Various objectives, features, and advantages of the disclosed subject matter can be more fully appreciated with reference to the following detailed description of the disclosed subject matter when considered in connection with the following drawings, in which like reference numerals identify like elements.
The drawings are not necessarily to scale, or inclusive of all elements of a system, emphasis instead generally being placed upon illustrating the concepts, structures, and techniques sought to be protected herein.
By investing in cyber security projects, entities can reduce expected losses. Methods and systems are disclosed herein for calculating the aggregate expected loss reduction from a portfolio of one or more cyber security related projects. Projects can include new and/or existing internal initiatives and/or market offerings. Projects can also include tools and applications, internal initiatives, vendor solutions, frameworks, and other efforts to mitigate cyber security loss. In some embodiments, calculating the aggregate expected loss reduction of a given portfolio of projects allows distinct portfolios to be compared against each other in terms of Return on Investment (ROI). This approach can help management facing resource constraints to choose an optimal combination of projects from multiple candidate projects in order to mitigate loss from cyber security events.
Quantification of cyber loss can include techniques that combine the likelihood of a cyber event with the impact of that event should it materialize. One example of such a technique is a Loss Distribution Approach (LDA). In an LDA framework such as that discussed in aspects of the disclosure, likelihood can be referred to as frequency and impact can be referred to as severity. The loss distribution approach (LDA) can be a process that uses frequency and severity distributions, and can be used to quantify a wide variety of cyber security threats. A scorecard approach can be a framework used to help assess the frequency and severity of these threats.
In some aspects of the disclosure, expected cyber loss can be calculated by combining frequency and severity. In addition, in some aspects, the expected loss reduction contributions of each selected project can be aggregated to a portfolio view. Furthermore, by considering the redundancies and synergies among selected projects, a more accurate portfolio level expected loss reduction can be calculated. For example, by removing project redundancies from expected loss reductions and reducing project costs through the identification of project synergies, a more accurate portfolio expected loss reduction can be estimated.
In some aspects of the disclosure, given a specific budget constraint, we can set up an integer optimization to select a subset of cyber security projects that will maximize the expected loss reduction from cyber security threats and help identify high ROI projects.
Loss Distribution Approach
In some aspects of the disclosure, an LDA approach can be used by an institution to calculate expected loss from operational risk. This technique first identifies a time horizon (e.g., one year, one month, one week, one day) where losses could occur from various operational risks. These operational risks can be separated into categories of business lines (e.g., corporate finance, sales & trading, retail banking, etc.) and risk types (e.g., internal fraud, external fraud, damage to physical assets, etc.). Expected loss from operational risk can then be calculated over the specified time period for each risk type within each business line. Within each business line/risk type pair, expected loss can be calculated through the convolution of frequency and severity distributions.
Frequency distributions can be forward looking and describe the probability that risk event(s) could happen. For example, a Poisson probability distribution can be used for frequency. The Poisson probability distribution can be a discrete probability distribution that gives the probability of a certain number of events occurring over a specified period of time. The mean and variance of the distribution can be given by one parameter, lambda (λ). Equation 1 describes how the probability of k events happening is calculated within a Poisson distribution for a given lambda.
Severity distributions can be forward looking, and can describe the loss that would be associated with a realized event counted by the frequency distribution described above. The log-normal distribution can be used within the field of operational risk to express the range of potential losses. The mean and variance of the log-normal distribution can be mu (μ) and sigma squared (σ²), respectively. Equation (2) calculates the probability of a loss (x) being realized from a log-normal distribution with a given mean and standard deviation.
Estimation of Portfolio Losses
The loss frequency and loss distribution can be combined to simulate the expected loss distribution. This can be called convolution. A Monte Carlo simulation can be used to estimate the aggregate distribution of losses, with K simulations. The sequence of calculations can be as follows:
1) For k = 1, …, K
The distribution of losses can then be used to compute the mean, VaR(q), and the expected shortfall, where q is the VaR threshold (e.g., the 95th or the 99th percentile).
The expected shortfall can be given by
ES(q) = E(Z | Z > VaR(q)), (3)
or, equivalently, the average losses above the calculated VaR.
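The convolution step above, as an added example written for this page (not code from the patent): K simulations each draw a Poisson event count, draw a log-normal loss per event and sum them, after which the mean, VaR(q) and the ES(q) of equation (3) are read off the simulated distribution. The parameters (λ = 2, median loss 100,000, σ = 1) are constructed, and the Poisson sampler is a plain standard-library implementation.

```python
import math
import random

# Added example (not the patent's code): Monte Carlo convolution of a Poisson
# frequency distribution and a log-normal severity distribution, followed by
# the mean, VaR(q) and expected shortfall ES(q) = E(Z | Z > VaR(q)).

def poisson_sample(lam, rng):
    """Draw one Poisson(lam) event count (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_aggregate_losses(lam, mu, sigma, n_sims, seed=0):
    """For k = 1..K: draw the number of events N_k ~ Poisson(lam), draw a
    log-normal loss for each event and sum them into the aggregate loss Z_k."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_sims):
        n_events = poisson_sample(lam, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses

def var(losses, q):
    """VaR(q): the q-th empirical quantile of the simulated aggregate losses."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]

def expected_shortfall(losses, q):
    """ES(q) = E(Z | Z > VaR(q)): average of the losses strictly above VaR(q)."""
    threshold = var(losses, q)
    tail = [z for z in losses if z > threshold]
    return sum(tail) / len(tail) if tail else threshold

def analytic_mean(lam, mu, sigma):
    """Closed-form mean of the compound distribution, lam * exp(mu + sigma^2 / 2),
    used to sanity-check the simulation."""
    return lam * math.exp(mu + sigma ** 2 / 2)

def summarize(losses, q):
    return {"mean": sum(losses) / len(losses),
            "var": var(losses, q),
            "es": expected_shortfall(losses, q)}

if __name__ == "__main__":
    # Constructed parameters: 2 events per period on average, median loss 100,000.
    z = simulate_aggregate_losses(2.0, math.log(100_000), 1.0, 20_000, seed=1)
    print(summarize(z, 0.99), analytic_mean(2.0, math.log(100_000), 1.0))
```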
Techniques for Deriving Parameters for Frequency and Severity Distributions
A challenge facing operational risk professionals is the lack of data required for the estimation of the parameters of the distributions described above. Given the idiosyncratic nature of operational risks, historical data, even if available, may not necessarily be a good predictor of future events. Accordingly, many practitioners may rely on expert judgement to arrive at the parameters of the requisite distributions. Below we describe an example of how to translate expert judgement into quantitative estimates.
A scorecard can be a common framework used to translate expert judgement into probabilities. First, a discrete number of opportunities can be identified per given period that are subject to cyber risk loss. For example, we could assume that 10 opportunities per month are subject to a cyber event. The scorecard in
Scorecards can be good for calibrating simple discrete frequency distributions such as the Poisson probability distribution, where there is only one parameter to calculate (e.g., lambda). Continuous distributions (e.g., the log-normal distribution), which require a mean and a standard deviation, can use a more sophisticated approach. For example, a technique that calculates the parameters of a log-normal distribution by soliciting a cyber loss bound parameter can be used to determine lower and upper bounds. The lower and upper bounds can be chosen such that, together, they enclose a given percentage of the total loss curve.
For example, an expert could be asked what loss amounts she expected 80 percent of the potential loss to fall between. If the two loss amounts are believed to be 20 million and 160 million, then the bound parameter would be 80, the lower bound would be 20 and the upper bound would be 160. These three numbers (e.g., 20, 80, and 160) can be used to parameterize a log-normal distribution.
For example, the mean of the log-normal distribution can be described by Equation 4:
where
log zz(z)=2f(x,μ,σ)
and
normal distribution function
so that
log zz(z)=2f(x,0,1)
Assuming a mean of 0 and unit variance, we can obtain the following:
The standard deviation can be given by the following:
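An added example (not the patent's own code) of turning the three numbers 20, 80 and 160 into log-normal parameters. It assumes the standard construction in which ln(20) and ln(160) are the symmetric 10th and 90th percentiles of the underlying normal distribution (the 80 percent bound parameter leaves 10 percent in each tail), so μ and σ are the log-space parameters; it then checks that the fitted distribution actually places 80 percent of its mass between the two bounds.

```python
import math
from statistics import NormalDist

# Added example (not from the patent): log-normal parameters from an expert's
# lower bound, upper bound and bound parameter (percent of loss mass enclosed).

def lognormal_params_from_bounds(lower, upper, bound_pct):
    """Assumed construction: [lower, upper] encloses bound_pct percent of the
    loss mass and is symmetric in log space, so ln(lower) and ln(upper) are the
    (1-b)/2 and (1+b)/2 quantiles of N(mu, sigma^2). Returns (mu, sigma)."""
    if not (0 < lower < upper) or not (0 < bound_pct < 100):
        raise ValueError("need 0 < lower < upper and 0 < bound_pct < 100")
    tail = (1 - bound_pct / 100) / 2          # mass outside each end of the interval
    z = NormalDist().inv_cdf(1 - tail)        # standard-normal quantile (1.2816 for 80%)
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * z)
    return mu, sigma

def lognormal_cdf(x, mu, sigma):
    """P(loss <= x) for a log-normal with parameters mu, sigma."""
    return NormalDist(mu, sigma).cdf(math.log(x))

def mass_between(lower, upper, mu, sigma):
    """Fraction of the fitted loss distribution lying in [lower, upper]."""
    return lognormal_cdf(upper, mu, sigma) - lognormal_cdf(lower, mu, sigma)

def lognormal_mean(mu, sigma):
    """Expected loss of the fitted severity distribution, exp(mu + sigma^2 / 2)."""
    return math.exp(mu + sigma ** 2 / 2)

if __name__ == "__main__":
    # The expert's answers from the text: 80 percent of losses between 20 and 160.
    mu, sigma = lognormal_params_from_bounds(20, 160, 80)
    print(mu, sigma, mass_between(20, 160, mu, sigma), lognormal_mean(mu, sigma))
```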
Portfolio Dynamics Project
Many cyber loss quantification approaches focus on the relationships and/or dependencies among the various cyber risks. In some aspects of the disclosure, we can model the relationships and/or dependencies among the various cyber risk mitigants.
Attempts to quantify the benefits of investing in cyber related projects can assume that the aggregated benefits of all of the projects can be merely a sum of the individual benefits. In practice, two projects may seem attractive on their own, but because they reduce expected loss redundantly, it may not be appropriate to include both in the same portfolio. Similarly, there may be two projects that individually are not attractive, but are synergistic and together they contribute more to expected loss reduction than individually.
By understanding the dynamics of each project within the project portfolio, a more accurate portfolio expected loss reduction can be estimated. Here we can utilize redundancy and/or synergy matrices to adjust the gross expected loss reduction to arrive at a net expected loss reduction.
Only the lower left triangle of the matrix in
The weighted average redundancies or synergies within the portfolio can be calculated using the following formula:
Here ρ_ij can be the full synergy or redundancy matrix, and w_i, w_j can be the weights of the individual project costs within the portfolio of project costs to which the relevant synergy/redundancy coefficient relates.
The calculated redundancies and synergies of the portfolio of project costs can then be used to obtain the ROI of investing in all of the cyber related projects. The ROI can be the return (the total expected reduction in losses from cyber security threats less the cost of implementing the cyber security projects) divided by the investment (the cost of implementing the cyber security projects). The total expected loss reduction can be the sum of all expected loss reductions less the fraction of portfolio redundancies calculated using equation (6). The cost of implementing all of the projects can be the sum of all project costs less the fraction of portfolio synergies calculated using equation (6). The resulting ROI can be:
where LR can be the expected loss reduction across all projects, adjusted for redundancies, and TC can be the total cost of all projects, adjusted for synergies.
Using equation (6) to calculate project redundancies, the expected loss reduction can be:
where r_i can be the expected loss reduction for an individual project and ρ_av(red) can be the total portfolio redundancy coefficient.
Equation (6) can also be used to calculate the total cost. The total cost can be:
where c_i can be the cost of an individual project, and ρ_av(syn) can be the total portfolio synergy coefficient.
This ROI approach can assume that the organization that is implementing these cyber security projects has a budget that can invest in every project in the portfolio of cyber security projects. Of course, most companies have a limited budget and can only select a subset of projects. Thus, in some aspects of the disclosure, an optimization can be set up to select the optimal set of projects that will maximize the expected loss reduction.
Portfolio Expected Loss Reduction
Equation (6) can be explained at a more general level as follows:
The project portfolio optimized expected loss reduction model (LR) can use the following variables as inputs:
LR = F(r_i, c_i, ρ_av,r, ρ_av,s) (10)
where:
r_i can be the expected loss reduction for an individual cyber security project;
c_i can be the cost of an individual project;
ρ_av,r can be the full portfolio redundancy matrix; and
ρ_av,s can be the full portfolio synergy matrix.
In more generalized terms, ρ_av,r and ρ_av,s can be functions of the following:
ρ_av,x = F(w_i, w_j, ρ_ij), (11)
where ρ_ij can be the synergy or redundancy associated with each pair of cyber security projects i, j, and
x = r or s
where:
The optimization can be set up as an integer programming problem, and the optimization engine that can be used to solve the problem can be an evolutionary algorithm. The following steps describe an example set-up for the optimization:
The result of the optimization can give us a subset of projects that can maximize the expected loss reduction given the budget that has been set aside for cyber security projects.
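The following Python is an added example (not from the patent) of the portfolio step, serving both the redundancy/synergy adjustment of equations (6) to (9) above and the budget-constrained selection just described. The four projects, their r_i, c_i and pairwise coefficients, the cost-weighted form assumed for equation (6), and the exhaustive subset search used in place of an evolutionary solver are all assumptions made for the example.

```python
import itertools

# Constructed sample portfolio (not from the patent): four projects with an
# expected loss reduction r_i, a cost c_i, and pairwise redundancy / synergy
# coefficients rho_ij in [0, 1]. Only the lower-left triangle (row j > col i)
# of each matrix is used, as in the text.
PROJECTS = ["MFA", "EDR", "Backups", "Awareness"]
R = [4.0, 5.0, 3.0, 1.5]          # expected loss reduction per project ($M)
C = [1.0, 2.0, 1.5, 0.5]          # cost per project ($M)
REDUNDANCY = [[0.0, 0.0, 0.0, 0.0],
              [0.3, 0.0, 0.0, 0.0],
              [0.0, 0.1, 0.0, 0.0],
              [0.2, 0.0, 0.0, 0.0]]
SYNERGY = [[0.0, 0.0, 0.0, 0.0],
           [0.1, 0.0, 0.0, 0.0],
           [0.0, 0.2, 0.0, 0.0],
           [0.0, 0.0, 0.0, 0.0]]

def weighted_avg_coeff(selected, costs, matrix):
    """Equation (6) as assumed here: average of rho_ij over the selected pairs,
    weighted by w_i * w_j with w_i = c_i / (sum of selected costs).
    A portfolio of fewer than two projects has no pairs, so the coefficient is 0."""
    total = sum(costs[i] for i in selected)
    num = den = 0.0
    for i, j in itertools.combinations(sorted(selected), 2):
        w = (costs[i] / total) * (costs[j] / total)
        num += w * matrix[j][i]               # lower-left triangle entry, j > i
        den += w
    return num / den if den else 0.0

def portfolio_metrics(selected, r=R, c=C):
    """Net expected loss reduction LR, net total cost TC and ROI = (LR - TC) / TC."""
    gross_lr = sum(r[i] for i in selected)
    gross_tc = sum(c[i] for i in selected)
    lr = gross_lr * (1 - weighted_avg_coeff(selected, c, REDUNDANCY))  # eq. (8)
    tc = gross_tc * (1 - weighted_avg_coeff(selected, c, SYNERGY))     # eq. (9)
    roi = (lr - tc) / tc if tc else 0.0
    return lr, tc, roi

def best_portfolio(budget, n=len(PROJECTS)):
    """Integer program solved by exhaustive search (fine for a handful of
    projects; the patent uses an evolutionary solver): choose the subset that
    maximizes net LR subject to net TC <= budget. Returns (subset, LR)."""
    best, best_lr = (), float("-inf")
    for size in range(1, n + 1):
        for subset in itertools.combinations(range(n), size):
            lr, tc, _ = portfolio_metrics(subset)
            if tc <= budget and lr > best_lr:
                best, best_lr = subset, lr
    return best, best_lr

if __name__ == "__main__":
    print("all projects:", portfolio_metrics(range(len(PROJECTS))))
    subset, lr = best_portfolio(budget=2.5)
    print("best within $2.5M:", [PROJECTS[i] for i in subset], lr)
```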
Computer Configuration
Methods described herein may represent processing that occurs within a system for managing a configuration of an application. The subject matter described herein can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structural means disclosed in this specification and structural equivalents thereof, or in combinations of them. The subject matter described herein can be implemented as one or more computer program products, such as one or more computer programs tangibly embodied in an information carrier (e.g., in a machine readable storage device), or embodied in a propagated signal, for execution by, or to control the operation of, data processing apparatus (e.g., a programmable processor, a computer, or multiple computers). A computer program (also known as a program, software, software application, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program does not necessarily correspond to a file. A program can be stored in a portion of a file that holds other programs or data, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
The processes and logic flows described in this specification, including the method steps of the subject matter described herein, can be performed by one or more programmable processors (e.g., processor 510 in
The computer 505 can also include an input/output 520, a display 550, and a communications interface 560.
It is to be understood that the disclosed subject matter is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways. Accordingly, other implementations are within the scope of the following claims. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other structures, methods, and systems for carrying out the several purposes of the disclosed subject matter. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the disclosed subject matter.
Although the disclosed subject matter has been described and illustrated in the foregoing exemplary embodiments, it is understood that the present disclosure has been made only by way of example, and that numerous changes in the details of implementation of the disclosed subject matter may be made without departing from the spirit and scope of the disclosed subject matter.
In addition, it should be understood that any figures which highlight the functionality and advantages are presented for example purposes only. The disclosed methodology and system are each sufficiently flexible and configurable such that they may be utilized in ways other than that shown. For example, other steps may be provided, or steps may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. In addition, the steps, components, formulas, etc. may be used in a different order or configuration than that described in the specification and/or shown in the drawings.
Although the term “at least one” may often be used in the specification, claims and drawings, the terms “a”, “an”, “the”, “said”, etc. also signify “at least one” or “the at least one” in the specification, claims and drawings.
Finally, it is the applicant's intent that only claims that include the express language “means for” or “step for” be interpreted under 35 U.S.C. 112(f). Claims that do not expressly include the phrase “means for” or “step for” are not to be interpreted under 35 U.S.C. 112(f).