Show simple item record

dc.contributor.advisor: Sindre, Guttorm
dc.contributor.advisor: Jaccheri, Letizia
dc.contributor.advisor: Bernsmed, Karin
dc.contributor.author: Meland, Per Håkon
dc.date.accessioned: 2021-10-25T11:05:45Z
dc.date.available: 2021-10-25T11:05:45Z
dc.date.issued: 2021
dc.identifier.isbn: 978-82-326-6362-0
dc.identifier.issn: 2703-8084
dc.identifier.uri: https://hdl.handle.net/11250/2825312
dc.description.abstract: Cyber risk management is about identifying, assessing and reducing risk to an acceptable level. With systems that have been in operation for some time, we might be able to make qualified risk estimations and treat them in a cost-efficient manner based on previous events and experiences. However, with storyless systems, such estimations become more of a guessing game, and it is hard to determine how much and what kind of security is good enough. Additionally, both old and new systems are exposed to an evolving threat environment, where relying on the Maginot lines of the past could lead to brutal consequences in the future. The purpose of this PhD study has been to investigate new methods for managing cyber security risks without too much reliance on historical events. These methods belong to an area found in the intersection between threat modelling and security economics. The former is about anticipating attacks and imagining what can go wrong, often taking the mindset of an adversary. The latter is concerned with how economic mechanisms shape security. The overall research approach of the study leans towards practice-based research, where interventions and designs contribute to local practices as well as generalized knowledge. Following the principles of pragmatism, a mix of quantitative and qualitative research methods has been applied for empirical inquiry, covering problem investigation, artefact creation and evaluation. The study has complemented ongoing projects that are addressing threats and technology development within the aviation and maritime fields, and included cyber insurance as an application area for risk transfer to third parties. A general limitation is the assumed rational behaviour of both attackers and defenders, which does not cover all types of cyber threats. Furthermore, there are ethical concerns restricting the research methods and openness of results related to cyber crime investigations.
The results have been published as a collection of papers and show that subjective estimations can be supported by economic incentives when identifying threats, the likelihood of their occurrence and ways of treating them. For instance, by focusing on the capabilities that are needed for the different attack stages, we can spend less time and obtain a higher degree of reusability compared to modelling specific attack paths. Just as there is no one-solution-fits-all for threat modelling, we cannot use data types and sources for economic incentives uncritically. We have documented some of these strengths and weaknesses related to a given set of threats, and encourage others to expand this work to support the cyber risk management discipline.
dc.language.iso: eng
dc.publisher: NTNU
dc.relation.ispartofseries: Doctoral theses at NTNU;2021:329
dc.relation.haspart: Paper A: Bagnato, Alessandra; Kordy, Barbara; Meland, Per Håkon; Schweitzer, Patrick. Attribute Decoration of Attack–Defense Trees. International Journal of Secure Software Engineering (IJSSE) 2012; Volume 3(2). https://doi.org/10.4018/jsse.2012040101
dc.relation.haspart: Paper B: Meland, Per Håkon; Tøndel, Inger Anne; Solhaug, Bjørnar. Mitigating Risk with Cyberinsurance. IEEE Security and Privacy 2015; Volume 13(6), pp. 38-43. https://doi.org/10.1109/MSP.2015.137
dc.relation.haspart: Paper C: Bernsmed, Karin; Frøystad, Christian; Meland, Per Håkon; Nesheim, Dag Atle; Rødseth, Ørnulf Jan. Visualizing cyber security risks with bow-tie diagrams. Lecture Notes in Computer Science (LNCS) 2018; Volume 10744, pp. 38-56. https://doi.org/10.1007/978-3-319-74860-3_3
dc.relation.haspart: Paper D: Meland, Per Håkon; Tøndel, Inger Anne; Moe, Marie Elisabeth Gaup; Seehusen, Fredrik. Facing uncertainty in cyber insurance policies. Lecture Notes in Computer Science (LNCS) 2017; Volume 10547, pp. 89-100. https://doi.org/10.1007/978-3-319-68063-7_6
dc.relation.haspart: Paper E: P. H. Meland and F. Seehusen, ‘When to treat security risks with cyber insurance,’ International Journal on Cyber Situational Awareness, vol. 3, no. 1, pp. 39–60, 2018. doi: https://doi.org/10.22619/ijcsa.2018.100119 Creative Commons Attribution 4.0 International (CC BY 4.0)
dc.relation.haspart: Paper F: Meland, Per Håkon; Bernsmed, Karin; Frøystad, Christian; Li, Jingyue; Sindre, Guttorm. An experimental evaluation of bow-tie analysis for security. Information and Computer Security 2019; Volume 26(4), pp. 536-561. https://doi.org/10.1108/ICS-11-2018-0132 This article is published under the Creative Commons Attribution (CC BY 4.0) license.
dc.relation.haspart: Paper G: Franke, Ulrik; Meland, Per Håkon. Demand side expectations of cyber insurance. In: 2019 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA). IEEE 2019, ISBN 978-1-7281-0232-0, pp. 1-8. https://doi.org/10.1109/CyberSA.2019.8899685
dc.relation.haspart: Paper H: Meland, Per Håkon; Johansen, Bent Heier; Sindre, Guttorm. An experimental analysis of cryptojacking attacks. In: Secure IT Systems. Springer 2019, ISBN 978-3-030-35055-0, pp. 155-170. https://doi.org/10.1007/978-3-030-35055-0_10
dc.relation.haspart: Paper I: Meland, Per Håkon; Sindre, Guttorm. Cyber Attacks for Sale. In: Proceedings from the 2019 International Conference on Computational Science and Computational Intelligence (CSCI'19). IEEE conference proceedings 2020, ISBN 978-1-7281-5584-5, pp. 54-59. https://doi.org/10.1109/CSCI49370.2019.00016
dc.relation.haspart: Paper J: Meland, Per Håkon; Bayoumy, Yara; Sindre, Guttorm. The Ransomware-as-a-Service economy within the darknet. Computers & Security 2020; Volume 92. https://doi.org/10.1016/j.cose.2020.101762 This is an open access article under the CC BY license. ( http://creativecommons.org/licenses/by/4.0/ )
dc.relation.haspart: Paper K: Haga, Kristian; Meland, Per Håkon; Sindre, Guttorm. Breaking the Cyber Kill Chain by Modelling Resource Costs. In: Graphical Models for Security - 7th International Workshop, GraMSec 2020, Boston, MA, USA, June 22, 2020, Revised Selected Papers. Springer 2020, ISBN 978-3-030-62229-9, pp. 111-126. https://doi.org/10.1007/978-3-030-62230-5_6
dc.relation.haspart: Paper L: Meland, P.H.; Tokas, S.; Erdogan, G.; Bernsmed, K.; Omerovic, A. A Systematic Mapping Study on Cyber Security Indicator Data. Electronics 2021, 10, 1092. https://doi.org/10.3390/electronics10091092 This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY)
dc.relation.haspart: Paper M: Meland, P.H.; Nesheim, D.A.; Bernsmed, K.; Sindre, G. Assessing cyber threats for storyless systems. The final published version is available in Journal of Information Security and Applications, Volume 64, February 2022, 103050. https://doi.org/10.1016/j.jisa.2021.103050 This is an open access article under the CC BY license.
dc.relation.haspart: Poster: P. H. Meland, ‘Combining threat models with security economics,’ in The 11th Norwegian Information Security Conference (NISK), IEEE, 2018. [Online]. Available: https://ojs.bibsys.no/index.php/NISK/article/view/570/486
dc.relation.haspart: Poster: P. H. Meland, ‘Resilient cyber security through cybercrime market analysis,’ in REA Symposium on Resilience Engineering Embracing Resilience, 2019, ISBN: 978-91-88898-41-8. [Online]. Available: https://open.lnu.se/index.php/rea/article/view/1975/1695
dc.rights: In reference to IEEE copyrighted material which is used with permission in this thesis, the IEEE does not endorse any of [name of university or educational entity]’s products or services. Internal or personal use of this material is permitted. If interested in reprinting/republishing IEEE copyrighted material for advertising or promotional purposes or for creating new collective works for resale or redistribution, please go to http://www.ieee.org/publications_standards/publications/rights/rights_link.html to learn how to obtain a License from RightsLink.
dc.title: Storyless cyber security: Modelling threats with economic incentives
dc.type: Doctoral thesis
