
An Adversarial Risk Analysis Framework for Cybersecurity.

David Rios Insua1, Aitor Couce-Vieira1, Jose A Rubio2, Wolter Pieters3, Katsiaryna Labunets3, Daniel G Rasines4.   

Abstract

Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as template for more complex problems.
© 2019 The Authors. Risk Analysis published by Wiley Periodicals LLC on behalf of Society for Risk Analysis.

Keywords:  Adversarial risk analysis; cyber insurance; cybersecurity; resource allocation; risk analysis

Year:  2019        PMID: 31183890      PMCID: PMC7891439          DOI: 10.1111/risa.13331

Source DB:  PubMed          Journal:  Risk Anal        ISSN: 0272-4332            Impact factor:   4.000


INTRODUCTION

At present, all kinds of organizations are being critically impacted by cyber threats (Anderson, 2008; Andress & Winterfeld, 2013). Risk analysis is a fundamental methodology to help manage such issues (Cooke & Bedford, 2001). With it, organizations can assess the risks affecting their assets and what security controls they should implement to reduce the likelihood of such threats and/or their possible impacts should they happen. Numerous frameworks support cybersecurity risk management, including ISO 27005 (International Organization for Standardization [ISO], 2011), CRAMM (Central Communication and Telecommunication Agency [CCTA], 2003), MAGERIT (Ministerio de Hacienda y Administraciones Públicas [MINHAP], 2012), EBIOS (Agence Nationale de la Sécurité des Systèmes d'Information [ANSSI], 1995), SP 800‐30 (National Institute of Standards and Technology [NIST], 2012), and CORAS (Lund, Solhaug, & Stølen, 2010). Similarly, several compliance and control assessment frameworks, like ISO 27001 (ISO, 2013), Common Criteria (The Common Criteria Recognition Agreement Members [CCRA], 2009), and CCM (Cloud Security Alliance [CSA], 2016), provide guidance on the implementation of cybersecurity best practices. They have many virtues, particularly their extensive catalogues of threats, assets, and controls, and provide detailed guidelines for the implementation of countermeasures to protect digital assets. However, much remains to be done regarding risk analysis from a methodological point of view.
Indeed, a detailed study of the main approaches to cybersecurity risk management reveals that it often relies on risk matrices, with shortcomings well documented in Cox (2008) and Thomas, Bratvold, and Bickel (2014): compared to more stringent methods, the qualitative ratings in risk matrices (likelihood, severity, and risk) are more prone to ambiguity and subjective interpretation and, very importantly for our application area, they systematically assign the same rating to risks that are qualitatively very different, potentially inducing suboptimal cybersecurity resource allocations. Hubbard and Seiersen (2016) and Allodi and Massacci (2017) provide additional critical views on the use of risk matrices in cybersecurity. Moreover, with few exceptions, like IS1 (National Technical Authority for Information Assurance [HMG], 2012), those methodologies do not explicitly take into account the intentionality of certain threats. This is in contrast with the relevance that organizations like the Information Security Forum (ISF, 2016) start to give to such threats, receiving the name adversarial in contrast to more standard ones defined as accidental or environmental. Thus, ICT owners may obtain unsatisfactory results in relation to the prioritization of cyber risks and the measures they should implement. In this context, a complementary way for dealing with cyber risks through risk transfer is emerging: cyber insurance products, of very different natures and not in every country, have been introduced in recent years by companies like AXA, Generali, and Allianz. However, cyber insurance has yet to take off (Marotta, Martinelli, Nanni, Orlando, & Yautsiukhin, 2017). We aim at developing methods to support decisions in relation to cybersecurity resource allocation, including the adoption of cyber insurance.
Fielder, Panaousis, Malacaria, Hankin, and Smeraldi (2016) review and introduce various approaches to such problems, focusing on optimization and game‐theory models and their combination. Schilling and Werners (2016) describe a combinatorial optimization approach for optimal selection of IT security safeguards, with no consideration of risk or adversarial aspects. Cavusoglu, Raghunathan, and Yue (2018) and Rao et al. (2015) provide game‐theoretic models for cybersecurity resource allocation under common knowledge assumptions that might not be realistic in our context. Thus, we propose an alternative framework for cybersecurity risk analysis, combining optimization with an adversarial risk analysis (ARA) approach to deal with adversarial agents; we emphasize adversarial aspects for a better prediction of threats as well as include cyber insurance within the cybersecurity portfolio. Section 2 presents our framework, supported by a simplified case study in Section 3, which may serve as a template for more complex problems. We conclude with a brief discussion. An appendix compares our approach with a standard game‐theoretic one in a stylized example.

A CYBERSECURITY ADVERSARIAL RISK ANALYSIS FRAMEWORK

We introduce our integrated risk analysis approach to facilitate cybersecurity resource allocation. Our aim is to improve current cybersecurity frameworks, introducing schemes that incorporate all relevant parameters, including decisionmakers' preferences and risk attitudes (Clemen & Reilly, 2013) and the intentionality of adversaries. Moreover, we consider decisions concerning cyber insurance adoption to complement other risk management alternatives through risk transfer. We present the framework stepwise, analyzing the elements involved progressively. We describe the models (Banks, Rios, & Rios Insua, 2015) through influence diagrams (ID) and bi‐agent influence diagrams (BAID) detailing the relevant elements: assets, threats, security controls, and impacts. At each step, we provide a brief description of the diagrams introduced and a generic mathematical formulation.

System Performance Evaluation

Fig. 1 describes the starting outline for a cyber system under study. designates the costs associated with its operation over the relevant period; they are typically uncertain and modeled with a probability distribution . We introduce a utility function over costs to account for risk attitudes (Ortega, Radovic, & Rios Insua, 2018). We evaluate system performance under normal conditions, that is, in absence of relevant incidents, through its associated expected utility (French & Rios Insua, 2000). This scheme can be sophisticated in several directions. For example, there could be several performance functions, leading to a multiattribute problem, as reflected in the case in Section 3. A typical example in cybersecurity is to consider attributes concerning information availability, integrity, and confidentiality (Mowbray, 2013).
Fig 1

Basic ID for system performance evaluation. indicates costs associated with system operation over the relevant planning period; the utility function accounts for risk attitudes. Note that in IDs, oval nodes represent uncertainties modeled with a probability distribution , and utility nodes represent preferences modeled with a utility function .

Cybersecurity Risk Assessment

Based on Fig. 1, we consider the cybersecurity risk assessment problem in Fig. 2. In general, we include m threats ; some of them could be physical (e.g., a fire) and others cyber (e.g., a DDoS attack). Their occurrences are random variables. We also include l types of assets; some of them could be traditional (e.g., facilities) and others could be cyber (e.g., information systems). Impacts on them will be, respectively, designated and are typically uncertain. If the impacts are conditionally independent given the threats, the corresponding model would be of the form , where describes the probability of the threats happening, and describes the probability of impact on the ith asset, given the occurrence of various threats. We aggregate costs additively at the total cost node c. Then, the expected utility would be: We have assumed that consequences are additive, but we could have a generic utility . Finally, we evaluate the loss in expected utility . Alternatively, we could compare the difference in the corresponding certain equivalents (French, 1986). When such difference is sufficiently large, incidents are expected to harm the system significantly and we should manage such risks. Note that we could incorporate several utility nodes to describe multiple stakeholders' preferences.
Fig 2

Cybersecurity risk assessment. The threats (two in this example, t1 and t2) might impact on the organization's assets, causing costs (two in this example, and ). These costs, and those under normal conditions , are aggregated to determine the total costs c and evaluated through the utility function . Recall that in IDs, double‐lined ovals represent deterministic aspects.

Risk Mitigation in Cybersecurity Risk Management

As a next step, we add security controls. We introduce a portfolio of them to reduce the likelihood of threats and/or their impact. Examples include firewalls, employee training, or making regular backups. For simplicity, in Fig. 3, we assume that all controls have influence over all events and impacts. It will not always be so: a fire detector makes a fire less harmful, but not less likely; resource accounting mechanisms (Mirkovic & Reiher, 2004) managing access based on user privileges make a successful DDoS attack less likely, but usually not less harmful. Node e describes the portfolio of controls, whose cost we model through the distribution . Controls might have influence on threat likelihoods , , as well as on asset impact likelihoods . We aggregate all costs through the total cost node c, under appropriate additivity assumptions. In this case, the organization's expected utility when we implement portfolio e is: We would then look for the maximum expected utility portfolio by solving , where E is the set of feasible portfolios, which should satisfy incumbent constraints like economic (e.g., not exceeding a budget), legal (e.g., complying with data protection laws), logistic, or physical.
Fig 3

Cybersecurity risk management. We add to Fig. 2 the security controls portfolio e (and its cost ) that the organization can implement to mitigate the threats or their impacts. Recall that rectangle nodes represent decisions.

Risk Transfer in Cybersecurity Risk Management: Cyber Insurance

As a relevant element of increasing interest, we introduce the possibility of acquiring a cyber insurance product. Its cost will typically depend on the implemented portfolio of controls, as in Fig. 4: the better such a portfolio is, the lower the insurance premium would be. This cost will also depend on the assets to be protected. We could include the insurance within the portfolio of controls; however, it is convenient to represent it separately, since premiums will usually depend on the controls deployed. The decision node i describes the cyber insurance adopted, with entailed costs with probability , although they will usually be deterministic. In addition, insurance and security controls will affect impacts, modeled through . The total cost node c aggregates the costs. The expected utility when we implement portfolio e together with insurance i is: We seek the maximum expected utility portfolio of security controls and insurance by solving , where I represents the catalogue of insurance products available. The pair could be further restricted jointly, for example, by compliance requirements or common budget constraints.
Fig 4

Cyber insurance for cybersecurity risk management. We add to Fig. 3 the insurance i (and its cost ) to which the organization can subscribe to mitigate the impacts that the threats can cause.

Adversarial Risk Analysis in Cybersecurity

As discussed, intentionality is a key factor when analyzing cyber threats. As an example, the ISF (2016) specifies a group of several adversarial threats within its catalogue. We use ARA (Banks et al., 2015) to model the intentions and strategic behavior of adversaries in the cybersecurity domain; see Merrick and Parnell (2011) for a comparison of various methods modeling adversaries in risk management. Under ARA, the attacker has his own utility function and seeks to maximize the effectiveness of his attack. This paradigm is applicable to multiple types of strategic interactions between attackers and defenders. Two of them are specially relevant in cybersecurity.

Defense–Attack Model

The original examples, Figs. 2 and 3, evolve into Fig. 5, modeling an adversarial case through a BAID with a Defender and an Attacker. The unintentional threat remains modeled through a probabilistic node, whereas we model the adversarial threat through a decision node for the Attacker, who needs to decide whether to launch an attack to his benefit. For simplicity, in the diagram we model the physical threat t 1 as unintentional and the cyber threat a as adversarial, although adversarial physical threats and unintentional cyber threats could be relevant in certain cases, as exemplified in the case study. Also for simplicity, we only consider one attacker and one attack, but the ideas extend to multiple attacks by one attacker or to multiple attackers.
Fig 5

Adversarial risk analysis in cybersecurity: defense–attack problem. We modify Fig. 3 by transforming the cyber threat into an adversarial one: an attacker is deciding whether to attack the organization (a) based on his own evaluation, , of the harm caused to the organization, and the cost of performing the attack. Lighter nodes refer to issues concerning solely the Defender; darker nodes refer to issues relevant only for the Attacker; nodes with striped background affect both agents. Arcs have the same interpretation as in Shachter (1986).

We present a sequential defense–attack template model for cybersecurity. For the Defender problem, this converts the Attacker's decision nodes into chance ones and eliminates the Attacker's nodes not affecting it, as well as the corresponding utility node. For the Attacker, where we assume here that there is only one Attacker responsible for the adversarial threat a independent of the other threats, given the portfolio e. Fig. 3 essentially presents the Defender problem and we covered its resolution in Section 2.3. The cyber attack is described probabilistically through , which represents the probability that the Defender assigns to cyber threat a materializing, had portfolio e been adopted. However, given the strategic nature of this problem, rather than using a standard probability elicitation approach (Dias, Morton, & Quigley, 2018), we greatly facilitate and improve the assessment of the required distribution if we analyze the Attacker decision about which attack to perform, as argued in Rios, Insua, Banks, Rios, and Ortega (2019). Under the ARA paradigm, the Defender should analyze the Attacker strategic problem in Fig. 6.
Fig 6

Attacker problem in the defense–attack model.

Specifically, given portfolio e, and assuming that the Attacker maximizes expected utility, the Defender would compute, for each attack a, the expected utility for the Attacker: where and designate, respectively, the utility and probabilities of the Attacker. The Defender must then find the attack solving: where A is the set of attack options. However, the Defender will not typically know and . Suppose we are capable of modeling her uncertainty about them with random probabilities and a random utility function (Banks et al., 2015). Then, the optimal random attack, given e, is: Finally, the distribution over attacks we were looking for satisfies , assuming that the attack set is discrete (e.g., attack options). Similarly, if the attack space is continuous (e.g., attack efforts), the probability becomes a density function. We can estimate such attack distribution through Monte Carlo (MC) simulation as in Algorithm 1 (see the Appendix), where we designate the distribution of random utilities and probabilities through .
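The Monte Carlo step described above, together with the Defender's expected-utility maximization over portfolios from the risk mitigation section, can be sketched as follows. This is an added example, not the paper's Algorithm 1 or its case-study model: every number, distribution, utility form and name (`attacker_eu`, `attack_distribution`, `defender_eu`, `solve`) is a constructed assumption, with amounts in thousand euros.

```python
import math
import random

# Constructed toy setting (assumed values, not the paper's case-study data).
ATTACKS = (0, 1, 2)  # number of DDoS attempts; 0 means "do not attack"
PORTFOLIOS = {       # e -> (control cost, Defender's own per-attempt success probability)
    "none": (0.0, 0.60),
    "ddos_protection": (4.8, 0.10),
}
# Defender's uncertainty about the Attacker's success belief: Beta parameters per portfolio.
ATTACKER_SUCCESS_PRIOR = {"none": (6, 4), "ddos_protection": (1, 9)}
ATTEMPT_COST, PENALTY, DEFENDER_LOSS, K_D = 5.0, 200.0, 120.0, 0.01


def at_least_once(p, n):
    """Probability that an event with per-attempt probability p happens in n attempts."""
    return 1.0 - (1.0 - p) ** n


def attacker_eu(a, q, d, gain, k):
    """Attacker's expected utility of attack a for ONE sampled (utility, probability) pair."""
    def utility(x):
        return math.expm1(k * x) / k  # convex in x: a risk-seeking attacker (assumed form)

    p_success, p_detect = at_least_once(q, a), at_least_once(d, a)
    total = 0.0
    for success, ps in ((1, p_success), (0, 1.0 - p_success)):
        for detected, pd in ((1, p_detect), (0, 1.0 - p_detect)):
            payoff = success * gain - detected * PENALTY - a * ATTEMPT_COST
            total += ps * pd * utility(payoff)
    return total


def attack_distribution(e, n_sims=5000, seed=1):
    """Estimate the attack probabilities given e as the share of sampled attackers
    for whom each attack is the expected-utility maximizer."""
    rng = random.Random(seed)
    counts = dict.fromkeys(ATTACKS, 0)
    alpha, beta = ATTACKER_SUCCESS_PRIOR[e]
    for _ in range(n_sims):
        q = rng.betavariate(alpha, beta)   # random success probability
        d = rng.betavariate(2, 18)         # random detection probability
        gain = rng.uniform(50.0, 150.0)    # random value of the disruption to the Attacker
        k = rng.uniform(0.001, 0.01)       # random risk-seeking coefficient
        best = max(ATTACKS, key=lambda a: attacker_eu(a, q, d, gain, k))
        counts[best] += 1
    return {a: c / n_sims for a, c in counts.items()}


def defender_eu(e, p_attack):
    """Defender's expected utility of portfolio e, with the attack node now a chance node."""
    cost, q_d = PORTFOLIOS[e]
    total = 0.0
    for a, p_a in p_attack.items():
        p_hit = at_least_once(q_d, a)
        u_hit = -math.exp(K_D * (cost + DEFENDER_LOSS))  # risk-averse utility over total cost
        u_ok = -math.exp(K_D * cost)
        total += p_a * (p_hit * u_hit + (1.0 - p_hit) * u_ok)
    return total


def solve():
    """Run the Attacker simulation per portfolio, then pick the best portfolio."""
    dists = {e: attack_distribution(e) for e in PORTFOLIOS}
    utilities = {e: defender_eu(e, dists[e]) for e in PORTFOLIOS}
    return dists, utilities, max(utilities, key=utilities.get)


if __name__ == "__main__":
    dists, utilities, best = solve()
    for e in PORTFOLIOS:
        print(e, dists[e], round(utilities[e], 3))
    print("optimal portfolio:", best)
```

The attack probabilities are not elicited directly: they fall out of the Defender's uncertainty about the Attacker's utilities and beliefs, which is the point of the ARA step.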

Defense–Attack–Defense Model

Cybersecurity risk management also comprises reactive measures that can be put in place to counter an attack, should it happen. Therefore, we split the security portfolio into two groups: preventive and reactive security controls, as in Fig. 7. This corresponds to our sequential defense–attack–defense template model, in which the first move is by the Defender (preventive portfolio ), the second one is by the Attacker (attack after observing preventive controls, ), and the third one is by the Defender (reactive portfolio ). We solve the Defender problem much as we did in Section 2.3, reflecting changes caused by splitting the security control node. Specifically, the expected utility when portfolio is implemented is: We would then look for the maximum expected utility portfolio: where and , respectively, define constraints for preventive and reactive portfolios, some of which could be joint.
Fig 7

Adversarial risk analysis in cybersecurity: defense–attack–defense problem.

The above represents a global view of the sequential problem, although we solve this kind of two‐stage problem sequentially, as in He and Zhuang (2017). We would solve the Attacker problem providing in a similar fashion as in Section 2.5.1.

A CASE STUDY TEMPLATE

We illustrate our cybersecurity risk analysis framework with a defense–attack case study, which can serve as a template for more complex problems. For confidentiality reasons, we have simplified the number of relevant issues and masked the data conveniently. This simplification will also allow us to better illustrate key modeling concepts and the overall scheme. Moreover, we include uncertain phenomena in which data are abundant and others in which they are not and, thus, we shall need to rely on expert judgment for its quantification (Dias et al., 2018). The Defender is an SME with 60 people and 90 computers. A cyber attack might affect its online services. Prices and rates in Euros refer to Spain, where the incumbent organization is located. In essence, we first structure the problem, identifying assets, threats, and security controls. The latter may have implementation costs in exchange for reducing the threat likelihoods and/or possible impacts. Subsequently, we assess the impacts that may have an effect on asset values to find the optimal risk management portfolio. Since we include adversarial threats, we consider the Attacker decision problem. In this case, there is a single potential Attacker that contemplates a DDoS attack with the objective of disrupting the Defender services, causing an operational disruption and reputational damage and the consequent loss of customers, besides incurring contractual penalties potentially affecting its continuity. Then, we simulate from this problem to obtain the attack probabilities, which feed back into the Defender problem to obtain the optimal defense. We focus on finding the optimal security portfolio and insurance product for the company, in the sense of maximizing expected utility. Other formulations are discussed in Section 3.5. We consider a one‐year planning horizon.

Problem Structuring

We structure the problem through the BAID in Fig. 8 and describe its components next.
Fig 8

Case study as a BAID.

Assets

We first identify the Defender assets at risk. We could obtain them from catalogues like those of the methodologies mentioned in Section 1. Here we consider: Facilities, the offices potentially affected by threats; Computer equipment, the data center and workstations of the organization; Market share. Other assets not considered in this case include, for example, the company's development software, its business information, its mobile devices, or the staff.

Nonintentional Threats

We consider threats over the identified assets deemed relevant and having nonintentional character. This may include threats traditionally insurable as well as new ones potentially cyber insurable. We model each threat with a probabilistic node associated with the Defender problem. We extract two threats from the MAGERIT (MINHAP, 2012) catalogue: fire and computer virus. A fire may affect facilities and computers; we do not contemplate impact on market share, as the organization has a backup system; we assume that a fire can occur only by accident, not by sabotage. The computer virus is aimed at disrupting normal operations of computer systems; we consider this threat nonintentional, as most viruses propagate automatically: their occurrence tends to be random from the Defender perspective. Other nonintentional threats, not considered here, could be water damage, power outages, or employee errors.

Intentional Threats

This category may include both cyber and physical threats. Again, we could use catalogues from, for example, ISF (2016). We should first identify the attackers. We then integrate the attack options available to each attacker within a single decision node. In our case, we just consider one competitor, reflected in the competitor attack node. He may attempt a DDoS to undermine the availability of the Defender site, compromising its customer services. For this, he must decide whether to launch the attack and the number of attempts. Other intentional attacks, not modeled here, could include launching an advanced persistent threat, instigating the misbehaviour of insiders, or the use of bombs.

Uncertainties Affecting Threats

We consider now those uncertainties affecting the Defender's assets. We model each of them with a probabilistic node. In our case, these will be the duration of the DDoS attack, which will depend on the number of attacks and security controls deployed, and the fire duration, which can be reduced with an anti‐fire system. Other related uncertainties could come, for example, from a more detailed modeling of the virus (e.g., infection probability given the operating system) or the eventual propagation of the fire to adjacent buildings.

Attacker Uncertainties

We model the uncertainties that the Attacker might find relevant and that only affect him with probabilistic nodes (in his own color). In our case, we consider only the detection of the Attacker: if detected, his reputation would suffer and he might face legal prosecution. Other attacker uncertainties that might be included are the effectiveness of the DDoS platform or the number of customers affected by the DDoS.

Relevant Security Controls

We identify security controls relevant to counter the threats. For this, we may use listings from the above‐mentioned methodologies. We associate a Defender decision node with the security controls. In our case, we consider an anti‐fire system to detect a fire, facilitating early mitigation; a firewall to protect the network from malicious traffic; the implementation of risk mitigation procedures for cybersecurity and fire protection; and a cloud‐based DDoS protection, diverting DDoS traffic to an absorbing cloud‐based site. Other measures, not included here, could be a system resource management policy, a cryptographic data protocol, or a wiring protection.

Insurance

We also consider the possibility of purchasing insurance to transfer risk with the corresponding Defender decision node. The premium will depend on the protected assets and contextual factors such as location, company type and, quite importantly, the implemented controls. Table I displays the contemplated insurance products.
Table I

Insurance Product Features, Some of Them Referring to Cyber Impacts

| Product | Coverage |
|---|---|
| No insurance | None. |
| Traditional insurance | 80% of hired capital in buildings and contents, firefighters, and movement of furniture. |
| Cyber insurance | 80% of cyber expenses related to: confidential data violation, investigation and legal costs, losses caused by threats and extortion, removal of computer viruses, measures related to data protection procedures, and computer fraud. |
| Comprehensive insurance | All of the above. |

Impacts on Defender

Having identified the threats, we present their relevant impacts on the Defender's assets. We model each of them with a probabilistic node. We consider: Impact on facilities, the monetary losses caused by fire in or on them; Impact on computers, the monetary losses caused by fire or viruses split into insurable and noninsurable ones to assess the possible insurance coverage; Impact on market share. We also consider the impacts associated with safeguards as deterministic nodes: cost of security controls, cost of insurance, and insurance coverage. Finally, a deterministic total costs node aggregates the Defender's consequences to establish the final impact in the Defender problem. We could include other types of impacts such as the corporate image or the staff safety, although we do not do so here.

Impacts on Attacker

We consider the following impacts: Attacker earnings from increased market share, transferred from those lost by the defender; Costs when detected, covering possible sanctions by the regulator and legal costs, as well as loss of customers and reputation, if detected. The final Results of attack combines all previous impacts, as well as the costs of undertaking the attack. We model the Costs when detected as a probabilistic node. The remaining ones are deterministic.

Preferences

Value nodes describe how the corresponding agent evaluates consequences. We include one value node for each of the participating agents: the Utility of Defender node models the Defender preferences and risk attitudes over the total costs; the Utility of Attacker node models those of the Attacker.

Defender and Attacker Problems

Figs. 9 and 10, respectively, represent the Defender and Attacker problems derived from the strategic problem in Fig. 8. We use both diagrams to guide judgment elicitation.
Fig 9

Defender problem.

Fig 10

Attacker problem.

Assessing the Defender's Nonstrategic Beliefs and Preferences

We now provide the quantitative assessment of the Defender beliefs and preferences not requiring strategic analysis. Some of them will be based on data and expert judgment, others just on expert judgment due to the typical lack of data in cybersecurity environments (Hubbard & Seiersen, 2016). As a consequence, we populate most nodes in the model. Section 3.3 treats nodes that require strategic analysis. Finally, Section 3.4 analyzes the Defender problem to find the optimal controls and insurance. When incumbent, we provide the pertinent utility u, random utility , probability p, random probability , or deterministic model at the corresponding node.

Economic Value of Defender Assets

We consider the following values for the assets at risk: Facilities, with a value of € 5,000,000, reflecting only acquisition costs; Computer equipment, with a value of € 200,000, under similar considerations; Market share is estimated at 50%, which, translated into next‐year expected profits, is valued at € 1,500,000.

Modeling Security Controls

Security controls decision s. The security portfolios that the Defender could implement derive from the options in Section 3.1. For the DDoS protection, we have the choice of not implementing it or subscribing to a 2, 5, 10, or 1,000 gbps service. For the other security controls, the choice is binary. We thus have 40 portfolios that could be constrained by, for example, a budget, as in Section 3.5. Cost of security controls . Table II provides them, from which we derive those of the portfolios.
Table II

Cost of Individual Security Controls

| Security Control | Cost |
|---|---|
| Anti‐fire system | € 1,500 |
| Firewall | € 2,250 |
| Risk mitigation procedures | € 2,000 |
| Cloud‐based DDoS protection, 2 gbps | € 2,400 |
| Cloud‐based DDoS protection, 5 gbps | € 3,600 |
| Cloud‐based DDoS protection, 10 gbps | € 4,800 |
| Cloud‐based DDoS protection, 1,000 gbps | € 12,000 |

Modeling the Insurance Product

Insurance decision i. This refers to the insurance product that the Defender could purchase (Table III) once the controls have been selected.
Table III

Insurance Product Cost

| Prod. | Security controls: None | Security controls: Anti‐Fire | Security controls: Firewall or DDoS prot. | Security controls: Proc. |
|---|---|---|---|---|
| None | € 0 | € 0 | € 0 | € 0 |
| Trad. | € 500 | € 300 | € 500 | € 500 |
| Cyber | € 300 | € 300 | € 200 | € 250 |
| Compr. | € 700 | € 500 | € 600 | € 650 |

Insurance cost, . It depends on the controls implemented by the organization (Table III). Insurance coverage , as reflected in Table I.

Modeling the Fire Risk

Likelihood, . This node provides the annual probability of suffering a fire. We use data from Vitoria (DSC de Vitoria, 2009), concerning fire interventions in industrial buildings (Table IV). As the fire rate remains fairly stable over time, we estimate such probability with a beta‐binomial model with beta prior . The posterior would be: where is the number of fires affecting industrial buildings and the number of buildings in the ith year, . As the posterior variance is small, such distribution can be reasonably summarized through its posterior expectation, . The number f of fires can be approximated with a Poisson distribution. However, we consider only the probability that one fire occurs, since . Thus, .
Table IV

Industrial Fire Data in Vitoria (2005–2009)

| Year | Buildings | Fires |
|---|---|---|
| 2005 | 1,220 | 32 |
| 2006 | 1,266 | 29 |
| 2007 | 1,320 | 30 |
| 2008 | 1,347 | 28 |
| 2009 | 1,314 | 28 |
Industrial Fire Data in Vitoria (2005–2009) Duration, . It is a major fire impact determinant (Bagchi, Sprintson, & Singh, 2013): the longer the fire, the more damaging it will be. Fig. 11 presents the histogram of industrial fire durations, with mode [30,60] minutes. Adapting Wiper, Rios Insua, and Ruggeri (2001), we model the fire duration o with a gamma distribution. We assume a noninformative, but proper, exponential prior for and inverse gamma for . No expression for the posterior distribution is available, but we can introduce a Markov chain MC scheme to sample μ and γ from the data. Based on it, we estimate that E() ≈0.85 and E() ≈78.
Fig 11

Industrial fire duration histogram. Vitoria, Spain (2005–2009).

The only proposed control that may have an effect on fire duration is the anti‐fire system. Using expert judgment (Dias et al., 2018), we determine its threshold duration under the proposed system with, respectively, suggested minimum, modal, and maximum durations of 1, 10, and 60 minutes. To mitigate expert overconfidence (Galway, 2007), we consider a triangular distribution with quantiles 0.05 at 1 and 0.95 at 60 minutes, resulting in a triangular distribution , which models o if there is a fire () and the portfolio s contains the anti‐fire system. On the other hand, if the portfolio does not contain the anti‐fire system.

Impact. We assume that the amount lost is linearly related to the fire duration. After consulting with experts, we consider that a fire lasting 120 minutes would degrade the facilities by 100% in the absence of controls. To simplify, we assume that the effect of fire duration is linear. Additionally, the impact on computer equipment derives from the percentage of facility degradation caused by fire. Assuming that computers are evenly distributed through the premises, a fire lasting 120 minutes would also degrade computer equipment by 100%. This impact is potentially insurable and will be modeled in Section 3.2.7.

Modeling the Computer Virus Risk

Likelihood, . This node provides the number v of virus infections during a year. The distribution of the number of infected computers in a month follows a binomial distribution , with q the probability that a computer gets infected and h the number of computers. Various statistics suggest that the rate of virus infections worldwide is 33% (Panda Security, 2015), so we estimate . The organization has 90 computers, which we assume have the same security controls and are equally likely to be infected. Since the analysis is for 12 months, we use . Additionally, we consider the effect of our controls: if a firewall is implemented, the probability that a computer gets infected reduces to , not completely eliminating the threat, even if this includes continuous updating based on the latest virus signatures; if the mitigation procedures are implemented, the infection probability reduces by 50%, with firewall or not, as this control entails improvements in the organization such as imposing safety requirements on acquired systems. The number v of infections is, therefore, modeled as in Table V.
Table V

Number v of Annual Virus Infections

| Sec. Controls in s | Distribution |
|---|---|
| Firewall and proc. | v ∼ B(1080, 0.0025) |
| Firewall | v ∼ B(1080, 0.005) |
| Procedure | v ∼ B(1080, 0.1666) |
| Otherwise | v ∼ B(1080, 0.33) |

Impact. Viruses may impact the integrity and availability of computers, leading to information corruption or unavailability. Impacts on confidentiality are variable, as they depend on the stolen information. The average daily cost of these infections was estimated at € 2.683 (Solutionary, 2013), although this may vary depending on the monetary value of the information and services that the victim systems support. Bigger losses come from sophisticated campaigns (e.g., as with WannaCry) or targeted malware that, under our paradigm, we would better model as an adversarial threat. In our case, repairing a computer infected by a virus requires € 31, for two technician hours. Insurance options cover the removal of computer viruses. Therefore, we cover this impact within the insurable aspects in Section 3.2.7.

Additionally, most viruses entail performance reduction in aspects such as initialization of operating systems. Although small, this causes time losses to the user. We assume that most (70%) of the work time of the organization is in front of a computer and that it would take, on average, 40 hours to detect the problem. We therefore assume that when a computer is infected, 28 hours of its usage are affected by the virus. We model the time loss w with a uniform distribution that represents that the percentage of lost time caused by a virus is between 0% and 5%. The average hourly cost of the employees is € 20/hour. Therefore, for each virus infection, the cost would be . Our insurance options do not cover this loss and, thus, we model it within the noninsurable aspects in Section 3.2.7.

Modeling the DDoS Threat

We consider now the nonstrategic aspects of the DDoS threat. Duration, . The duration l in hours of a successful DDoS attack will depend on the intensity of the attacking campaign, how well‐crafted the attack is, and the security controls implemented. An emerging type of control is cloud‐based systems absorbing traffic when a site becomes a victim of a DDoS. If no control is deployed, it would be virtually impossible to block such attack. Based on Securelist (2016) and Verisign (2017), the average attack lasts four hours, averaging 1 gbps, with peaks of 10 gbps. We model , the length of the jth individual DDoS attack, as a Γ(4, 1). This duration is conditional on whether the attack actually saturates the target, which depends on the capacity of the DDoS platform minus the absorption by the cloud‐based system. We assume that the Attacker uses a professional platform capable of 5 gbps attacks, modeled through a Γ(5, 1) distribution. We then subtract the traffic absorbed by the protection system to determine whether the attack is successful (its traffic overflows the protection system). Since the campaign might take a attacks, the output of this node is , with if , and , otherwise. Impact. A DDoS attack might cause a reputational loss that would affect the organization's market share. We assume that all market share is lost at a linear rate until all value is gone, say, after five to eight days of unavailability: in the fastest case, the loss rate r would be per hour, whereas in the slowest one it would be 0.0026. We model r as a .
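The duration node described above can be simulated directly. The following Python code is an added example, not the authors' R implementation; it assumes Γ(4, 1) and Γ(5, 1) are gammas with the stated shape and unit rate, treats each protection tier as a fixed absorbed capacity in gbps, and takes the campaign size (`attacks`) as an input. All function names are hypothetical.

```python
import math
import random

HOURS_SHAPE = 4.0   # Gamma(4, 1): an individual attack lasts 4 hours on average
GBPS_SHAPE = 5      # Gamma(5, 1): the attacking platform delivers 5 gbps on average
# Protection tiers from the page, expressed as absorbed capacity in gbps (assumption).
PROTECTION_GBPS = {"None": 0, "2 gbps": 2, "5 gbps": 5, "10 gbps": 10, "1,000 gbps": 1000}


def p_saturate(capacity):
    """P(attack gbps > capacity) for an integer-shape gamma (Erlang) with unit rate."""
    c = float(capacity)
    return math.exp(-c) * sum(c ** k / math.factorial(k) for k in range(GBPS_SHAPE))


def campaign_hours(capacity, attacks, rng):
    """Total unavailability l (hours) over one campaign of `attacks` attempts."""
    total = 0.0
    for _ in range(attacks):
        gbps = rng.gammavariate(GBPS_SHAPE, 1.0)
        hours = rng.gammavariate(HOURS_SHAPE, 1.0)
        if gbps - capacity > 0:          # traffic overflows the protection system
            total += hours               # otherwise this attempt contributes 0 hours
    return total


def downtime_summary(capacity, attacks, k=4000, seed=7):
    """Monte Carlo estimate of (E[l], P(l > 0)) for a given protection capacity."""
    rng = random.Random(seed)
    draws = [campaign_hours(capacity, attacks, rng) for _ in range(k)]
    return sum(draws) / k, sum(d > 0 for d in draws) / k


def exact_summary(capacity, attacks):
    """Closed-form counterparts, used to cross-check the simulation."""
    p = p_saturate(capacity)
    return attacks * HOURS_SHAPE * p, 1.0 - (1.0 - p) ** attacks


if __name__ == "__main__":
    for name, cap in PROTECTION_GBPS.items():
        print(name, downtime_summary(cap, attacks=30), exact_summary(cap, attacks=30))
```

Under these assumptions a 30-attempt campaign against the 10 gbps tier saturates it at least once with probability about 0.59, whereas the 1,000 gbps tier is never saturated.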

Modeling Impacts on the Assets

We recollect here the impacts on the assets. Impact on facilities, . The monetary loss b due to degradation of facilities through fire is , following Section 3.2.4. Insurable impacts on computers, . We model the monetary losses due to degradation of computers covered by insurance, either caused by fire, Section 3.2.4, or through repairing computers infected with viruses, Section 3.2.5, as . Noninsurable impacts on computers, . The monetary losses caused by degradation of computers due to the lost time caused by viruses are not covered by insurance. Following Section 3.2.5, we model . Impact on market share, . The monetary loss m due to a reduced market share, following Section 3.2.6, is . Total Defender costs, . The costs suffered by the Defender are , where is the security controls cost, that of insurance, the insurance coverage (which reduces losses), and m, b, , and are the impacts on assets previously described.

Defender Utility,

The organization is constant risk averse over costs. Its utility function is strategically equivalent to . We calibrate it with three costs: worst, best, and an intermediate one. The worst reasonable loss is based on the sum of all costs and impacts (except that due to the computer virus), € 6,755,300. Computer virus impacts do not have an upper limit; based on simulations, it is reasonable to assume that they would not exceed € 50,000. Giving an additional margin, we assume that such maximum is 7,000,000. The best loss is 0. For the intermediate cost , we find its probability equivalent α so that (Ortega et al., 2018); based on information provided by the company, . We rescale the costs to the (0,1) range through . Then, the utility function is .

Assessing the Attacker's Random Beliefs and Preferences

In the Defender problem, the competitor attack is described through a probabilistic node modeling the number of attacks launched by the Attacker given the security controls that are implemented. To obtain the corresponding probabilities, we model the Attacker problem based on Fig. 10. Its solution would provide the Attacker's optimal action. However, as argued in Section 2.5, we model our uncertainty about his preferences and beliefs through random utilities and probabilities to find the random optimal attack; for this, we simulate from it to forecast his actions and obtain the required probability distribution.

Defender's security controls. This node is probabilistic for the Attacker. However, we assume that he may observe through network exploration tools whether the Defender has implemented relevant controls.

Competitor attack decision, . This decision node models how many attacks (between 0, doing nothing, and 30) the DDoS campaign will make. Attackers usually give up once the attack has been mitigated and move on to the next target or try other disruption methods. However, when the attack is targeted, the Attacker might continue the campaign for several days, causing an extensive impact.

Duration of the DDoS, . We base our estimate on that of the Defender (Section 3.2.6). We model the length of the jth individual DDoS attack as a random gamma distribution with and , adding some uncertainty around its average duration (between three and six hours) and dispersion. Similarly, we model the attack gbps through a random gamma distribution with and . Next, we subtract from to determine whether the DDoS is successful. As in Section 3.2.6, we use , with if , and otherwise.

Impact on market share, . We base our estimate on that of the Defender (Section 3.2.7), adding some uncertainty. The market share value and percentage are not affected by uncertainty, as this information is available to both agents. However, we model uncertainty in the market loss rate: the fastest one (five days in the Defender problem) is between four and six days in the Attacker problem and the slowest one (eight for Defender) is between seven and nine. Therefore, the random distribution describing the market loss is with , , and .

Attacker earnings, . Being the sole competitor, we assume that the Attacker gain e in terms of market share is . The random uncertainty in earnings derives from the randomness of the preceding nodes.

Attacker Detection, . This represents the chance of the Attacker being detected. Detection probabilities are estimated via expert judgment at 0.2%, should the Attacker attempt a DDoS attack. Should there be a attacks, the detection has a binomial distribution . To add some uncertainty, we model the detection probability for each attack through a . Then, we model the Attacker's detection t through a random binomial distribution that outputs detected if with , and not detected, otherwise.

Cost for Attacker when detected, . As a competitor, if the Attacker is detected, he would face a serious discredit, together with compensation and legal costs as well as criminal responsibilities. We use this cost decomposition: € 550,000 of expected reputational costs, due to the communication actions required to preserve credibility; € 30,000 of expected legal costs; € 350,000 of expected civil indemnities and regulatory penalties; € 1,500,000 of expected suspension costs, related to losses derived from prohibition to operate for some time. We add some uncertainty, modeling the cost as a normal distribution with mean 2,430,000 and SD 400,000, that is, .

Result of attack, . This combines the Attacker earnings and costs if detected, and those of undertaking the attacks. We consider that using a botnet to launch the DDoS attack would cost on average around € 33 per hour (Incapsula, 2015) (€ 792 for a day). Therefore, .

Attacker's random utility, . We assume that the Attacker is risk prone, with a utility function strategically equivalent to , where , are the costs normalized to [0, 1], and the risk proneness parameter. We induce the random utility considering that follows a distribution.

Simulating the Attacker Problem

Summarizing the earlier assessments, the distribution of random utilities and probabilities in the Attacker problem is . We calculate the random optimal attack, given the security controls s implemented through: To approximate it, we use an MC approach as in Algorithm 1 (Appendix A) with K=20,000, which we have implemented in R. For each size s of the DDoS protection system, we assess the distribution of the random optimal attack. Table VI displays the attack probabilities, conditional on the protection implemented. For instance, if the security portfolio does not contain a DDoS protection system (, none), an attack seems certain, and its duration would be between 18 and 30 attacks, 29 and 30 being the most likely attack sizes. We thus create the probability distribution . We have now fully specified the Defender problem and are ready to solve it.
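Table VI

Conditional Probability Table for Random Optimal Attacks

Number of Attempts

| DDoS Prot. System | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1,000 gbps | 1.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 |
| 10 gbps | 0.000 | 0.001 | 0.003 | 0.003 | 0.004 | 0.005 | 0.012 | 0.012 | 0.015 | 0.013 | 0.017 | 0.024 | 0.024 | 0.022 | 0.030 | 0.035 |
| 5 gbps | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.001 | 0.001 | 0.001 | 0.002 |
| 2 gbps | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 |
| None | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 |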

Solving the Defender Problem

Summarizing earlier assessments about the Defender problem, we have that the involved distributions are . The Defender's expected utility when the security portfolio s is implemented together with insurance i is: The optimal resource allocation is the maximum expected utility pair . We use Algorithm 2 (Appendix A) to approximate the portfolio together with the optimal portfolio. We have implemented it in R with an MC sample size of K=20,000 and the results are summarized in Table VII. The best portfolio consists of a 1,000 gbps cloud‐based DDoS protection system, a firewall, an anti‐fire system, and the comprehensive insurance. Besides the ranking of countermeasures, we can obtain additional information from the simulation. For instance, the best portfolios tend to include a firewall, a 1,000 gbps DDoS protection with no risk management procedure. The best portfolios also include insurance, either traditional or comprehensive.
Table VII

Expected Utility for Three Best and Worst Combinations of Controls and Insurance

| Anti‐Fire | Firewall | Procedure | DDoS Protection | Insurance | Expected Utility |
|---|---|---|---|---|---|
| Anti‐fire | Firewall | No procedure | 1,000 gbps | Comprehensive | 0.9954 |
| Anti‐fire | Firewall | No procedure | 1,000 gbps | Traditional | 0.9950 |
| Anti‐fire | Firewall | Procedure | 1,000 gbps | Comprehensive | 0.9949 |
| No anti‐fire | No firewall | No procedure | No protection | Cyber | 0.8246 |
| No anti‐fire | No firewall | Procedure | No protection | No insurance | 0.8246 |
| No anti‐fire | No firewall | No procedure | No protection | No insurance | 0.8242 |

Further Analysis

The previous ARA model can be used to perform other relevant analyses, as we briefly discuss.

Sensitivity Analysis

We can assess the robustness of the previous solution by checking whether variations in the inputs to the model alter the optimal solution. This is especially important in a case like ours with small differences in expected utility among top alternatives and many inputs being purely judgmental. The approach would require the implementation of additional algorithms for sensitivity analysis that indicate whether small deviations in input parameters may lead to a large effect in the model outcome (Rios, 1990). As an example, the optimal portfolio in Table VII will remain as such until we sufficiently reduce the value of , specifically . If is further reduced, the optimal portfolio will contain the same security controls and insurance as the optimal, except for the anti‐fire system. Additionally, sensitivity analysis can be used to explore the maximum cyber insurance price that the Defender would be willing to pay. This may be used, inter alia, to price insurance products.

Introducing Constraints

As mentioned, we may introduce constraints over the security portfolios. For example, we could add to the problem a budget limit of, say, € 8,000. Then, our problem would involve only those portfolios satisfying that constraint. In such case, the optimal portfolio would consist of the firewall, the 10 gbps DDoS protection system, and the comprehensive insurance, with a cost of € 7,650. Another example could refer to constraints on compulsory security controls, as certain insurance policies might demand their implementation before a policy is issued.

Return on Security Investment

Our formulation focused on choosing the best security portfolio. An additional aspect that could be addressed is calculating the return on security investment (ROSI) to assess the cost effectiveness of a cybersecurity budget (ENISA, 2012; Schatz & Bashroush, 2017). Calculating the optimal solution over a range of budgets (e.g., from € 5,000 to € 25,000) generates a function that, for a given budget, provides the optimal solution and its expected utility to explore the return on risk mitigation investments. Additionally, we could find the optimal increase in the portfolio so as to attain a certain expected utility level or satisfy a certain risk appetite level.

Comparison with a Game‐Theoretic Approach

Appendix C provides a comparison between our framework and a standard game‐theoretic solution in a simplified cybersecurity example. The basic conclusions are, first, that the two approaches rely on different assumptions and, consequently, lead to different solutions; second, that the game‐theoretic approach requires more stringent common knowledge assumptions that might not hold in cybersecurity; and, given that, we may view the ARA approach as more robust. Additionally, the proposed framework may be more adaptable to realistic cybersecurity scenarios with several potential attackers and several accidental and environmental threats as it more duly apportions various sources of uncertainty, as discussed in Merrick and Parnell (2011).

DISCUSSION

Current cybersecurity risk analysis frameworks provide relevant knowledge bases for understanding cyber threats, security policies, and impacts on business assets with dependencies on the IT infrastructure. However, most of such frameworks provide risk analysis methods that are not sufficiently formalized, nor comprehensive enough. Indeed, most of them suggest risk matrices as their main analytic basis, which provide a fast but frequently rudimentary study of threats. Hence, we have presented a formal framework supporting all steps relevant to undertake a comprehensive cybersecurity risk analysis. It implies structuring the cybersecurity problem as a decision model based on a multiagent influence diagram. It enables the assessment of beliefs and preferences of the organization regarding cybersecurity risks as well as the security portfolio and insurance it can implement to treat such risks. It takes into account, in addition to nonintentional threats, the strategic behavior of adversarial threats with ARA. We model the intentional factors through the decision problems of the attackers. The case introduced is a simplification of a real example but serves as template for complex problems. Among other things, we had to rely on expert judgment to assess the uncertainty nodes for which we lacked data. From the decision support point of view, ARA enables the calculation of optimal cybersecurity resource allocations, facilitating the selection of security and insurance portfolios. Furthermore, it also enables sensitivity analysis to evaluate whether the optimal portfolio remains as such, in case different elements affecting risk change. Future work involves the application of this paradigm to study other cybersecurity adversarial problems, including granting a cyber insurance product and cyber reinsurance issues. 
The problem proposed here refers to strategic/tactical decisions; it would be interesting to develop dynamic schemes integrating strategic and operational decisions. Similarly, we shall address the development of parametric cyber insurance schemes in order to obtain premiums that reflect better risk management. We shall also pursue optimization algorithms beyond enumeration to reduce the computational burden. When compared with standard approaches in cybersecurity, our paradigm provides a more comprehensive method, leading to a more detailed modeling of risk problems, yet, no doubt, more demanding in terms of analysis. We believe though that at many organizations, especially in critical infrastructures and sectors, the stakes at play are so high that this additional work should be worth the effort. Therefore, another relevant activity would be the development of a software environment that supports the implementation of our cybersecurity framework based on the R routines elaborated.

APPENDIX C: COMPARISON WITH A GAME‐THEORETIC APPROACH

This appendix compares our ARA framework with a standard game‐theoretic (GT) approach by analyzing a simple example with both methods. We consider a defend–attack problem, in which a defender D has to decide (d) among three connecting options between two data centers in a campus shared with other institutions: using the campus network with encryption and other protection measures ($d_1$); using it without additional protection ($d_2$); or the most expensive, installing a dedicated line between the data centers ($d_3$). The danger resides in a potential targeted attacker A, insider to the campus, who decides whether to attack the defender's connection ($a_1$) or not ($a_0$). The result of the attack (r) leads to consequences related to data exfiltration, expressed as costs, for both the defender () and the attacker (). They evaluate these consequences through utility functions ( and ) that incorporate their risk attitude. Fig. C1 represents the problem as an ID and Table C1 details the problem for various relevant defense–attack combinations.
Fig C1

Influence diagram representing the connecting problem.

Table C1

Defender and Attacker Elements

| Defender Decision d | Attacker Decision a | Attack Result r | Defender Consequences $c_D$ | Attacker Consequences $c_A$ | Defender Utility $u(c_D)$ | Attacker Utility $u(c_A)$ |
|---|---|---|---|---|---|---|
| $d_1$ | $a_1$ | $r_1$ | $s + k r_1$ | $l - g r_1$ | $1 - e^{\lambda(s + k r_1)}$ | $e^{\mu(-l + g r_1)} - 1$ |
| | $a_0$ | 0 | $s$ | 0 | $1 - e^{\lambda s}$ | 0 |
| $d_2$ | $a_1$ | $r_2$ | $k r_2$ | $l - g r_2$ | $1 - e^{\lambda k r_2}$ | $e^{\mu(-l + g r_2)} - 1$ |
| | $a_0$ | 0 | 0 | 0 | 0 | 0 |
| $d_3$ | $a_1$ | | | | | |
| | $a_0$ | | $h$ | 0 | $1 - e^{\lambda h}$ | 0 |

Note: $r_1$ ($r_2$) is the attack result, in terms of fraction of data compromised, in case the defender uses the campus network with (without) protection $d_1$ ($d_2$); h is the cost of installing a new line between the data centers; s is the cost of taking the extra protection when using the campus network; k is the defender's cost relative to the fraction of data compromised; l is the attacker cost of executing the attack; g is the attacker's gain relative to the fraction of data extracted from the defender; λ is the defender risk aversion coefficient; μ is the attacker risk proneness coefficient.

Common ingredients to both approaches refer to the assessment of the defender elements. Suppose that we have , , and ; her risk aversion coefficient is ; the attack result $r_1$, given the protection, follows a beta distribution (mean 0.3), whereas the attack result $r_2$, given the lack of protection, follows a beta distribution (mean 0.7).

Game‐theoretic approach. Under common knowledge, we assume that the defender knows that the attacker's parameters are: ; ; ; $r_1$ follows a beta distribution (mean 0.2637); and $r_2$ follows a beta distribution (mean 0.619). We first compute the attacker's best response to the defender choice d, which is , where is the attacker's expected utility. Knowing , we compute the defender's optimal decision from the game‐theoretic perspective , where is the defender's expected utility, defined in a similar fashion to that of the attacker. In our case, we have , , and , that is, attacking is the best decision for the attacker only when the defender uses the campus network without protection. We then compute the respective expected utilities as to find . In our case, and, thus, , using the campus network with the protection measures.

Adversarial risk analysis approach. Without common knowledge, we model the defender's beliefs about the attacker's judgment with random probabilities and random utilities . Suppose that ; ; ; $r_1$ follows the random beta distribution ; and, similarly, $r_2$ follows . We calculate the random optimal attack , given the defender's choice d, which is obtained through . This leads to estimates , , , and the corresponding complementary probabilities for $a_0$. Knowing this, we calculate the defender's expected utility, when d is her choice, as . The decisions' expected utilities are, respectively, and, thus, the ARA optimal defense is , installing a dedicated line, which is different from the game‐theoretic solution .

Comments. A first difference between the approaches is that GT assumes common knowledge. In our example, this entails that the defender knows the attacker's probability distributions and utility function. Alternatively, ARA does not assume such knowledge, but the defender needs to model her beliefs over the attacker judgments through random probability distributions and a random utility function. Consequently, a second difference is that GT informs the defender problem with the optimal decision of the attacker, whereas ARA provides a probability distribution of the attacker decision. Observe that the ARA approach may be seen as a way to induce robustness in the GT approach when we are not sure about the attacker assessments. Similar comments hold for cases in which a game under a partial information approach is considered as common knowledge over the types prior and is required to approximate Bayes–Nash equilibria. See Rothschild, McLay and Guikema (2012) for additional discussion.
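The two solution concepts compared in this appendix, as added Python code rather than the authors' own implementation. All numeric parameters and the uniform ranges for the attacker's random judgments are constructed for illustration (only the beta means 0.3, 0.7, 0.2637 and 0.619 come from the text), and an attack under d3 is assumed to yield the attacker nothing; function names are hypothetical.

```python
import math
import random

# Constructed parameter values (assumptions for illustration, not the paper's).
S, H, K, LAM = 0.05, 0.10, 1.0, 2.0            # s, h, k, defender risk aversion lambda
DEF_R = {"d1": (3.0, 7.0), "d2": (7.0, 3.0)}   # defender's beta beliefs, means 0.3 / 0.7
GT_ATTACKER = {"l": 0.35, "g": 1.0, "mu": 1.0,       # common-knowledge attacker
               "d1": (2.4, 6.7), "d2": (6.5, 4.0)}   # beta means 0.2637 / 0.619
DECISIONS = ("d1", "d2", "d3")


def beta_mgf(theta, a, b, n=200):
    """E[exp(theta * r)] for r ~ Beta(a, b), by midpoint quadrature on (0, 1)."""
    log_norm = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    total = 0.0
    for i in range(n):
        r = (i + 0.5) / n
        log_pdf = log_norm + (a - 1) * math.log(r) + (b - 1) * math.log(1 - r)
        total += math.exp(theta * r + log_pdf)
    return total / n


def attack_utility(att, d):
    """Attacker's expected utility of a1 under defence d: E[exp(mu*(g*r - l))] - 1."""
    discount = math.exp(-att["mu"] * att["l"])
    if d == "d3":          # assumption: a dedicated line leaves nothing to exfiltrate
        return discount - 1.0
    a, b = att[d]
    return discount * beta_mgf(att["mu"] * att["g"], a, b) - 1.0


def attacks(att, d):
    """Best response: attack only if it beats u_A(a0) = 0."""
    return attack_utility(att, d) > 0.0


def defender_eu(d, p_attack):
    """Defender's expected utility E[1 - exp(lambda * c_D)] given P(a1 | d)."""
    fixed_cost = {"d1": S, "d2": 0.0, "d3": H}[d]
    u_no_attack = 1.0 - math.exp(LAM * fixed_cost)
    if d == "d3":
        return u_no_attack
    a, b = DEF_R[d]
    u_attack = 1.0 - math.exp(LAM * fixed_cost) * beta_mgf(LAM * K, a, b)
    return p_attack * u_attack + (1.0 - p_attack) * u_no_attack


def solve_gt():
    """Game-theoretic solution: the attacker's best response is known with certainty."""
    response = {d: attacks(GT_ATTACKER, d) for d in DECISIONS}
    eu = {d: defender_eu(d, 1.0 if response[d] else 0.0) for d in DECISIONS}
    return max(eu, key=eu.get), response, eu


def sample_attacker(rng):
    """One draw of the attacker's random utilities and probabilities (constructed ranges)."""
    return {"l": rng.uniform(0.15, 0.55), "g": rng.uniform(0.8, 1.2),
            "mu": rng.uniform(0.5, 1.5),
            "d1": (rng.uniform(2.0, 2.8), rng.uniform(6.3, 7.1)),
            "d2": (rng.uniform(6.0, 7.0), rng.uniform(3.5, 4.5))}


def solve_ara(n=2000, seed=1):
    """ARA solution: estimate P(a1 | d) by solving the attacker problem n times."""
    rng = random.Random(seed)
    hits = dict.fromkeys(DECISIONS, 0)
    for _ in range(n):
        att = sample_attacker(rng)
        for d in DECISIONS:
            hits[d] += attacks(att, d)
    p_attack = {d: hits[d] / n for d in DECISIONS}
    eu = {d: defender_eu(d, p_attack[d]) for d in DECISIONS}
    return max(eu, key=eu.get), p_attack, eu


if __name__ == "__main__":
    print("GT :", solve_gt())
    print("ARA:", solve_ara())
```

With these constructed inputs the point-estimate attacker never attacks the protected campus link, so the game-theoretic answer is d1, while the ARA forecast assigns that attack a probability of roughly 0.3, which is enough to make the dedicated line d3 the better defence.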
  5 in total

1.  Adversarial risk analysis with incomplete information: a level-k approach.

Authors:  Casey Rothschild; Laura McLay; Seth Guikema
Journal:  Risk Anal       Date:  2011-10-28       Impact factor: 4.000

2.  What's wrong with risk matrices?

Authors:  Louis Anthony Cox
Journal:  Risk Anal       Date:  2008-04       Impact factor: 4.000

3.  A comparative analysis of PRA and intelligent adversary methods for counterterrorism risk management.

Authors:  Jason Merrick; Gregory S Parnell
Journal:  Risk Anal       Date:  2011-03-18       Impact factor: 4.000

4.  Defense of Cyber Infrastructures Against Cyber-Physical Attacks Using Game-Theoretic Models.

Authors:  Nageswara S V Rao; Stephen W Poole; Chris Y T Ma; Fei He; Jun Zhuang; David K Y Yau
Journal:  Risk Anal       Date:  2015-04-06       Impact factor: 4.000

5.  Security Events and Vulnerability Data for Cybersecurity Risk Estimation.

Authors:  Luca Allodi; Fabio Massacci
Journal:  Risk Anal       Date:  2017-08       Impact factor: 4.000
