is one of the most important in Colombian society with programs that support gender rights, human rights, justice and peace, scholarships, aboriginal population, youth, afro descendants population, economic development in communities, and environmental development. The identified problem is based on the diversified offer of services, collaboration and social intervention which requires diverse groups of people with multiple agendas, ways to support their mandates, disciplines, and professional competences. Knowledge creation and the growth and sustainability of the organization can be in danger because of a silo culture and the resulting reduced leverage of the separate group capabilities. Organizational memory is generally formed by the tacit knowledge of the organization members, given the value of accumulated experience that this kind of social work implies. Its loss is therefore a strategic and operational risk when most problem interventions rely on direct work in the socio-economic field and living real experiences with communities. The knowledge management solution presented in this article starts first, with the identification of the people and groups concerned and the creation of a knowledge map as a means to strengthen the ties between organizational members; second, by introducing a content management system designed to support the documentation process and knowledge sharing process; and third, introducing a methodology for the adaptation of a Balanced Scorecard based on the knowledge management processes. These three main steps lead to a knowledge management “solution” that has been implemented in the organization, comprising three components: a knowledge management system, training support and promotion of cultural change

    Yamato: Bringing the Moon to the Earth ... Again

    The Yamato mission to the lunar South Pole-Aitken Basin returns samples that enable dating of lunar formation and the lunar bombardment period. The design of the Yamato mission is based on a systems engineering process which takes an advanced consideration of cost and mission risk to give the mission a high probability of success

    Interpretation of surface water monitoring results in the authorisation procedure of plant protection products in the Netherlands

    As part of the ‘Surface Waters Decision Tree’ project a new authorisation procedure for plant protection products (PPPs) has been developed. The feedback of monitoring results in the authorisation procedure consists of 3 main steps: 1. Identification and ranking of problematic substances; 2. Analysis of plausible causes; 3. Feedback procedure. In this report, a methodology for all three steps is described

    Risk Assessment for Marine Construction Projects

    Marine-construction projects are becoming increasingly important for the development of the maritime industry. However, such increases are hampered by various risks that can significantly impact growth. Natural forces, political events, administrative and operational mistakes, equipment failures, external attacks such as arson, and economic events are some of the major risks faced by firms in this industry. Researchers have paid little attention to marine-construction risk assessment, despite the importance of such research. This study sought to develop a generic risk-levels predictor framework, using the integrated definition function model (IDEF0) and the case-based reasoning approach (CBR), to predict levels of risk associated with a new marine-construction project. This framework can be developed through the following three phases: (a) Cases collection: previous marine-construction projects (cases) were investigated for identification, classification, and evaluation of risk factors and triggers, (b) Cases classification: the cases were organized and stored in a marine construction database (MCDB) and compiled into risk-triggers and risk-levels data for each case, (c) Cases reasoning: using the information from previous phases, when risk-triggers data for a new case is entered into a system knowledge database (i.e., a temporary database that keeps the new risks triggers and proposes prediction data for further knowledge and validation) looking for risk-levels prediction, the system searches into the MCDB for known risk-triggers that are similar to the new case. The similar cases are retrieved, and their risk-levels data are used to propose a risk-levels prediction for the new case. Finally, when the proposed prediction is revised and approved by users, the risk-triggers and risk-levels prediction data for the new case are stored in the system knowledge database for further learning.
The implementation of the proposed risk-level predictor framework (RLPF) was tested in this study on 10 hypothetical marine construction projects conducted in Saudi Arabia. The automated systematic approach—the RLPF proposed in this study—can address specific and time-urgent decisions invariably and accurately. Future researchers should use the RLPF to gain knowledge on risk aspects in marine construction projects

    Cloud Computing: Challenges And Risk Management Framework

    Cloud-computing technology has developed rapidly. It can be found in a wide range of social, business and computing applications. Cloud computing would change the Internet into a new computing and collaborative platform. It is a business model that achieves purchase on-demand and pay-per-use in network. Many competitors, organizations and companies in the industry have jumped into cloud computing and implemented it. Cloud computing provides us with things such as convenience, reduced cost and high scalability. But despite all of these advantages, there are many enterprises, individual users and organizations that still have not deployed this innovative technology. Several reasons lead to this problem; however, the main concerns are related to security, privacy and trust. Low trust between users and cloud computing providers has been found in the literature

    Cyber Security and the Government/ Private Sector Connection

    The United States does not possess a sufficient cyber security framework. Over eighty-five percent of the critical infrastructure in the United States is controlled by private industry. The greatest concern is an intentional cyber attack against electronic control systems that regulate thousands of interconnected computers, routers, and switches. The centralized computer networks controlling the U.S. infrastructure present tempting targets. Generally, there are four types of cyber attacks. First, the most common, is service disruption—which aims to flood the target computer with data packets or connection requests, thereby making it unavailable to the user. The second type is designed to capture and control certain elements of cyberspace in order to use them as actual weapons. The third category of cyber attack is aimed at theft of assets from, for example, financial institutions. The fourth category of cyber attack can be a conventional explosive attack on a physical structure, such as a building. The government’s approach to cyber security has been one of cooperative engagement and not mandatory regulation. Unfortunately, cooperation between the government and the private sector has been weak. Very few private companies have exhibited interest in joining the cyber security effort to the degree that the various government strategies require. Partnering the private industry with the government is imperative to an effective cyber security system

    A case-based reasoning approach to improve risk identification in construction projects

    Risk management is an important process to enhance the understanding of the project so as to support decision making. Despite well established existing methods, the application of risk management in practice is frequently poor. The reasons for this are investigated as accuracy, complexity, time and cost involved and lack of knowledge sharing. Appropriate risk identification is fundamental for successful risk management. Well known risk identification methods require expert knowledge, hence risk identification depends on the involvement and the sophistication of experts. Subjective judgment and intuition usually form part of experts’ decision, and sharing and transferring this knowledge is restricted by the availability of experts. Further, psychological research has shown that people have limitations in coping with complex reasoning. In order to reduce subjectivity and enhance knowledge sharing, artificial intelligence techniques can be utilised. An intelligent system accumulates retrievable knowledge and reasoning in an impartial way so that a commonly acceptable solution can be achieved. Case-based reasoning enables learning from experience, which matches the manner that human experts catch and process information and knowledge in relation to project risks. A case-based risk identification model is developed to facilitate human experts making final decisions. This approach exploits the advantage of knowledge sharing, increasing confidence and efficiency in investment decisions, and enhancing communication among the project participants