Measuring and Mitigating the Risk of Advanced Cyberattackers

Published Online: https://doi.org/10.1287/deca.2023.0072
