Printed from https://ideas.repec.org/a/wly/riskan/v40y2020i1p183-199.html

Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management

Authors
  • Alexander A. Ganin
  • Phuoc Quach
  • Mahesh Panwar
  • Zachary A. Collier
  • Jeffrey M. Keisler
  • Dayton Marchese
  • Igor Linkov

Abstract

Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decision-maker values and technical data.

Suggested Citation

  • Alexander A. Ganin & Phuoc Quach & Mahesh Panwar & Zachary A. Collier & Jeffrey M. Keisler & Dayton Marchese & Igor Linkov, 2020. "Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management," Risk Analysis, John Wiley & Sons, vol. 40(1), pages 183-199, January.
  • Handle: RePEc:wly:riskan:v:40:y:2020:i:1:p:183-199
    DOI: 10.1111/risa.12891
    Full text: https://doi.org/10.1111/risa.12891 (download restriction: no)
