
    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian national research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, and from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management.

    Road2CPS priorities and recommendations for research and innovation in cyber-physical systems

    This document summarises the findings of the Road2CPS project, co-financed by the European Commission under the H2020 Research and Innovation Programme, to develop a roadmap and recommendations for strategic action required for future deployment of Cyber-Physical Systems (CPS). The term Cyber-Physical System describes hardware-software systems, which tightly couple the physical world and the virtual world. They are established from networked embedded systems that are connected with the outside world through sensors and actuators and have the capability to collaborate, adapt, and evolve. In the ARTEMIS Strategic Research Agenda 2016, CPS are described as ‘Embedded Intelligent ICT Systems’ that make products smarter, more interconnected, interdependent, collaborative, and autonomous. In the future world of CPS, a huge number of devices connected to the physical world will be able to exchange data with each other, access web services, and interact with people. Moreover, information systems will sense, monitor and even control the physical world via Cyber-Physical Systems and the Internet of Things (HiPEAC Vision 2015). Cyber-Physical Systems find their application in many highly relevant areas to our society: multi-modal transport, health, smart factories, smart grids and smart cities amongst others. The deployment of Cyber-Physical Systems (CPS) is expected to increase substantially over the next decades, holding great potential for novel applications and innovative product development. Digital technologies have already pervaded day-to-day life massively, affecting all kinds of interactions between humans and their environment. However, the inherent complexity of CPSs, as well as the need to meet optimised performance and comply with essential requirements like safety, privacy, security, raises many questions that are currently being explored by the research community. Road2CPS aims at accelerating uptake and implementation of these efforts. 
The Road2CPS project identified and analysed the relevant technology fields and related research priorities to fuel the development of trustworthy CPS, as well as the specific technologies, needs and barriers for a successful implementation in different application domains, and derived recommendations for strategic action. The document at hand was established through an interactive, community-based approach, involving over 300 experts from academia, industry and policy making through a series of workshops and consultations. Visions and priorities of recently produced roadmaps in the area of CPS, IoT (Internet of Things), SoS (System-of-Systems) and FoF (Factories of the Future) were discussed, complemented by sharing views and perspectives on CPS implementation in application domains, evolving multi-sided eco-systems as well as business and policy related barriers, enablers and success factors. From the workshops and accompanying activities, recommendations for future research and innovation activities were derived and topics and timelines for their implementation proposed. Amongst the technological topics and related future research priorities, ‘integration, interoperability, standards’ ranked highest in all workshops. The topic is connected to digital platforms and reference architectures, which have already become a key priority theme for the EC and their Digitisation Strategy, as well as to the work on the right standards to help successful implementation of CPSs. Other themes of very high technology/research relevance turned out to be ‘modelling and simulation’, ‘safety and dependability’, ‘security and privacy’, ‘big data and real-time analysis’, ‘ubiquitous autonomy and forecasting’ as well as ‘HMI/human machine awareness’.
Next to this, themes emerged including ‘decision making and support’, ‘CPS engineering (requirements, design)’, ‘CPS life-cycle management’, ‘System-of-Systems’, ‘distributed management’, ‘cognitive CPS’, ‘emergence, complexity, adaptability and flexibility’ and work on the foundations of CPS and ‘cross-disciplinary research/CPS Science’.

    Expanding the Gordon-Loeb Model to Cyber-Insurance

    We present an economic model for decisions on competing cyber-security and cyber-insurance investment based on the Gordon-Loeb model for investment in information security. We consider a one-period scenario in which a firm may invest in information security measures to reduce the probability of a breach, in cyber-insurance, or in a combination of both. The optimal combination of investment and insurance under the assumptions of the Gordon-Loeb model is investigated via consideration of the costs and benefits of investment in security alongside purchasing insurance at an independent premium rate. Under both exponential (constant absolute risk aversion) and logarithmic (constant relative risk aversion) utility functions it is found that when the insurance premium is below a certain value, utility is maximised with both insurance and security investment. These results suggest that cyber-insurance is a worthwhile undertaking provided it is not overly costly. We believe this model to be the first attempt to integrate the Gordon-Loeb model into a classical microeconomic analysis of insurance, particularly using the Gordon-Loeb security breach functions to determine the probability of an insurance claim. The model follows the tradition of the Gordon-Loeb model in being accessible to practitioners and decision makers in information security.

    Modeling and pricing cyber insurance: Idiosyncratic, systematic, and systemic risks

    The paper provides a comprehensive overview of modeling and pricing cyber insurance and includes clear and easily understandable explanations of the underlying mathematical concepts. We distinguish three main types of cyber risks: idiosyncratic, systematic, and systemic cyber risks. While for idiosyncratic and systematic cyber risks classical actuarial and financial mathematics appear to be well-suited, systemic cyber risks require more sophisticated approaches that capture both network and strategic interactions. In the context of pricing cyber insurance policies, issues of interdependence arise for both systematic and systemic cyber risks; classical actuarial valuation needs to be extended to include more complex methods, such as concepts of risk-neutral valuation and (set-valued) monetary risk measures.

    Managing cyber risk in organizations and supply chains

    In Industry 4.0, modern organizations are characterized by extensive digitalization and use of Information Technology (IT). Even though there are significant advantages in such technological progress, a noteworthy drawback is represented by cyber risks, whose occurrence has increased dramatically over the last years. The information technology literature has shown great interest in the topic, identifying mainly technical solutions to face these emerging risks. Nonetheless, cyber risks cause business disruption and damage to tangible and intangible corporate assets and require a closer integration between technical solutions and strategic management. Recently, the risk management domain and the supply chain literature have provided studies about how an effective cyber risk management process should be planned, to improve organizational resilience and to prevent financial drawbacks. However, the aforementioned studies are mainly theoretical and there is still a significant lack of empirical studies in the management literature measuring the potential effects of cyber threats within single companies and along networks of relationships, in a wider supply chain perspective. The present thesis aims at filling some of these gaps through three empirical essays. The first study implemented a Grounded Theory approach to develop an interview targeting 15 European organizations. Afterwards, fuzzy set Qualitative Comparative Analysis (fsQCA) was performed in order to ascertain how managers perceive cyber risks. Results contradict studies that focus merely on technical solutions, and confirm the dynamic capability literature, which highlights the relevance of a closer integration among relational, organizational, and technical capabilities when dealing with technological issues. Moreover, the study proposes a managerial framework that draws on the dynamic capabilities view, in order to consider the complexity and dynamism of IT and cyber risks.
The framework proposes to implement both technical (e.g. software, insurance, investments in IT assets) and organizational (e.g. team work, human IT resources) capabilities to protect the capability of the company to create value. The second essay extends the investigation of the drawbacks of cyber risks to supply chains. The study conducts a Grounded Theory empirical investigation of several European organizations that rely on security and risk management standards in order to choose the drivers of systematic IT and cyber risk management (risk assessment, risk prevention, risk mitigation, risk compliance, and risk governance). The evidence gleaned from the interviews has highlighted that investments in supply chain mitigation strategies are scant, resulting in supply chains that perform as if they had a much higher risk appetite than managers declared. Moreover, a general lack of awareness has emerged regarding the effects that IT and cyber risks may have on supply operations and relationships. Thus, a framework drawing on supply chain risk management is proposed, offering a holistic risk management process in which strategies, processes, technologies, and human resources should be aligned in coherence with the governance of each organization and of the supply chain as a whole. The final result should be a supply chain where the actors share more information throughout the whole process, which guarantees strategic benefits, reputation protection, and business continuity. The third essay draws on the Situational Crisis Communication Theory (SCCT) to ascertain whether and how different types of cyber breaches differently affect corporate reputation, defined as a multidimensional construct in which the perceptions of customers, suppliers, (potential) employees, investors and local communities converge.
Data breaches have been categorized into three groups by the literature: intentional and internal to the organization (e.g., malicious employees stealing customers’ data), unintentional and internal to the organization (e.g., incorrect security settings that expose private information), and intentional and external to the organization (e.g., ransomware infecting companies’ software). However, this is among the first studies to analyse the different reputational drawbacks these types may cause. Moreover, the study considers that, in the Industry 4.0 era, social media analysis may be of paramount importance for organizations to understand the market. In fact, user-generated content (UGC), meaning the content created by users, might help in understanding which dimensions of corporate reputation have been most attacked after a data breach. In this context, the study implements the Latent Dirichlet Allocation (LDA) automated method, a base model in the family of “topic models”, to extract the reputational dimensions expressed in the UGC of a sample of 35 organizations in nine industries that had a data breach incident between 2013 and 2016. The results reveal that in general, after a data breach, three dimensions (perceived quality, customer orientation and corporate performance) are a subject of debate for users. However, if the data breach was intentional and malicious, users focused more on the role of firms’ human resources management, whereas if users did not identify a responsible party, they focused more on privacy drawbacks. The study complements crisis communication research by categorizing, in a data breach context, stakeholders’ perceptions of a crisis. In addition, the research is informative for the risk management literature and reputation research, analysing corporate reputation dimensions in a data breach crisis setting.

    Building Resilience in Cybersecurity -- An Artificial Lab Approach

    Based on classical contagion models we introduce an artificial cyber lab: the digital twin of a complex cyber system in which possible cyber resilience measures may be implemented and tested. Using the lab, in numerical case studies, we identify two classes of measures to control systemic cyber risks: security- and topology-based interventions. We discuss the implications of our findings for selected real-world cybersecurity measures currently applied in insurance and regulation practice or under discussion for future cyber risk control. To this end, we provide a brief overview of current cybersecurity regulation and emphasize the role of insurance companies as private regulators. Moreover, from an insurance point of view, we provide first attempts to design systemic cyber risk obligations and to measure the systemic risk contribution of individual policyholders.

    Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

    The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that an MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.

    When Are Cyber Blackouts in Modern Service Networks Likely?: A Network Oblivious Theory on Cyber (Re)Insurance Feasibility

    Service liability interconnections among globally networked IT- and IoT-driven service organizations create potential channels for cascading service disruptions worth billions of dollars, due to modern cyber-crimes such as DDoS, APT, and ransomware attacks. A natural question that arises in this context is: “What is the likelihood of a cyber-blackout?”, where the latter term is defined as the probability that all (or a major subset of) organizations in a service chain become dysfunctional in a certain manner due to a cyber-attack at some or all points in the chain. The answer to this question has major implications for risk management businesses such as cyber-insurance when it comes to designing policies by risk-averse insurers for providing coverage to clients in the aftermath of such catastrophic network events. In this article, we investigate this question in general as a function of service chain networks and different cyber-loss distribution types. We show, somewhat surprisingly (and discuss the potential practical implications), that, following a cyber-attack, the effect of (a) the network interconnection topology and (b) a wide range of loss distributions on the probability of a cyber-blackout and on the increase in total service-related monetary losses across all organizations is mostly very small. The primary rationale behind these results is attributed to degrees of heterogeneity in the revenue base among organizations and the Increasing Failure Rate property of popular (i.i.d./non-i.i.d.) loss distributions, i.e., log-concave cyber-loss distributions. The result will enable risk-averse cyber-risk managers to safely infer the impact of cyber-attacks in a worst-case, network- and distribution-oblivious setting.

    Are cyber-blackouts in service networks likely?: Implications for Aggregate Cyber Risk Management

    @TechReport{UCAM-CL-TR-926,
      author      = {Pal, Ranjan and Psounis, Konstantinos and Kumar, Abhishek and Crowcroft, Jon and Hui, Pan and Golubchik, Leana and Kelly, John and Chatterjee, Aritra and Tarkoma, Sasu},
      title       = {{Are cyber-blackouts in service networks likely?: implications for cyber risk management}},
      year        = 2018,
      month       = oct,
      url         = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-926.pdf},
      institution = {University of Cambridge, Computer Laboratory},
      number      = {UCAM-CL-TR-926}
    }

    Service liability interconnections among networked IT and IoT driven service organizations create potential channels for cascading service disruptions due to modern cybercrimes such as DDoS, APT, and ransomware attacks. The very recent Mirai DDoS and WannaCry ransomware attacks serve as famous examples of cyber-incidents that have caused catastrophic service disruptions worth billions of dollars across organizations around the globe. A natural question that arises in this context is “what is the likelihood of a cyber-blackout?”, where the latter term is defined as: “the probability that all (or a major subset of) organizations in a service chain become dysfunctional in a certain manner due to a cyber-attack at some or all points in the chain”. The answer to this question has major implications for risk management businesses such as cyber-insurance when it comes to designing policies by risk-averse insurers for providing coverage to clients in the aftermath of such catastrophic network events. In this paper, we investigate this question in general as a function of service chain networks and different loss distribution types.
We show somewhat surprisingly (and discuss potential practical implications) that following a cyber-attack, the probability of a cyber-blackout and the increase in total service-related monetary losses across all organizations, due to the effect of (a) network interconnections, and (b) a wide range of loss distributions, are mostly very small, regardless of the network structure – the primary rationale behind the results being attributed to degrees of heterogeneity in wealth base among organizations, and the Increasing Failure Rate (IFR) property of loss distributions.