Storyless cyber security: Modelling threats with economic incentives
Doctoral thesis
Permanent link
https://hdl.handle.net/11250/2825312
Publication date
2021
Abstract
Cyber risk management is about identifying, assessing and reducing risk to an acceptable level. With systems that have been in operation for some time, we might be able to make qualified risk estimations and treat them in a cost-efficient manner based on previous events and experiences. However, with storyless systems, such estimations become more like guesswork, and it is hard to determine how much and what kind of security is good enough. Additionally, both old and new systems are exposed to an evolving threat environment where relying on the Maginot lines of the past could lead to brutal consequences in the future.
The purpose of this PhD study has been to investigate new methods for managing cyber security risks without too much reliance on historical events. These methods belong to an area found in the intersection between threat modelling and security economics. The former is about anticipating attacks and imagining what can go wrong, often taking the mindset of an adversary. The latter is concerned with how economic mechanisms shape security.
The overall research approach of the study leans towards practice-based research, where interventions and designs contribute to local practices as well as generalized knowledge. Following the principles of pragmatism, a mix of quantitative and qualitative research methods has been applied for empirical inquiry, covering problem investigation, artefact creation and evaluation. The study has complemented ongoing projects that are addressing threats and technology development within the aviation and maritime fields, and included cyber insurance as an application area for risk transfer to third parties. A general limitation is the assumed rational behaviour of both attackers and defenders, which does not cover all types of cyber threats. Furthermore, there are ethical concerns restricting the research methods and openness of results related to cyber crime investigations.
The results have been published as a collection of papers and show that subjective estimations can be supported by economic incentives when identifying threats, the likelihood of their occurrence and ways of treating them. For instance, by focusing on the capabilities that are needed for the different attack stages, we can spend less time and obtain a higher degree of reusability compared to modelling specific attack paths. Just as there is no one-solution-fits-all for threat modelling, we cannot use data types and sources for economic incentives uncritically. We have documented some of these strengths and weaknesses related to a given set of threats, and encourage expanding this work to support the cyber risk management discipline.
Consists of
Paper A: Bagnato, Alessandra; Kordy, Barbara; Meland, Per Håkon; Schweitzer, Patrick. Attribute Decoration of Attack–Defense Trees. International Journal of Secure Software Engineering (IJSSE) 2012; Volume 3(2) https://doi.org/10.4018/jsse.2012040101
Paper B: Meland, Per Håkon; Tøndel, Inger Anne; Solhaug, Bjørnar. Mitigating Risk with Cyberinsurance. IEEE Security and Privacy 2015; Volume 13(6), pp. 38-43 https://doi.org/10.1109/MSP.2015.137
Paper C: Bernsmed, Karin; Frøystad, Christian; Meland, Per Håkon; Nesheim, Dag Atle; Rødseth, Ørnulf Jan. Visualizing cyber security risks with bow-tie diagrams. Lecture Notes in Computer Science (LNCS) 2018; Volume 10744, pp. 38-56 https://doi.org/10.1007/978-3-319-74860-3_3
Paper D: Meland, Per Håkon; Tøndel, Inger Anne; Moe, Marie Elisabeth Gaup; Seehusen, Fredrik. Facing uncertainty in cyber insurance policies. Lecture Notes in Computer Science (LNCS) 2017; Volume 10547, pp. 89-100 https://doi.org/10.1007/978-3-319-68063-7_6
Paper E: P. H. Meland and F. Seehusen, ‘When to treat security risks with cyber insurance,’ International Journal on Cyber Situational Awareness, vol. 3, no. 1, pp. 39–60, 2018. doi: https://doi.org/10.22619/ijcsa.2018.100119 Creative Commons Attribution 4.0 International (CC BY 4.0)
Paper F: Meland, Per Håkon; Bernsmed, Karin; Frøystad, Christian; Li, Jingyue; Sindre, Guttorm. An experimental evaluation of bow-tie analysis for security. Information and Computer Security 2019; Volume 26(4), pp. 536-561 https://doi.org/10.1108/ICS-11-2018-0132 This article is published under the Creative Commons Attribution (CC BY 4.0) license.
Paper G: Franke, Ulrik; Meland, Per Håkon. Demand side expectations of cyber insurance. In: 2019 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA). IEEE 2019 ISBN 978-1-7281-0232-0, pp. 1-8 https://doi.org/10.1109/CyberSA.2019.8899685
Paper H: Meland, Per Håkon; Johansen, Bent Heier; Sindre, Guttorm. An experimental analysis of cryptojacking attacks. In: Secure IT Systems. Springer 2019 ISBN 978-3-030-35055-0, pp. 155-170 https://doi.org/10.1007/978-3-030-35055-0_10
Paper I: Meland, Per Håkon; Sindre, Guttorm. Cyber Attacks for Sale. In: Proceedings from the 2019 International Conference on Computational Science and Computational Intelligence (CSCI'19). IEEE conference proceedings 2020 ISBN 978-1-7281-5584-5, pp. 54-59 https://doi.org/10.1109/CSCI49370.2019.00016
Paper J: Meland, Per Håkon; Bayoumy, Yara; Sindre, Guttorm. The Ransomware-as-a-Service economy within the darknet. Computers & security 2020; Volume 92. https://doi.org/10.1016/j.cose.2020.101762 This is an open access article under the CC BY license. ( http://creativecommons.org/licenses/by/4.0/ )
Paper K: Haga, Kristian; Meland, Per Håkon; Sindre, Guttorm. Breaking the Cyber Kill Chain by Modelling Resource Costs. In: Graphical Models for Security - 7th International Workshop, GraMSec 2020, Boston, MA, USA, June 22, 2020, Revised Selected Paper. Springer 2020 ISBN 978-3-030-62229-9, pp. 111-126 https://doi.org/10.1007/978-3-030-62230-5_6
Paper L: Meland, P.H.; Tokas, S.; Erdogan, G.; Bernsmed, K.; Omerovic, A. A Systematic Mapping Study on Cyber Security Indicator Data. Electronics 2021, 10, 1092. https://doi.org/10.3390/electronics10091092 This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY)
Paper M: Meland, P.H.; Nesheim, D.A.; Bernsmed, K.; Sindre, G. Assessing cyber threats for storyless systems. The final published version is available in Journal of Information Security and Applications Volume 64, February 2022, 103050 https://doi.org/10.1016/j.jisa.2021.103050 This is an open access article under the CC BY license
Poster: P. H. Meland, ‘Combining threat models with security economics,’ in The 11th Norwegian Information Security Conference (NISK), IEEE, 2018. [Online]. Available: https://ojs.bibsys.no/index.php/NISK/article/view/570/486
Poster: P. H. Meland, ‘Resilient cyber security through cybercrime market analysis,’ in REA Symposium on Resilience Engineering Embracing Resilience, 2019, isbn: 978-91-88898-41-8. [Online]. Available: https://open.lnu.se/index.php/rea/article/view/1975/1695