IDEAS home Printed from https://ideas.repec.org/a/wly/riskan/v37y2017i9p1644-1651.html

Resilience of Cyber Systems with Over‐ and Underregulation

Author

Listed:
  • Viktoria Gisladottir
  • Alexander A. Ganin
  • Jeffrey M. Keisler
  • Jeremy Kepner
  • Igor Linkov

Abstract

Recent cyber attacks provide evidence of increased threats to our critical systems and infrastructure. A common reaction to a new threat is to harden the system by adding new rules and regulations. As federal and state governments request new procedures to follow, each of their organizations implements their own cyber defense strategies. This unintentionally increases time and effort that employees spend on training and policy implementation and decreases the time and latitude to perform critical job functions, thus raising overall levels of stress. People's performance under stress, coupled with an overabundance of information, results in even more vulnerabilities for adversaries to exploit. In this article, we embed a simple regulatory model that accounts for cybersecurity human factors and an organization's regulatory environment in a model of a corporate cyber network under attack. The resulting model demonstrates the effect of under‐ and overregulation on an organization's resilience with respect to insider threats. Currently, there is a tendency to use ad‐hoc approaches to account for human factors rather than to incorporate them into cyber resilience modeling. It is clear that using a systematic approach utilizing behavioral science, which already exists in cyber resilience assessment, would provide a more holistic view for decisionmakers.

Suggested Citation

  • Viktoria Gisladottir & Alexander A. Ganin & Jeffrey M. Keisler & Jeremy Kepner & Igor Linkov, 2017. "Resilience of Cyber Systems with Over‐ and Underregulation," Risk Analysis, John Wiley & Sons, vol. 37(9), pages 1644-1651, September.
  • Handle: RePEc:wly:riskan:v:37:y:2017:i:9:p:1644-1651
    DOI: 10.1111/risa.12729
    as

    Download full text from publisher

    File URL: https://doi.org/10.1111/risa.12729
    Download Restriction: no

    File URL: https://libkey.io/10.1111/risa.12729?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Jeremy Kepner & Vijay Gadepally & Pete Michaleas, 2015. "Percolation Model of insider threats to assess the optimum number of rules," Environment Systems and Decisions, Springer, vol. 35(4), pages 504-510, December.
    2. Matthew Bunn, 2004. "Thinking about How Many Guards Will Do the Job," Risk Analysis, John Wiley & Sons, vol. 24(4), pages 949-953, August.
    3. Magat, Wesley A & Viscusi, W Kip & Huber, Joel, 1988. "Consumer Processing of Hazard Warning Information," Journal of Risk and Uncertainty, Springer, vol. 1(2), pages 201-232, June.
    4. Scott D. Sagan, 2004. "The Problem of Redundancy Problem: Why More Nuclear Security Forces May Produce Less Nuclear Security," Risk Analysis, John Wiley & Sons, vol. 24(4), pages 935-946, August.
    5. Ogus, Anthony, 2002. "Comparing Regulatory Systems: Institutions, Processes and Legal Forms in Industrialised Countries," Centre on Regulation and Competition (CRC) Working papers 30609, University of Manchester, Institute for Development Policy and Management (IDPM).
    6. M. Mitchell Waldrop, 2016. "How to hack the hackers: The human side of cybercrime," Nature, Nature, vol. 533(7602), pages 164-167, May.
    7. Bauer, Johannes M. & van Eeten, Michel J.G., 0. "Cybersecurity: Stakeholder incentives, externalities, and policy options," Telecommunications Policy, Elsevier, vol. 33(10-11), pages 706-719, November.
    8. John S. Carroll, 2004. "Redundancy as a Design Principle and an Operating Principle," Risk Analysis, John Wiley & Sons, vol. 24(4), pages 955-957, August.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Bell, Alison J.C. & Rogers, M. Brooke & Pearce, Julia M., 2019. "The insider threat: Behavioral indicators and factors influencing likelihood of intervention," International Journal of Critical Infrastructure Protection, Elsevier, vol. 24(C), pages 166-176.
    2. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    3. Poulin, Craig & Kane, Michael B., 2021. "Infrastructure resilience curves: Performance measures and summary metrics," Reliability Engineering and System Safety, Elsevier, vol. 216(C).
    4. Edward J. Oughton & Daniel Ralph & Raghav Pant & Eireann Leverett & Jennifer Copic & Scott Thacker & Rabia Dada & Simon Ruffle & Michelle Tuveson & Jim W Hall, 2019. "Stochastic Counterfactual Risk Analysis for the Vulnerability Assessment of Cyber‐Physical Attacks on Electricity Distribution Infrastructure Networks," Risk Analysis, John Wiley & Sons, vol. 39(9), pages 2012-2031, September.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Navid Ghaffarzadegan, 2008. "How a System Backfires: Dynamics of Redundancy Problems in Security," Risk Analysis, John Wiley & Sons, vol. 28(6), pages 1669-1687, December.
    2. Cheng, Kuo-Tai & Hebenton, Bill, 2008. "Regulatory governance of telecommunications liberalisation in Taiwan," Utilities Policy, Elsevier, vol. 16(4), pages 292-306, December.
    3. René van Bavel & Nuria Rodríguez-Priego, 2016. "Nudging Online Security Behaviour with Warning Messages: Results from an Online Experiment," JRC Research Reports JRC103223, Joint Research Centre.
    4. Luzak, J. A., 2013. "Privacy notice for dummies? Towards European guidelines on how to give clear and comprehensive information on the cookies' use in order to protect the internet user's right to online privcy," 24th European Regional ITS Conference, Florence 2013 88468, International Telecommunications Society (ITS).
    5. Hoehn, John P. & Randall, Alan, 2002. "The effect of resource quality information on resource injury perceptions and contingent values," Resource and Energy Economics, Elsevier, vol. 24(1-2), pages 13-31, February.
    6. Teisl, Mario F. & Roe, Brian, 1998. "The Economics of Labeling: An Overview of Issues for Health and Environmental Disclosure," Agricultural and Resource Economics Review, Cambridge University Press, vol. 27(2), pages 140-150, October.
    7. Casey B. Mulligan, 2021. "The Incidence and Magnitude of the Health Costs of In-person Schooling during the COVID-19 Pandemic," NBER Working Papers 28619, National Bureau of Economic Research, Inc.
    8. Collins, J. Michael & Simon, Kosali I. & Tennyson, Sharon, 2013. "Drug withdrawals and the utilization of therapeutic substitutes: The case of Vioxx," Journal of Economic Behavior & Organization, Elsevier, vol. 86(C), pages 148-168.
    9. Minjung Lee & Myoungsoon You, 2020. "Safety Behaviors to Reduce Risk of Using Chemical Household Products: An Application of the Risk Perception Attitude Framework," IJERPH, MDPI, vol. 17(5), pages 1-14, February.
    10. Alain Mermoud & Marcus Matthias Keupp & Kévin Huguenin & Maximilian Palmié & Dimitri Percia David, 2019. "To share or not to share: A behavioral perspective on human participation in security information sharing," Post-Print hal-02147702, HAL.
    11. Jean‐Pierre Benoît & Juan Dubra, 2013. "On The Problem Of Prevention," International Economic Review, Department of Economics, University of Pennsylvania and Osaka University Institute of Social and Economic Research Association, vol. 54(3), pages 787-805, August.
    12. Burgess, Jacquelin & Nye, Michael, 2008. "Re-materialising energy use through transparent monitoring systems," Energy Policy, Elsevier, vol. 36(12), pages 4454-4459, December.
    13. Cheng, Kuo-Tai, 2016. "Test of the mediating effects of regulatory decision tools in the communications regulator," Telecommunications Policy, Elsevier, vol. 40(2), pages 277-289.
    14. Lenka Gregorová & Milan Žák, 2008. "Byrokratická bariéra kvality regulace [Bureaucratic constraint of the quality of regulation]," Politická ekonomie, Prague University of Economics and Business, vol. 2008(2), pages 196-228.
    15. Minogue, Martin, 2005. "Apples and oranges: problems in the analysis of comparative regulatory governance," The Quarterly Review of Economics and Finance, Elsevier, vol. 45(2-3), pages 195-214, May.
    16. Ted W. Yellman, 2006. "Redundancy in Designs," Risk Analysis, John Wiley & Sons, vol. 26(1), pages 277-286, February.
    17. Gary S. Becker & Yona Rubinstein, 2011. "Fear and the Response to Terrorism: An Economic Analysis," CEP Discussion Papers dp1079, Centre for Economic Performance, LSE.
    18. Steve Kennedy & Martina K. Linnenluecke, 2022. "Circular economy and resilience: A research agenda," Business Strategy and the Environment, Wiley Blackwell, vol. 31(6), pages 2754-2765, September.
    19. Malecki, Edward J., 2017. "Real people, virtual places, and the spaces in between," Socio-Economic Planning Sciences, Elsevier, vol. 58(C), pages 3-12.
    20. Teisl, Mario F. & Bockstael, Nancy E. & Levy, Alan S., 1997. "Preferences For Food Labels: A Discrete Choice Approach," Strategy and Policy in the Food System: Emerging Issues, June 20-21, 1996, Washington, D.C. 25955, Regional Research Project NE-165 Private Strategies, Public Policies, and Food System Performance.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:wly:riskan:v:37:y:2017:i:9:p:1644-1651. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: https://doi.org/10.1111/(ISSN)1539-6924 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.