IDEAS home Printed from https://ideas.repec.org/a/wly/riskan/v39y2019i12p2766-2785.html
   My bibliography  Save this article

Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Cyber–Physical Systems from Cyber Attacks

Author

Listed:
  • Wei Wang
  • Francesco Di Maio
  • Enrico Zio

Abstract

Defenders have to enforce defense strategies by taking decisions on allocation of resources to protect the integrity and survivability of cyber–physical systems (CPSs) from intentional and malicious cyber attacks. In this work, we propose an adversarial risk analysis approach to provide a novel one‐sided prescriptive support strategy for the defender to optimize the defensive resource allocation, based on a subjective expected utility model, in which the decisions of the adversaries are uncertain. This increases confidence in cyber security through robustness of CPS protection actions against uncertain malicious threats compared with prescriptions provided by a classical defend–attack game‐theoretical approach. We present the approach and the results of its application to a nuclear CPS, specifically the digital instrumentation and control system of the advanced lead‐cooled fast reactor European demonstrator.

Suggested Citation

  • Wei Wang & Francesco Di Maio & Enrico Zio, 2019. "Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Cyber–Physical Systems from Cyber Attacks," Risk Analysis, John Wiley & Sons, vol. 39(12), pages 2766-2785, December.
    • Handle: RePEc:wly:riskan:v:39:y:2019:i:12:p:2766-2785
    DOI: 10.1111/risa.13382
    as

    Download full text from publisher

    File URL: https://doi.org/10.1111/risa.13382
    Download Restriction: no
    File URL: https://libkey.io/10.1111/risa.13382?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Ríos Insua, David & Cano, Javier & Pellot, Michael & Ortega, Ricardo, 2016. "Multithreat multisite protection: A security case study," European Journal of Operational Research, Elsevier, vol. 252(3), pages 888-899.
    2. Daniel Bernoulli, 2011. "Exposition Of A New Theory On The Measurement Of Risk," World Scientific Book Chapters, in: Leonard C MacLean & Edward O Thorp & William T Ziemba (ed.), THE KELLY CAPITAL GROWTH INVESTMENT CRITERION THEORY and PRACTICE, chapter 2, pages 11-24, World Scientific Publishing Co. Pte. Ltd..
    3. Grechuk, Bogdan & Zabarankin, Michael, 2016. "Inverse portfolio problem with coherent risk measures," European Journal of Operational Research, Elsevier, vol. 249(2), pages 740-750.
    4. R. Piccinelli & G. Sansavini & R. Lucchetti & E. Zio, 2017. "A General Framework for the Assessment of Power System Vulnerability to Malicious Attacks," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2182-2190, November.
    5. Vicki Bier & Santiago Oliveros & Larry Samuelson, 2007. "Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 9(4), pages 563-587, August.
    6. Vicki M. Bier & Naraphorn Haphuriwat & Jaime Menoyo & Rae Zimmerman & Alison M. Culpen, 2008. "Optimal Resource Allocation for Defense of Targets Based on Differing Measures of Attractiveness," Risk Analysis, John Wiley & Sons, vol. 28(3), pages 763-770, June.
    7. Levitin, G. & Gertsbakh, I. & Shpungin, Y., 2011. "Evaluating the damage associated with intentional network disintegration," Reliability Engineering and System Safety, Elsevier, vol. 96(4), pages 433-439.
    8. Casey Rothschild & Laura McLay & Seth Guikema, 2012. "Adversarial Risk Analysis with Incomplete Information: A Level‐k Approach," Risk Analysis, John Wiley & Sons, vol. 32(7), pages 1219-1231, July.
    9. Zare Moayedi, Behzad & Azgomi, Mohammad Abdollahi, 2012. "A game theoretic framework for evaluation of the impacts of hackers diversity on security measures," Reliability Engineering and System Safety, Elsevier, vol. 99(C), pages 45-54.
    10. Levitin, Gregory & Hausken, Kjell, 2009. "Intelligence and impact contests in systems with redundancy, false targets, and partial protection," Reliability Engineering and System Safety, Elsevier, vol. 94(12), pages 1927-1941.
    11. Viscusi, W Kip & Aldy, Joseph E, 2003. "The Value of a Statistical Life: A Critical Review of Market Estimates throughout the World," Journal of Risk and Uncertainty, Springer, vol. 27(1), pages 5-76, August.
    12. Jun Zhuang & Vicki M. Bier, 2007. "Balancing Terrorism and Natural Disasters---Defensive Strategy with Endogenous Attacker Effort," Operations Research, INFORMS, vol. 55(5), pages 976-991, October.
    13. Flage, Roger & Aven, Terje & Berner, Christine L., 2018. "A comparison between a probability bounds analysis and a subjective probability approach to express epistemic uncertainties in a risk assessment context – A simple illustrative example," Reliability Engineering and System Safety, Elsevier, vol. 169(C), pages 1-10.
    14. Javier Cano & Alessandro Pollini & Lorenzo Falciani & Uğur Turhan, 2016. "Modeling current and emerging threats in the airport domain through adversarial risk analysis," Journal of Risk Research, Taylor & Francis Journals, vol. 19(7), pages 894-912, August.
    15. J. S. Busby & B. Green & D. Hutchison, 2017. "Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk," Risk Analysis, John Wiley & Sons, vol. 37(7), pages 1298-1314, July.
    16. John C. Hershey & Paul J. H. Schoemaker, 1985. "Probability Versus Certainty Equivalence Methods in Utility Measurement: Are they Equivalent?," Management Science, INFORMS, vol. 31(10), pages 1213-1231, October.
    17. Fang, Yiping & Sansavini, Giovanni, 2017. "Optimizing power system investments and resilience against attacks," Reliability Engineering and System Safety, Elsevier, vol. 159(C), pages 161-173.
    18. Jesus Rios & David Rios Insua, 2012. "Adversarial Risk Analysis for Counterterrorism Modeling," Risk Analysis, John Wiley & Sons, vol. 32(5), pages 894-915, May.
    19. Aven, Terje & Zio, Enrico, 2011. "Some considerations on the treatment of uncertainties in risk assessment for practical decision making," Reliability Engineering and System Safety, Elsevier, vol. 96(1), pages 64-74.
    20. Aven, Terje, 2009. "Identification of safety and security critical systems and activities," Reliability Engineering and System Safety, Elsevier, vol. 94(2), pages 404-411.
    21. W. Viscusi, 2009. "Valuing risks of death from terrorism and natural disasters," Journal of Risk and Uncertainty, Springer, vol. 38(3), pages 191-213, June.
    22. Kreps, David M., 1990. "Game Theory and Economic Modelling," OUP Catalogue, Oxford University Press, number 9780198283812.
    23. Wang, Wei & Cammi, Antonio & Di Maio, Francesco & Lorenzi, Stefano & Zio, Enrico, 2018. "A Monte Carlo-based exploration framework for identifying components vulnerable to cyber threats in nuclear power plants," Reliability Engineering and System Safety, Elsevier, vol. 175(C), pages 24-37.
    24. Zio, E., 2018. "The future of risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 177(C), pages 176-190.
    25. Terje Aven & Louis Anthony Cox, 2016. "National and Global Risk Studies: How Can the Field of Risk Analysis Contribute?," Risk Analysis, John Wiley & Sons, vol. 36(2), pages 186-190, February.
    26. Jun Zhuang & Vicki Bier, 2011. "Secrecy And Deception At Equilibrium, With Applications To Anti-Terrorism Resource Allocation," Defence and Peace Economics, Taylor & Francis Journals, vol. 22(1), pages 43-61.
    27. Hu, Xiaoxiao & Xu, Maochao & Xu, Shouhuai & Zhao, Peng, 2017. "Multiple cyber attacks against a target with observation errors and dependent outcomes: Characterization and optimization," Reliability Engineering and System Safety, Elsevier, vol. 159(C), pages 119-133.
    28. Ramirez-Marquez, Jose E. & Rocco, Claudio M. & Levitin, Gregory, 2011. "Optimal network protection against diverse interdictor strategies," Reliability Engineering and System Safety, Elsevier, vol. 96(3), pages 374-382.
    29. Javier Cano & David Ríos Insua & Alessandra Tedeschi & Ug̃ur Turhan, 2016. "Security economics: an adversarial risk analysis approach to airport protection," Annals of Operations Research, Springer, vol. 245(1), pages 359-378, October.
    30. John C. Harsanyi, 1967. "Games with Incomplete Information Played by "Bayesian" Players, I-III Part I. The Basic Model," Management Science, INFORMS, vol. 14(3), pages 159-182, November.
    31. Martin J. Osborne & Ariel Rubinstein, 1994. "A Course in Game Theory," MIT Press Books, The MIT Press, edition 1, volume 1, number 0262650401, December.
    32. Aven, Terje & Krohn, Bodil S., 2014. "A new perspective on how to understand, assess and manage risk and the unforeseen," Reliability Engineering and System Safety, Elsevier, vol. 121(C), pages 1-10.
    33. repec:reg:rpubli:282 is not listed on IDEAS
    34. Jun Zhuang & Vicki M. Bier, 2010. "Reasons for Secrecy and Deception in Homeland‐Security Resource Allocation," Risk Analysis, John Wiley & Sons, vol. 30(12), pages 1737-1743, December.
    35. G Levitin & K Hausken, 2010. "Defence and attack of systems with variable attacker system structure detection probability," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 61(1), pages 124-133, January.
    36. Levitin, Gregory & Hausken, Kjell, 2009. "Parallel systems under two sequential attacks," Reliability Engineering and System Safety, Elsevier, vol. 94(3), pages 763-772.
    37. Zio, Enrico, 2016. "Challenges in the vulnerability and risk analysis of critical infrastructures," Reliability Engineering and System Safety, Elsevier, vol. 152(C), pages 137-150.
    38. Peng, R. & Levitin, G. & Xie, M. & Ng, S.H., 2010. "Defending simple series and parallel systems with imperfect false targets," Reliability Engineering and System Safety, Elsevier, vol. 95(6), pages 679-688.
    39. Insua, Insua Rios & Rios, Jesus & Banks, David, 2009. "Adversarial Risk Analysis," Journal of the American Statistical Association, American Statistical Association, vol. 104(486), pages 841-854.
    40. G. Quijano, Eduardo & Ríos Insua, David & Cano, Javier, 2018. "Critical networked infrastructure protection from adversaries," Reliability Engineering and System Safety, Elsevier, vol. 179(C), pages 27-36.
    41. Kjell Hausken, 2014. "Choosing what to protect when attacker resources and asset valuations are uncertain," Operations Research and Decisions, Wroclaw University of Science and Technology, Faculty of Management, vol. 24(3), pages 23-44.
    42. Hausken, Kjell & Levitin, Gregory, 2009. "Minmax defense strategy for complex multi-state systems," Reliability Engineering and System Safety, Elsevier, vol. 94(2), pages 577-587.
    43. Kriaa, Siwar & Pietre-Cambacedes, Ludovic & Bouissou, Marc & Halgand, Yoran, 2015. "A survey of approaches combining safety and security for industrial control systems," Reliability Engineering and System Safety, Elsevier, vol. 139(C), pages 156-178.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Tang, Daogui & Fang, Yi-Ping & Zio, Enrico, 2023. "Vulnerability analysis of demand-response with renewable energy integration in smart grids to cyber attacks and online detection methods," Reliability Engineering and System Safety, Elsevier, vol. 235(C).
    2. Eric DuBois & Ashley Peper & Laura A. Albert, 2023. "Interdicting Attack Plans with Boundedly Rational Players and Multiple Attackers: An Adversarial Risk Analysis Approach," Decision Analysis, INFORMS, vol. 20(3), pages 202-219, September.
    3. Zhaojun Hao & Francesco Di Maio & Enrico Zio, 2021. "Multi-State Reliability Assessment Model of Base-Load Cyber-Physical Energy Systems (CPES) during Flexible Operation Considering the Aging of Cyber Components," Energies, MDPI, vol. 14(11), pages 1-18, June.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Zio, E., 2018. "The future of risk assessment," Reliability Engineering and System Safety, Elsevier, vol. 177(C), pages 176-190.
    2. Qingqing Zhai & Rui Peng & Jun Zhuang, 2020. "Defender–Attacker Games with Asymmetric Player Utilities," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 408-420, February.
    3. Vineet M. Payyappalli & Jun Zhuang & Victor Richmond R. Jose, 2017. "Deterrence and Risk Preferences in Sequential Attacker–Defender Games with Continuous Efforts," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2229-2245, November.
    4. Mohammad E. Nikoofal & Mehmet Gümüs, 2015. "On the value of terrorist’s private information in a government’s defensive resource allocation problem," IISE Transactions, Taylor & Francis Journals, vol. 47(6), pages 533-555, June.
    5. Hunt, Kyle & Agarwal, Puneet & Zhuang, Jun, 2021. "Technology adoption for airport security: Modeling public disclosure and secrecy in an attacker-defender game," Reliability Engineering and System Safety, Elsevier, vol. 207(C).
    6. Mohammad E. Nikoofal & Jun Zhuang, 2012. "Robust Allocation of a Defensive Budget Considering an Attacker's Private Information," Risk Analysis, John Wiley & Sons, vol. 32(5), pages 930-943, May.
    7. Roponen, Juho & Ríos Insua, David & Salo, Ahti, 2020. "Adversarial risk analysis under partial information," European Journal of Operational Research, Elsevier, vol. 287(1), pages 306-316.
    8. Wang, Wei & Di Maio, Francesco & Zio, Enrico, 2020. "Considering the human operator cognitive process for the interpretation of diagnostic outcomes related to component failures and cyber security attacks," Reliability Engineering and System Safety, Elsevier, vol. 202(C).
    9. Wang, Wei & Cammi, Antonio & Di Maio, Francesco & Lorenzi, Stefano & Zio, Enrico, 2018. "A Monte Carlo-based exploration framework for identifying components vulnerable to cyber threats in nuclear power plants," Reliability Engineering and System Safety, Elsevier, vol. 175(C), pages 24-37.
    10. Peiqiu Guan & Jun Zhuang, 2016. "Modeling Resources Allocation in Attacker‐Defender Games with “Warm Up” CSF," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 776-791, April.
    11. Dan Kovenock & Brian Roberson, 2012. "Strategic Defense And Attack For Series And Parallel Reliability Systems: Comment," Defence and Peace Economics, Taylor & Francis Journals, vol. 23(5), pages 507-515, October.
    12. González-Ortega, Jorge & Ríos Insua, David & Cano, Javier, 2019. "Adversarial risk analysis for bi-agent influence diagrams: An algorithmic approach," European Journal of Operational Research, Elsevier, vol. 273(3), pages 1085-1096.
    13. Bier, Vicki M. & Hausken, Kjell, 2013. "Defending and attacking a network of two arcs subject to traffic congestion," Reliability Engineering and System Safety, Elsevier, vol. 112(C), pages 214-224.
    14. Abdolmajid Yolmeh & Melike Baykal-Gürsoy, 2019. "Two-Stage Invest–Defend Game: Balancing Strategic and Operational Decisions," Decision Analysis, INFORMS, vol. 16(1), pages 46-66, March.
    15. Nikoofal, Mohammad E. & Zhuang, Jun, 2015. "On the value of exposure and secrecy of defense system: First-mover advantage vs. robustness," European Journal of Operational Research, Elsevier, vol. 246(1), pages 320-330.
    16. Szidarovszky, Ferenc & Luo, Yi, 2014. "Incorporating risk seeking attitude into defense strategy," Reliability Engineering and System Safety, Elsevier, vol. 123(C), pages 104-109.
    17. Ben Yaghlane, Asma & Azaiez, M. Naceur, 2017. "Systems under attack-survivability rather than reliability: Concept, results, and applications," European Journal of Operational Research, Elsevier, vol. 258(3), pages 1156-1164.
    18. Yanling Chang & Alan Erera & Chelsea White, 2015. "A leader–follower partially observed, multiobjective Markov game," Annals of Operations Research, Springer, vol. 235(1), pages 103-128, December.
    19. Jie Xu & Jun Zhuang, 2016. "Modeling costly learning and counter-learning in a defender-attacker game with private defender information," Annals of Operations Research, Springer, vol. 236(1), pages 271-289, January.
    20. Michael Macgregor Perry & Hadi El-Amine, 2021. "Computational Efficiency in Multivariate Adversarial Risk Analysis Models," Papers 2110.12572, arXiv.org.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:wly:riskan:v:39:y:2019:i:12:p:2766-2785. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: https://doi.org/10.1111/(ISSN)1539-6924 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.