Printed from https://ideas.repec.org/a/wly/riskan/v37y2017i9p1644-1651.html

Resilience of Cyber Systems with Over‐ and Underregulation

Author

Listed:
  • Viktoria Gisladottir
  • Alexander A. Ganin
  • Jeffrey M. Keisler
  • Jeremy Kepner
  • Igor Linkov

Abstract

Recent cyber attacks provide evidence of increased threats to our critical systems and infrastructure. A common reaction to a new threat is to harden the system by adding new rules and regulations. As federal and state governments request new procedures to follow, each of their organizations implements their own cyber defense strategies. This unintentionally increases time and effort that employees spend on training and policy implementation and decreases the time and latitude to perform critical job functions, thus raising overall levels of stress. People's performance under stress, coupled with an overabundance of information, results in even more vulnerabilities for adversaries to exploit. In this article, we embed a simple regulatory model that accounts for cybersecurity human factors and an organization's regulatory environment in a model of a corporate cyber network under attack. The resulting model demonstrates the effect of under‐ and overregulation on an organization's resilience with respect to insider threats. Currently, there is a tendency to use ad‐hoc approaches to account for human factors rather than to incorporate them into cyber resilience modeling. It is clear that using a systematic approach utilizing behavioral science, which already exists in cyber resilience assessment, would provide a more holistic view for decisionmakers.

Suggested Citation

  • Viktoria Gisladottir & Alexander A. Ganin & Jeffrey M. Keisler & Jeremy Kepner & Igor Linkov, 2017. "Resilience of Cyber Systems with Over‐ and Underregulation," Risk Analysis, John Wiley & Sons, vol. 37(9), pages 1644-1651, September.
  • Handle: RePEc:wly:riskan:v:37:y:2017:i:9:p:1644-1651
    DOI: 10.1111/risa.12729

    Download full text from publisher

    File URL: https://doi.org/10.1111/risa.12729
    Download Restriction: no


    References listed on IDEAS

    1. Scott D. Sagan, 2004. "The Problem of Redundancy Problem: Why More Nuclear Security Forces May Produce Less Nuclear Security," Risk Analysis, John Wiley & Sons, vol. 24(4), pages 935-946, August.
    2. Jeremy Kepner & Vijay Gadepally & Pete Michaleas, 2015. "Percolation Model of insider threats to assess the optimum number of rules," Environment Systems and Decisions, Springer, vol. 35(4), pages 504-510, December.
    3. Ogus, Anthony, 2002. "Comparing Regulatory Systems: Institutions, Processes and Legal Forms in Industrialised Countries," Centre on Regulation and Competition (CRC) Working papers 30609, University of Manchester, Institute for Development Policy and Management (IDPM).
    4. M. Mitchell Waldrop, 2016. "How to hack the hackers: The human side of cybercrime," Nature, Nature, vol. 533(7602), pages 164-167, May.
    5. Matthew Bunn, 2004. "Thinking about How Many Guards Will Do the Job," Risk Analysis, John Wiley & Sons, vol. 24(4), pages 949-953, August.
    6. Bauer, Johannes M. & van Eeten, Michel J.G., 0. "Cybersecurity: Stakeholder incentives, externalities, and policy options," Telecommunications Policy, Elsevier, vol. 33(10-11), pages 706-719, November.
    7. John S. Carroll, 2004. "Redundancy as a Design Principle and an Operating Principle," Risk Analysis, John Wiley & Sons, vol. 24(4), pages 955-957, August.
    8. Magat, Wesley A & Viscusi, W Kip & Huber, Joel, 1988. "Consumer Processing of Hazard Warning Information," Journal of Risk and Uncertainty, Springer, vol. 1(2), pages 201-232, June.

    Citations


    Cited by:

    1. Edward J. Oughton & Daniel Ralph & Raghav Pant & Eireann Leverett & Jennifer Copic & Scott Thacker & Rabia Dada & Simon Ruffle & Michelle Tuveson & Jim W Hall, 2019. "Stochastic Counterfactual Risk Analysis for the Vulnerability Assessment of Cyber‐Physical Attacks on Electricity Distribution Infrastructure Networks," Risk Analysis, John Wiley & Sons, vol. 39(9), pages 2012-2031, September.
    2. Bell, Alison J.C. & Rogers, M. Brooke & Pearce, Julia M., 2019. "The insider threat: Behavioral indicators and factors influencing likelihood of intervention," International Journal of Critical Infrastructure Protection, Elsevier, vol. 24(C), pages 166-176.
    3. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    4. Poulin, Craig & Kane, Michael B., 2021. "Infrastructure resilience curves: Performance measures and summary metrics," Reliability Engineering and System Safety, Elsevier, vol. 216(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Navid Ghaffarzadegan, 2008. "How a System Backfires: Dynamics of Redundancy Problems in Security," Risk Analysis, John Wiley & Sons, vol. 28(6), pages 1669-1687, December.
    2. Becker, Gary S. & Rubinstein, Yona, 2011. "Fear and the response to terrorism: an economic analysis," LSE Research Online Documents on Economics 121740, London School of Economics and Political Science, LSE Library.
    3. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    4. Rosie Collins & Cavan O’Connor-Close & Aria Zhang, 2020. "Cyber incident cost estimates and the importance of building resilience," Reserve Bank of New Zealand Bulletin, Reserve Bank of New Zealand, vol. 83, pages 1-17, February.
    5. Cassey Lee, 2007. "Legal Traditions and Competition Policy," Chapters, in: Paul Cook & Raul Fabella & Cassey Lee (ed.), Competitive Advantage and Competition Policy in Developing Countries, chapter 4, Edward Elgar Publishing.
    6. Cheng, Kuo-Tai & Hebenton, Bill, 2008. "Regulatory governance of telecommunications liberalisation in Taiwan," Utilities Policy, Elsevier, vol. 16(4), pages 292-306, December.
    7. Marc Quintyn, 2009. "Independent agencies: more than a cheap copy of independent central banks?," Constitutional Political Economy, Springer, vol. 20(3), pages 267-295, September.
    8. Mario F. TEISL & Nancy E. BOCKSTAEL & Alan S. LEVY, 1997. "Preferences For Food Labels: A Discrete Choice Approach," Department of Resource Economics Regional Research Project 9614, University of Massachusetts.
    9. René van Bavel & Nuria Rodríguez-Priego, 2016. "Nudging Online Security Behaviour with Warning Messages: Results from an Online Experiment," JRC Research Reports JRC103223, Joint Research Centre.
    10. Luzak, J. A., 2013. "Privacy notice for dummies? Towards European guidelines on how to give clear and comprehensive information on the cookies' use in order to protect the internet user's right to online privacy," 24th European Regional ITS Conference, Florence 2013 88468, International Telecommunications Society (ITS).
    11. Thorben Kaul & Tobias Meyer & Walter Sextro, 2017. "Formulation of reliability-related objective functions for design of intelligent mechatronic systems," Journal of Risk and Reliability, vol. 231(4), pages 390-399, August.
    12. Hoehn, John P. & Randall, Alan, 2002. "The effect of resource quality information on resource injury perceptions and contingent values," Resource and Energy Economics, Elsevier, vol. 24(1-2), pages 13-31, February.
    13. Tatjana JOVANOVIĆ & Aleksander ARISTOVNIK & Tereza ROGIĆ LUGARIĆ, 2016. "A Comparative Analysis Of Building Permits Procedures In Slovenia And Croatia: Development Of A Simplification Model," Theoretical and Empirical Researches in Urban Management, Research Centre in Public Administration and Public Services, Bucharest, Romania, vol. 11(2), pages 5-23, May.
    14. Teisl, Mario F. & Roe, Brian, 1998. "The Economics of Labeling: An Overview of Issues for Health and Environmental Disclosure," Agricultural and Resource Economics Review, Cambridge University Press, vol. 27(2), pages 140-150, October.
    15. Kuo-Tai Cheng, 2006. "Telecommunications privatisation in Taiwan: A beautiful mistake?," Working Papers id:764, eSocialSciences.
    16. Azadegan, Arash & Modi, Sachin & Lucianetti, Lorenzo, 2021. "Surprising supply chain disruptions: Mitigation effects of operational slack and supply redundancy," International Journal of Production Economics, Elsevier, vol. 240(C).
    17. Casey B. Mulligan, 2021. "The Incidence and Magnitude of the Health Costs of In-person Schooling during the COVID-19 Pandemic," NBER Working Papers 28619, National Bureau of Economic Research, Inc.
    18. Collins, J. Michael & Simon, Kosali I. & Tennyson, Sharon, 2013. "Drug withdrawals and the utilization of therapeutic substitutes: The case of Vioxx," Journal of Economic Behavior & Organization, Elsevier, vol. 86(C), pages 148-168.
    19. Minjung Lee & Myoungsoon You, 2020. "Safety Behaviors to Reduce Risk of Using Chemical Household Products: An Application of the Risk Perception Attitude Framework," IJERPH, MDPI, vol. 17(5), pages 1-14, February.
    20. Casey B. Mulligan, 2021. "The incidence and magnitude of the health costs of in-person schooling during the COVID-19 pandemic," Public Choice, Springer, vol. 188(3), pages 303-332, September.
