Chapter 3. Modeling and Risk Analysis of Information Sharing in the Financial Infrastructure

Abstract: This chapter defines the community of banks as a Complex Adaptive System of Systems or CASoS and analyzes the value of information sharing as a general policy to protect the community against cyber attacks. We develop a model of interacting banks that have networks of business relations with a possible overlay network of shared information for cyber security. If a bank suffers a cyber attack it incurs losses and there is some probability that its infection will spread through the business network, imposing costs on its neighbors. Losses arising from financial system compromise continue until the problem is detected and remediated. The information sharing system allows detection events to be broadcast, and also increases the probability of detecting the experimental probes that might precede the actual attack. Shared information is a public good: one institution's agreeing to share information speeds responses at other institutions, reducing their probability of initial compromise. Information sharing participation carries with it costs which need to be balanced by direct expected gain or to be subsidized in order to have a critical number of banks to agree to share information and to discourage free riding. The analysis described in this chapter examines the incentives motivating banks to participate in information sharing, the benefits to the financial system that arise from their participation, and the ways banks ’ incentives might be shaped by policy to achieve a beneficial outcome for th

Phoenix : Complex Adaptive System of Systems (CASoS) engineering version 1.0.

Complex Adaptive Systems of Systems, or CASoS, are vastly complex ecological, sociological, economic and/or technical systems which we must understand to design a secure future for the nation and the world. Perturbations/disruptions in CASoS have the potential for far-reaching effects due to pervasive interdependencies and attendant vulnerabilities to cascades in associated systems. Phoenix was initiated to address this high-impact problem space as engineers. Our overarching goals are maximizing security, maximizing health, and minimizing risk. We design interventions, or problem solutions, that influence CASoS to achieve specific aspirations. Through application to real-world problems, Phoenix is evolving the principles and discipline of CASoS Engineering while growing a community of practice and the CASoS engineers to populate it. Both grounded in reality and working to extend our understanding and control of that reality, Phoenix is at the same time a solution within a CASoS and a CASoS itself