11 research outputs found

    EFFECTIVENESS OF THE METHODOLOGY FOR CALCULATING INDICATORS OF INVESTMENT IN INFORMATION SECURITY SYSTEMS OF OBJECTS OF INFORMATIZATION

    The article analyzes publications on the evaluation of investments in information security (IS) of objects of informatization (OBI). The possibility and necessity of obtaining the necessary data have been substantiated, contributing to a reliable assessment of the effectiveness of measures aimed at increasing the company’s IS. In the study process, the modelling methods have been used. A methodology is proposed for calculating indicators from investment activities in the context of increasing IS metrics of OBI. A specific example of such simulation is described. The proposed methodology provides an assessment of the damage prevention from a cyber-attack. The amount of the damage prevention from a cyber-attack is taken as a basic indicator for calculating the economic effect of investing in information security tools (IST). The performed simulation modelling allowed taking into account the relative uncertainty of the real situation with IS of OBI. The conducted study will help practitioners in the field of IS to make informed decisions to increase the efficiency of investment projects in the field of IS for OBI, using the approach outlined in the study. Unlike the existing ones, the proposed methodology takes into account both direct and indirect factors of investment projects in the field of IS of OBI.

    Military and Security Applications: Cybersecurity (Encyclopedia of Optimization, Third Edition)

    The domain of cybersecurity is growing as part of broader military and security applications, and the capabilities and processes in this realm have qualities and characteristics that warrant using solution methods in mathematical optimization. Problems of interest may involve continuous or discrete variables, a convex or non-convex decision space, differing levels of uncertainty, and constrained or unconstrained frameworks. Cyberattacks, for example, can be modeled using hierarchical threat structures and may involve decision strategies from both an organization or individual and the adversary. Network traffic flow, intrusion detection and prevention systems, interconnected human-machine interfaces, and automated systems – these all require higher levels of complexity in mathematical optimization modeling and analysis. Attributes such as cyber resiliency, network adaptability, security capability, and information technology flexibility – these require the measurement of multiple characteristics, many of which may involve both quantitative and qualitative interpretations. And for nearly every organization that is invested in some cybersecurity practice, decisions must be made that involve the competing objectives of cost, risk, and performance. As such, mathematical optimization has been widely used and accepted to model important and complex decision problems, providing analytical evidence for helping drive decision outcomes in cybersecurity applications. In the paragraphs that follow, this chapter highlights some of the recent mathematical optimization research in the body of knowledge applied to the cybersecurity space. The subsequent literature discussed fits within a broader cybersecurity domain taxonomy considering the categories of analyze, collect and operate, investigate, operate and maintain, oversee and govern, protect and defend, and securely provision. 
    Further, the paragraphs are structured around generalized mathematical optimization categories to provide a lens to summarize the existing literature, including uncertainty (stochastic programming, robust optimization, etc.), discrete (integer programming, multiobjective, etc.), continuous-unconstrained (nonlinear least squares, etc.), continuous-constrained (global optimization, etc.), and continuous-constrained (nonlinear programming, network optimization, linear programming, etc.). At the conclusion of this chapter, research implications and extensions are offered to the reader that desires to pursue further mathematical optimization research for cybersecurity within a broader military and security applications context.

    Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

    We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity. Keywords: Cybersecurity; Decision-making; Simulation; Capability development

    Vine copula modeling dependence among cyber risks: A dangerous regulatory paradox

    Dependence among different cyber risk classes is a fundamentally underexplored topic in the literature. However, disregarding the dependence structure in cyber risk management leads to inconsistent estimates of potential unintended losses. To bridge this gap, this article adopts a regulatory perspective to develop vine copulas to capture dependence. In quantifying the solvency capital requirement gradient for cyber risk measurement according to Solvency II, a dangerous paradox emerges: an insurance company does not tend to provide cyber risk hedging products as they are excessively expensive and would require huge premiums that it would not be possible to find policyholders.

    An Empirical Investigation Of Information Technology Mediated Customer Services In China

    Information technology mediated customer service is a reality of the 21st century. More and more companies have moved their customer services from in store and in person to online through computer or mobile devices. Using 208 respondents collected from two Chinese universities, this paper investigates customer preference over two service delivery models (either in store or online) on five types of purchasing (retail, eating-out, banking, travel and entertainment) and the difference in their perception of customer service quality between those two delivery models. Results show that a majority of Chinese students prefer in store and in person for eating out. For ordering tickets for travel and entertainment, they prefer computer/mobile device. For retail purchasing and banking, less than half of the students prefer in person services. In general, the results show that ordering through computer/mobile devices has become more popular in China and has received higher ratings for most of customer service quality except security compared to ordering in store. In addition, it is found that there exists a gender difference in purchasing preference and perception in service delivery quality in China.

    Cybersecurity: public policies for a cybersecurity culture in companies

    History shows that industrial revolutions brought about deep shifts at all levels: social, economic and political. At the same time, globalisation fosters digital transformation processes, making people and organisations increasingly dependent on ICT, especially on cyberspace and the Internet. There is increased implementation of public policies, both national and European, aimed at stimulating the digital transformation of economies by highlighting their economic benefits, regardless of the difficulty in measuring its impact on national and global GDP. However, if one considers that these processes can generate benefits to companies and the economy in general, they may also cause risks that are often ignored. We started our study trying to perceive the action of companies, especially SMEs, in the face of the risk of digital security, but we were soon confronted with the lack of data that could guide us in the design of a national framework. In analysing the national and European public policy framework to identify instruments available to organisations to deal with cybersecurity risks, we realized that the adoption of cybersecurity cultures by organisations in Portugal is still incipient. Considering that there seems to be some dissatisfaction with the action of the State in cybersecurity, our work tries to consolidate a set of relationships between organizations with digital transformation and digital security risks, synthesizes practices that can be adopted by organisations, and submits a proposal on the role of the State regarding cybersecurity public policies in Portugal.

    Rules for Growth: Promoting Innovation and Growth Through Legal Reform

    The United States economy is struggling to recover from its worst economic downturn since the Great Depression. After several huge doses of conventional macroeconomic stimulus - deficit-spending and monetary stimulus - policymakers are understandably eager to find innovative no-cost ways of sustaining growth both in the short and long runs. In response to this challenge, the Kauffman Foundation convened a number of America’s leading legal scholars and social scientists during the summer of 2010 to present and discuss their ideas for changing legal rules and policies to promote innovation and accelerate U.S. economic growth. This meeting led to the publication of Rules for Growth: Promoting Innovation and Growth Through Legal Reform, a comprehensive and groundbreaking volume of essays prescribing a new set of growth-promoting policies for policymakers, legal scholars, economists, and business men and women. Some of the top Rules include:
    • Reforming U.S. immigration laws so that more high-skilled immigrants can launch businesses in the United States.
    • Improving university technology licensing practices so university-generated innovation is more quickly and efficiently commercialized.
    • Moving away from taxes on income that penalize risk-taking, innovation, and employment while shifting toward a more consumption-based tax system that encourages saving that funds investment. In addition, the research tax credit should be redesigned and made permanent.
    • Overhauling local zoning rules to facilitate the formation of innovative companies.
    • Urging judges to take a more expansive view of flexible business contracts that are increasingly used by innovative firms.
    • Urging antitrust enforcers and courts to define markets more in global terms to reflect contemporary realities, resist antitrust enforcement from countries with less sound antitrust regimes, and prohibit industry trade protection and subsidies.
    • Reforming the intellectual property system to allow for a post-grant opposition process and address the large patent application backlog by allowing applicants to pay for more rapid patent reviews.
    • Authorizing corporate entities to form digitally and use software as a means for setting out agreements and bylaws governing corporate activities.
    The collective essays in the book propose a new way of thinking about the legal system that should be of interest to policymakers and academic scholars alike. Moreover, the ideas presented here, if embodied in law, would augment a sustained increase in U.S. economic growth, improving living standards for U.S. residents and for many in the rest of the world.

    Technology and Australia's Future: New technologies and their role in Australia's security, cultural, democratic, social and economic systems

    Chapter 1. Introducing technology -- Chapter 2. The shaping of technology -- Chapter 3. Prediction of future technologies -- Chapter 4. The impacts of technology -- Chapter 5. Meanings, attitudes and behaviour -- Chapter 6. Evaluation -- Chapter 7. Intervention -- Conclusion - adapt or wither. This report was commissioned by the Australian Council of Learned Academies.

    Polycentric Information Commons: A Theory Development and Empirical Investigation

    Decentralized systems online—such as open source software (OSS) development, online communities, wikis, and social media—often experience decline in participation which threatens their long-term sustainability. Building on a rich body of research on the sustainability of physical resource systems, this dissertation presents a novel theoretical framing that addresses the sustainability issues arising in decentralized systems online and which are amplified because of their open nature. The first essay develops the theory of polycentric information commons (PIC) which conceptualizes decentralized systems online as “information commons”. The theory defines information commons, the stakeholders that participate in them, the sustainability indicators of information commons and the collective-action threats putting pressure on their long-term sustainability. Drawing on Ostrom’s factors associated with stable common pool resource systems, PIC theory specifies four polycentric governance practices that can help information commons reduce the magnitude and impact of collective-action threats while improving the information commons’ sustainability. The second essay further develops PIC theory by applying it in an empirical context of “digital activism”. Specifically, it examines the role of polycentric governance in reducing the threats to the legitimacy of digital activism—a type of information commons with an overarching objective of instigating societal change. As such, it illustrates the applicability of PIC theory in the study of digital activism. The third essay focuses on the threat of “information pollution” and its impact on open collaboration, a type of information commons dedicated to the creation of value through open participation online. It uncovers the way polycentric governance mechanisms help reduce the duration of pollution events. This essay contributes to PIC theory by expanding it to the realm of operational governance in open collaboration.