
Unravelling the dynamic complexity of cyber-security

Towards identifying core systemic structures driving cyber-security investment decision-making

Sander Zeijlemaker • Book • paperback

  • Summary
    Several recent security incidents show that decision-making on cyber-security
    can have consequences reaching far into the future. In a world of further
    digitalization, interconnectedness, and increasing activities of cyber-criminals,
    the question is how the decision-making needs to adapt to ensure security.
    More than 15 years of research has been conducted in the field of security
    economics on security investment decision-making. Although the field of
    security economics already recognizes static limitations (data quality and invalid
    inferences), we posit security investment decision-making is also impacted
    by dynamic limitations (understanding of feedback, time delay, accumulation
    effects in this domain of decision-making). These limitations may cause decision
    makers to use heuristics (simple mental rules) for making decisions in complex,
    dynamic, and uncertain situations. The use of heuristics can inadvertently and
    unconsciously lead to incorrect decisions. Therefore, our research focusses on
    obtaining more knowledge and insights on these dynamic limitations. The main
    research question of this thesis is: “Which systemic structures drive cyber-security
    investment decision-making, and how can security investment decision-making
    potentially be improved?”
  • Product information
    Binding: Paperback
    Distribution: Book (printed)
    Format: 210mm x 297mm
    Number of pages: 344
    Publisher: Sander Zeijlemaker
    ISBN: 9789083218809
    Publication date: 01-2022
  • Table of contents
    Word of thanks 12
    Summary of the thesis 14

    1 Security investment decision-making research problem 30
    1.1 Summary of Chapter 1 31
    1.2 Security breaches and future concerns 31
    1.3 Static and dynamic limitations impact security investment decision-making 36
    1.4 Research question 40
    1.5 Definitions 41
    1.5.1 Security explained 41
    1.5.2 Systems explained 42
    1.5.3 Heuristics and decision-making explained 42
    1.6 Knowledge gap 42
    1.7 Contribution to society 43
    1.8 Structure of the thesis 45

    2 A literature review on current decision-making practices in cyber-security 46
    2.1 Summary of Chapter 2 47
    2.2 The role of security investment decision-making in the organisation 47
    2.3 The system design 49
    2.3.1 Understanding of the organisation as a designed system 50
    2.3.2 Controlling the organisation based on output (behaviour) of the organisation 52
    2.4 Current practices in security investment decision-making observed in literature 53
    2.4.1 Benchmarks and best-practices 55
    2.4.2 Frameworks and standards 56
    2.4.3 Adherence to compliance 57
    2.4.4 Investment metrics 58
    2.4.4.1 ROI calculations 58
    2.4.4.2 FUD 59
    2.4.5 Perceived risk reduction 59
    2.4.6 Consequences of current practices in decision-making 60
    2.5 The systemic structures of security investment decision-making 62
    2.5.1 The attacker-defender interaction 63
    2.5.2 The response of the resilient organisation 66
    2.5.3 The security investment decision-making financial optimum 68
    2.5.4 Security is a complex dynamic system 69
    2.5.5 Real life security organisation 70
    2.6 Current state of security investment decision-making 72

    3 Research methodology and approach 74
    3.1 Summary of Chapter 3 75
    3.2 Investigating complex systems 75
    3.2.1 Modelling and simulation techniques for investigating complex systems 76
    3.2.2 Characteristics of security investment decision-making 80
    3.2.3 Recommended method 81
    3.3 Our research mandate 83
    3.4 Our research approach and data gathering 84
    3.4.1 Our security taxonomy 85
    3.4.2 Perceived encountered uncertainty 87
    3.4.2.1 Attacker behaviour is limited to a range or intervals of possible values 88
    3.4.2.2 Defender oriented research excludes the deep uncertain aspects of the attacker 90
    3.4.2.3 A single underlying system 91
    3.4.2.4 A limited range of possible outcomes 92
    3.4.2.5 Evaluation 92
    3.4.3 Applying system dynamics methodology and data gathering 93
    3.4.3.1 System dynamics terminology 93
    3.4.3.2 Building system dynamics models 95
    3.4.3.3 Research execution and data gathering 100
    3.4.3.4 Reading instructions data chapter 101
    3.5 Approach to the empirical analysis 103

    4 Cyber-security game: ‘red versus blue’ game results 104
    4.1 Summary of Chapter 4 105
    4.2 The purpose of serious game 106
    4.3 The design process, structure, and setting of the game 108
    4.3.1 The design process 108
    4.3.2 The game structure 114
    4.3.3 The game settings 115
    4.4 The serious game research design 116
    4.5 Results 119
    4.6 First conclusion 126
    4.7 Discussion of the results from the serious game in the field of security investment decision-making 127

    5 Dynamic modelling and policy evaluation: explorative case study research 128
    5.1 Summary and introduction 129
    5.2 DDOS dynamics 129
    5.2.1 DDOS dynamics reference mode 130
    5.2.2 The DDOS dynamics system from an organisational perspective 131
    5.2.3 DDOS Dynamics model description 132
    5.2.3.1 View 1: Attacker behaviour 133
    5.2.3.2 View 2: Defence against bandwidth attacks 134
    5.2.3.3 View 3: Defence against targeted DDOS attacks 135
    5.2.3.4 View 4: Threat intelligence 136
    5.2.3.5 View 5: Incident response 137
    5.2.3.6 View 6: Client perspective 137
    5.2.3.7 View 7: Defender cost 138
    5.2.3.8 View 8: Financial evaluation 139
    5.2.3.9 Most important feedback loops 139
    5.2.4 DDOS dynamics model building and validation 140
    5.2.5 DDOS dynamics policy evaluation finding 143
    5.2.5.1 The artificial organisation 143
    5.2.5.2 Policy evaluation defenders’ perspective 144
    5.2.5.2.1 Defence scenario 1 – scrubbing and hardening 145
    5.2.5.2.2 Defence scenario 2 – Communication plan in place 146
    5.2.5.2.3 Defence scenario 3 – Number of responsive processes 147
    5.2.5.2.4 Defence scenario 4 – speed of implementing architecture upgrades 147
    5.2.5.2.5 Defence scenario 5 – strong hardware layer 148
    5.2.5.2.6 Defence scenario 6 – red team versus compliance DDOS testing 148
    5.2.5.2.7 Defence scenario 7 – size of cloud investment 149
    5.2.5.2.8 Defence scenario evaluation 150
    5.2.6 DDOS dynamics summary and reflection 152
    5.2.6.1 Systemic structures 152
    5.2.6.2 Policy evaluation insights 152
    5.3 Malware dynamics 154
    5.3.1 Malware dynamics reference mode 154
    5.3.2 The malware dynamics system from an organisational perspective 155
    5.3.2.1 Malware attack behaviour 155
    5.3.2.2 Malware defence behaviour 156
    5.3.2.3 Malware dynamics model description 158
    5.3.2.4 The prevention mechanism 159
    5.3.2.5 The spreading of malware 160
    5.3.2.6 Awareness, word-of-mouth effect and discovery 161
    5.3.2.7 Malware dynamics model – financial components 163
    5.3.3 Malware dynamics model building and validation 164
    5.3.4 Malware dynamics policy evaluation 168
    5.3.4.1 Defence effectiveness and asset infectivity 170
    5.3.4.2 Financial aspects of defence effectiveness 173
    5.3.4.3 Defence effectiveness against emerging sophisticated malware attacks 174
    5.3.4.4 The contribution of learning 175
    5.3.5 Malware dynamics summary and reflection 176
    5.3.5.1 Systemic structures 177
    5.3.5.2 Policy evaluation insights 178
    5.4 Detection dynamics 178
    5.4.1 Detection dynamics reference mode 179
    5.4.2 The detection dynamics system from an organisational perspective 180
    5.4.2.1 Detection from a defender’s perspective 180
    5.4.2.2 Detection from an attacker’s perspective 183
    5.4.3 Detection dynamics model description 183
    5.4.3.1 Detection dynamics model description 183
    5.4.3.2 Model description – Financial components 187
    5.4.4 Detection dynamics model building and validation 189
    5.4.5 Detection dynamics policy evaluation 192
    5.4.5.1 Policy evaluation: priority setting 193
    5.4.5.2 Policy evaluation: priority setting 199
    5.4.5.3 Policy evaluation: HR recruitment strategy 202
    5.4.5.4 Policy evaluation: financial effects 205
    5.4.6 Detection dynamics summary and reflection 207
    5.4.6.1 Systemic structures 208
    5.4.6.2 Policy evaluation insights 208
    5.5 Secure software development dynamics 210
    5.5.1 Secure software development dynamics reference mode 210
    5.5.2 The secure software development dynamics system from an organisational perspective 211
    5.5.2.1 The threat actors 212
    5.5.2.2 The employees 213
    5.5.2.3 Secure software development 213
    5.5.2.4 Finance 214
    5.5.3 Secure software development dynamics model description 215
    5.5.3.1 The details of the model 215
    5.5.3.2 Areas of the model affected by managerial software delivery decisions 219
    5.5.3.3 System traps positioned in the model 221
    5.5.3.4 Most important feedback loops 224
    5.5.4 Secure software development dynamics model building and validation 224
    5.5.5 Secure software development dynamics policy evaluation 226
    5.5.6 Secure software development dynamics summary and reflection 228
    5.5.6.1 Systemic structures 228
    5.5.6.2 Policy insights 229
    5.6 Insider threat dynamics 230
    5.6.1 Insider threat dynamics reference mode 231
    5.6.2 The insider threat dynamics system from an organisational perspective 232
    5.6.2.1 The development of the field of insider threat related research 232
    5.6.2.2 System dynamics insider threat model development 234
    5.6.3 Insider threat dynamics model description 235
    5.6.4 Insider threat dynamics model building and validation 240
    5.6.5 Insider threat dynamics policy evaluation 242
    5.6.6 Insider threat dynamics summary and evaluation 246
    5.6.6.1 Systemic structures 246
    5.6.6.2 Policy evaluation insights 247
    5.7 Summary and discussion of case study results 248
    5.7.1 Systemic structures identified in the case studies 249
    5.7.2 System traps identified in the case studies 253
    5.7.3 Generic policy levers identified in the case studies 254

    6 Summary and conclusion 258
    6.1 Overall conclusion and contributions 259
    6.2 Research conclusions 260
    6.3 Research contributions 263
    6.3.1 Scientific contributions 263
    6.3.2 Contributions to managerial practice 264
    6.4 Research limitations 267
    6.4.1 Research assumptions limitations 267
    6.4.2 Selected methodology limitations 267
    6.4.3 The security taxonomy that determined the scope limitation 268
    6.4.4 The serious gaming limitations 268
    6.4.5 The model boundaries and other limitations 269
    6.4.6 The research re-usability limitation 270
    6.4.7 The research contribution limitation 270
    6.5 Future research directions 271
    6.5.1 Interdisciplinary research 271
    6.5.2 Further research in security dynamics 273
    6.5.3 Correlation, causality and communication 275

Excerpt

Summary of the thesis (continued)

Currently, many tools and approaches are available to support decision-making in the
field of cyber-security. Examples of these are risk management, benchmarks, standards,
frameworks, and acting after incidents. The key challenge to security investment
decision-making is that these tools and approaches merely address static limitations.
They focus more on policy setting, stakeholders’ goals, and intended output of decisions.
The underlying system that drives this output (performance) is only to a limited extent
captured by these tools. The structure-behaviour-paradigm implies that the operational
structure of any system drives the observed behaviour of that system. As a consequence,
decision makers often lack the means to estimate the long-term consequences of their
decision-making. The increasing costs of security are clear, while the benefits of avoiding
potential future attacks are vague, distant, and seemingly far away. This appearance
favours other business initiatives over security in investment decision-making.
On the basis of a literature study, we observe the following three important systemic
structures that drive security investment decision making: (1) “the attacker-defender
interaction”, (2) “the response of the resilient organisation”, and (3) “the security investment
decision-making financial optimum”. To better understand these systemic structures of
a complex and dynamic cyber-security decision-making system, we have developed a
‘red versus blue’ security awareness game grounded in system dynamics methodology.
This game provides insights into decision-making practices in an empirical setting.

Our game supports the existence of the attacker-defender interaction, the response
of the resilient organisation, and the security investment decision-making financial
optimum systemic structures, including the mutual interactions between these structures.
The analysis of game results confirms that decision-making in complex and dynamic
cyber-security decision-making systems is difficult. Experienced and knowledgeable
participants are not always aware of how their decisions impact the defenders’ future
security state. The game results show the usage of heuristics in complex and challenging
environments.
We tested how the three systemic structures observed in literature appear in different
cyber-security areas. We selected five key security topics closely related to the different
steps of the execution of a cyber-attack (kill chain). This approach allows us to have a
comprehensive empirical overview of the cyber-security field. We used a case study
approach grounded in group model building methodology. The topics of these case studies
were distributed denial of service (DDOS), malware, detection engines usage, insider
threat, and secure software development. Specific equation building techniques (following
system dynamics methodology) allowed us to replicate the observed behaviour of
organisational defence strategies across different domains (threat actor, security function,
business operations and finance). In doing so, we identified additional systemic structures
that drive this observed behaviour and were able to simulate the future effects of different
scenarios and security policy settings using identified controls. The case studies’ policy
analysis confirmed that the “attacker-defender interaction” structure will increase cost and
resources needed while “the response of the resilient organisation” may stabilise or lower
costs.
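The dynamic limitations named earlier in the summary (feedback, time delay, accumulation effects) and the spreading mechanism of the malware case study can be made concrete with a small stock-and-flow simulation in the style of system dynamics. The block below is an added illustration and is not the thesis's model or code: the asset count, contact and cleanup rates, capability-per-spend factor, reporting lag, threshold and cost weights are all assumed values, and the "reactive" policy merely stands in for the act-after-incidents heuristic the summary describes.

```python
"""Minimal stock-and-flow simulation of malware spread versus defence investment.

Constructed illustration, not the thesis's model. It exhibits the three dynamic
limitations named in the summary: feedback (reported infections drive spending,
delivered capability damps infections), time delay (a reporting lag plus a
first-order implementation delay) and accumulation (infected assets and defence
capability are stocks that integrate their daily flows). All parameters are
assumptions chosen for illustration.
"""

N_ASSETS = 1000             # assets in scope (assumption)
INITIAL_INFECTED = 10.0     # infected assets on day 0 (assumption)
CONTACT_RATE = 0.2          # new infections per infected asset per day with no defence
CLEANUP_RATE = 0.05         # fraction of infected assets cleaned per day
CAPABILITY_PER_UNIT = 0.01  # defence capability (0..1) gained per unit of delivered spend
BREACH_COST = 1.0           # cost per infected asset per day, same unit as spend


def reactive_policy(observed_infected, defence):
    """Act-after-incidents heuristic: spend 10/day only while the (lagged) SOC
    report shows more than 50 infected assets (assumed threshold)."""
    return 10.0 if observed_infected > 50 else 0.0


def steady_policy(observed_infected, defence):
    """Proactive alternative: a constant 3/day until capability is maxed out."""
    return 3.0 if defence < 1.0 else 0.0


def simulate(policy, delay_days=1, lag_days=5, horizon=120):
    """Euler-integrate the model one day at a time and return summary figures
    plus the time series.

    delay_days: mean time for approved spend to become working capability
                (first-order delay; 1 means 'effective the next day').
    lag_days:   reporting lag between the true and the observed infection count.
    """
    infected, defence, pipeline = INITIAL_INFECTED, 0.0, 0.0
    history = {"infected": [], "defence": [], "spend": []}
    first_spend_day = None
    for day in range(horizon):
        history["infected"].append(infected)
        history["defence"].append(defence)
        # The decision maker sees a lagged report, not the true stock.
        observed = history["infected"][max(0, day - lag_days)]
        spend = policy(observed, defence)
        if spend > 0 and first_spend_day is None:
            first_spend_day = day
        history["spend"].append(spend)
        # Implementation delay: approved spend sits in a pipeline stock and
        # drains into capability at rate pipeline / delay_days.
        delivered = pipeline / delay_days
        pipeline += spend - delivered
        defence = min(1.0, defence + CAPABILITY_PER_UNIT * delivered)
        # Infection stock: logistic spread damped by capability, minus cleanup.
        new_infections = CONTACT_RATE * infected * (1 - infected / N_ASSETS) * (1 - defence)
        cleaned = CLEANUP_RATE * infected
        infected = min(N_ASSETS, max(0.0, infected + new_infections - cleaned))
    total_spend = sum(history["spend"])
    breach_cost = BREACH_COST * sum(history["infected"])
    return {
        "peak_infected": max(history["infected"]),
        "total_spend": total_spend,
        "breach_cost": breach_cost,
        "total_cost": total_spend + breach_cost,
        "first_spend_day": first_spend_day,
        **history,
    }


if __name__ == "__main__":
    runs = [("reactive, 1-day delay", reactive_policy, 1),
            ("reactive, 30-day delay", reactive_policy, 30),
            ("steady, 30-day delay", steady_policy, 30)]
    for name, policy, delay in runs:
        r = simulate(policy, delay_days=delay)
        print(f"{name:24s} first spend day={r['first_spend_day']:3d} "
              f"peak={r['peak_infected']:6.1f} spend={r['total_spend']:7.1f} "
              f"breach={r['breach_cost']:8.1f} total={r['total_cost']:8.1f}")
```

Two things to notice when running it. First, the reactive policy does nothing until the lagged report crosses the threshold, so the first spend day is the reporting lag after the true count crossed it; the heuristic is reacting to a state that no longer exists. Second, lengthening the implementation delay from 1 to 30 days with the same heuristic yields a higher infection peak and a higher total cost: the spend is the same per day and is clearly visible, while the benefit (the avoided infected-asset-days) only shows up when the two runs are compared, which is exactly the asymmetry the summary describes. The absolute numbers are artefacts of the assumed parameters; the structure-behaviour relationship is the point.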
Building on the insights from our case studies, we were able to identify three core systemic
structures (in line with our literature research) that drive the cost of security, eleven
sub-structures that may act as a game changer (both for attacker or defender), and eight
generic policy options for the chief information security officer (CISO) to influence
the security strategy. The results are finally summarized in a sector specific archetype
describing the cyber-security investment decision-making dynamics. The contribution
to the system dynamics field is an expansion of the research in cybersecurity. In order
to be able to do this research, different academic fields had to be integrated: enterprise
architecture, system dynamics, finance and risk management. The contribution to the
security economics field is a first attempt to integrate different academic fields and
perform a systemic research approach to security investment decision-making.
Through our focus on dynamic limitations, we believe we were able to circumvent the
effects of certain observed static limitations in the field of security economics. However,
future research needs to confirm and deepen our insights. We did not execute any
comparative research on the current tools and approaches supporting the decision-making
process. Yet, we perceive this approach as complementary to them. We also found
several limitations in our research that provide possibilities for follow-up research. These
limitations are related to the research assumptions, the used methodology, the scoping,
the serious game, the case study models, and the research re-usability.