strategic cyber cost effectiveness analysis
play

Strategic Cyber Cost- Effectiveness Analysis Robin Smith Brief - PowerPoint PPT Presentation

Jan 08, 2023 •20 likes •300 views

Strategic Cyber Cost- Effectiveness Analysis Robin Smith Brief Introduction Arke Cost analysis, cost effectiveness and cost benefit Aim to present our thinking Cost-Effectiveness/Cost-Benefit analysis of Cyber security

  1. Strategic Cyber Cost- Effectiveness Analysis Robin Smith

  2. Brief Introduction • Arke  Cost analysis, cost effectiveness and cost benefit • Aim to present our thinking… • Cost-Effectiveness/Cost-Benefit analysis of Cyber security … • Different to the norm? • Interesting challenges? • How to address challenges? To keep track: Defining Benefits Approach Process Future? Problem of Process

  3. Usual Spending Decisions Budget (Spend on…) Mitigations (Reduce the chance of…) Risks (Something bad happening to…) Assets Key aspects for usual cases… • Cost-Effectiveness directly related  value for money for taxpayer o Through defence perspective • Assets  Entirely defence • Assets  Not necessarily interconnections/interdependencies Defining Benefits Approach Process Future? Problem of Process

  4. Assets and Infrastructure: Strategic Level FRONTLINE • Representation: • Network of nodes Operational Base Destroyer • Nodes layered from the fighting end to the infrastructure that it depends Command upon in the long term Command & Control HQ • Usually, risk of ‘attacks’ considered at the operational end. Major Defence MOD Industry Infrastructure Company Critical National National Electricity Infrastructure Grid Defining Benefits Approach Process Future? Problem of Process

  5. Assets and Infrastructure at Risk • Representation: • Network of nodes Operational • Nodes layered from the Base Destroyer fighting end to the infrastructure that it depends upon Command Command • & Control Communication with each HQ FRONTLINE other and some might depend on others to function Major Defence MOD Industry • Usually, risk of attacks Infrastructure Company considered at the operational end. • All exposed to cyber Critical security risks National National Electricity Infrastructure Grid Defining Benefits Approach Process Future? Problem of Process

  6. Cyber Security Budget FRONTLINE (Spend on…) Mitigations (Reduce the chance of…) Risks (Something bad happening…) Assets Key aspects for cyber security… • Cost-Effectiveness directly related  value for money for taxpayer o Through defence, trade, energy.. Etc. • Assets  Not all entirely Defence • Assets  Have interconnections/interdependencies Defining Benefits Approach Process Future? Problem of Process

  7. Cyber Security FRONTLINE New problems with cyber security 1. Wider Impacts (than just defence) 2. Risks propagate (between nodes) Defining Benefits Approach Process Future? Problem of Process

  8. Approach – Framework/Process High-level understanding  Best way to spend money? o On reducing chance of successful cyber attacks Budget (Spend on…) Mitigations (Reduce the chance of…) Risks (Something bad happening to…) Assets Defining Benefits Approach Process Future? Problem of Process

  9. Approach Challenges Influencing our approach • Wider Impacts (than just military) • Reflect principles of assessing risks to information systems in the UK • “HMG Information Assurance Standard 1 – Technical Risk Assessment” (Government Standard) for information system risk assessment • Assess core goals of Information Assurance separately o Confidentiality -> Loss of privacy o Integrity -> Loss of trust o Availability -> Loss of presence • Assess relevant impact categories separately (‘Business Impact Levels’) e.g . o Military Operations o Trade o Energy… etc. Defining Benefits Approach Process Future? Problem of Process

  10. Assessing Cost-Effectiveness • Quantifying Risks 1 o a CHANCE of a successful attack o IMPACT of a successful attack b 2 • Effectiveness of mitigations o Highest reduction in probability of successful attack o (want to reduce risks where they have a high impact ) • 3 Cost o Estimated costs of implementing mitigations a o Estimated costs of risks affecting nodes b 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  11. Quantifying Risks 1 a CHANCE of a successful attack • Probability of successful attack – based on… o different parameters for different risks • Example Risks could be quite different Indicative Parameters 1. Compromised Hardware -> quantities procured, percentage compromised 2. IP Theft -> # of people security cleared, percentage threats 3. DOS attack – national scale -> SME judged /work-shopped quantities? • Parameters may have different values for each node in the network 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  12. Quantifying Risks 1 a CHANCE of a successful attack • Uncertainty – MUST capture the ‘error margins’ o Three point estimating E.g. ‘Best Case’, ‘Most Likely’, ‘Worst Case’  Weighted mean value o o Manually set distributions – eliciting uncertainty • Range of inputs Background work  through to  best judgement o • Identify and engage relevant Subject Matter Experts 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  13. Quantifying Risks 1 a CHANCE of a successful attack Risk Propagation - problem Nodes: Risk 1 • For Risk x 5x10 -4 2x10 -3 o Mean probability of occurrence at each node • Usually 1x10 -5 o (unmitigated) probabilities of occurrence 1x10 -3 3x10 -3 o ‘at risk’ assets not connected • Cyber o consider propagation of risks 1x10 -2 o ‘at risk’ assets are connected 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  14. Quantifying Risks 1 a CHANCE of a successful attack Risk Propagation - treatment Nodes: Risk 1 Low Security High Security • Two connection types? • Conditional probabilities o Per risk per connection? 5x10 -4 2x10 -3 5x10 -4 2x10 -3 0.2 0.1 o Two-way value, or one-way 0.1 0.1 0.2 0.2 values? 1x10 -5 1x10 -5 • Implications o Simulation/modelling of 0.1 0.3 0.4 probability 0.1 1x10 -3 3x10 -3 1x10 -3 3x10 -3 0.1 o Triggers an impact at the node 1x10 -2 1x10 -2 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  15. Quantifying Risks 1 a CHANCE of a successful attack • CHANCE of a successful attack Summary – o Detailed/not detailed info on risks o Capture uncertainty o Probabilities of Propagation o Use Subject Matter Expert judgement (where needed) 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  16. Quantifying Risks 1 b IMPACT of a successful attack Impact • How bad is the loss of an asset? 1. Categories e.g. … • Military Operations • Trade • Energy 2. Time scale 3. Confidentiality, Integrity or Availability (loss of privacy, loss of trust, loss of presence) Impacts Categories # Time scales? C/I/A 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  17. Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0  6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 5 5 Selection 1 ComHQ Availability 4 Selection 2 Short Term MOD Major Contractor For Category: 3 2 Military Ops NatGrid 0 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  18. Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0  6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 2 2 Selection 1 ComHQ Availability 6 Selection 2 Long Term MOD Major Contractor For Category: 5 5 Military Ops NatGrid 5 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  19. Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0  6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 4 5 Selection 1 ComHQ Confidentiality 3 Selection 2 Short Term MOD Major Contractor For Category: 2 2 Military Ops NatGrid 0 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  20. Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0  6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 2 3 Selection 1 ComHQ Confidentiality 6 Selection 2 Long Term MOD Major Contractor For Category: 5 3 Military Ops NatGrid 0 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  21. Quantifying Risks 1 b IMPACT of a successful attack • IMPACT of a successful attack Summary – o Minimum information to capture wider impacts: o Categories o Time Scales o Confidentiality, Integrity, Availability 1 2 3 Defining Benefits Approach Process Future? Problem of Process

  22. Effectiveness of Mitigations 2 2 • Effectiveness of mitigations o How much does CHANCE of a successful attack decrease? o (how high an impact might there be if attack is successful) • Similar to assessing CHANCE of a successful attack… • Summary – o Detailed/not detailed info on mitigations o Capture uncertainty o Probabilities of Propagation o Use Subject Matter Expert judgement (where needed) 1 2 3 Defining Benefits Approach Process Future? Problem of Process

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Designing a Cost-Effectiveness Analysis All aspects of the interventions that may affect their

Designing a Cost-Effectiveness Analysis All aspects of the interventions that may affect their

Designing CEAs Doug Owens, MD, MSc Recommendations of the Second Panel on Cost-Effectiveness in Health and Medicine Designing a Cost-Effectiveness Analysis All aspects of the interventions that may affect their cost or effectiveness

540 views • 16 slides
Decision support for cost-effectiveness analysis of healthcare interventions Bob Goeree 1 1

Decision support for cost-effectiveness analysis of healthcare interventions Bob Goeree 1 1

Decision support for cost-effectiveness analysis of healthcare interventions Bob Goeree 1 1 University of Groningen October 2, 2014 Outline Context Problems Cost-effectiveness analysis Live Demo Limitations Future work New interventions

373 views • 23 slides
Cost Effectiveness Analysis Lani Trenouth Research Officer ACF International March 2015

Cost Effectiveness Analysis Lani Trenouth Research Officer ACF International March 2015

Cost Effectiveness Analysis Lani Trenouth Research Officer ACF International March 2015 What is Cost-Effectiveness Analysis? Economic analysis to compare the relative total costs and effects of two or more interventions Typically

343 views • 11 slides
Cost-effectiveness analysis of catch-up hepatitis A vaccination among

Cost-effectiveness analysis of catch-up hepatitis A vaccination among

Cost-effectiveness analysis of catch-up hepatitis A vaccination among unvaccinated/partially-vaccinated children David B. Rein, PhD, MPA Director, Public Health Analytics Program NORC at the University of Chicago Meeting of the Advisory

409 views • 23 slides
Using FEMAs Benefit-Cost Analysis (BCA) Toolkit to Demonstrate Cost-Effectiveness of Hazard

Using FEMAs Benefit-Cost Analysis (BCA) Toolkit to Demonstrate Cost-Effectiveness of Hazard

Using FEMAs Benefit-Cost Analysis (BCA) Toolkit to Demonstrate Cost-Effectiveness of Hazard Mitigation Projects Washington, DC | November 2019 1 2019 CDBG-DR Program Welcome & Speakers Session Objectives Review CDBG-MIT

778 views • 60 slides
Croatian perspective cost effectiveness analysis of interferon free therapy for chronic HCV

Croatian perspective cost effectiveness analysis of interferon free therapy for chronic HCV

Croatian perspective cost effectiveness analysis of interferon free therapy for chronic HCV Neven Lovrinov, MSc.Pharm Terminal d.o.o. Croatia HCV treatment cost 2014 hot topic in media SVR rates in HCV Treatment Regimen Treatment

438 views • 39 slides
Extended Cost Effectiveness Analysis (ECEA) Carol Levin Presented at the Workshop of the

Extended Cost Effectiveness Analysis (ECEA) Carol Levin Presented at the Workshop of the

www.dcp-3.org info@dcp-3.org Extended Cost Effectiveness Analysis (ECEA) Carol Levin Presented at the Workshop of the Costing and Financing Studies of Routine Immunization Geneva, 4-6 November 2013 1/9/2014 1 Overview Background

562 views • 18 slides
Improving Naloxone Distribution in the Opioid Epidemic A cost-effectiveness analysis of naloxone

Improving Naloxone Distribution in the Opioid Epidemic A cost-effectiveness analysis of naloxone

Improving Naloxone Distribution in the Opioid Epidemic A cost-effectiveness analysis of naloxone distribution to first responders and laypeople Tarlise Townsend , Freida Blostein, Tran Doan, Sammie Madson-Olson, Paige Galecki, and David Hutton

784 views • 60 slides
Bayesian variable selection for identifying subgroups in cost-effectiveness analysis Elas Moreno

Bayesian variable selection for identifying subgroups in cost-effectiveness analysis Elas Moreno

Context Model Simulation exercise Results Application with real data Conclusions Bayesian variable selection for identifying subgroups in cost-effectiveness analysis Elas Moreno 1 FranciscoJavier Girn 2 FranciscoJos

266 views • 22 slides
Strategic Priorities Assurance Board Cyber and Cyber Enabled Crime Introduction Cyber

Strategic Priorities Assurance Board Cyber and Cyber Enabled Crime Introduction Cyber

Strategic Priorities Assurance Board Cyber and Cyber Enabled Crime Introduction Cyber Dependent crime examples of these offences are Distributed Denial of Service attack (DDOS), Account Compromise (hacking), Malware (virus) and

237 views • 7 slides
A B C Cost A Cost B Outcome A Outcome B Cost-effectiveness ratio Cost Cost i std

A B C Cost A Cost B Outcome A Outcome B Cost-effectiveness ratio Cost Cost i std

R ESULTS PRESENTATION O UTLINES Model transparency and validation (lecture 7) Deterministic results Incremental costeffectiveness ratio (ICER) Costeffectiveness plane and Efficiency frontier Deterministic sensitivity analysis

738 views • 44 slides
I. The evolution and basis for BCA (benefit cost analysis): What is BCA? What is BCA? Whence

I. The evolution and basis for BCA (benefit cost analysis): What is BCA? What is BCA? Whence

4/23/2010 Th F The Foundations and Methods for Evaluating d ti d M th d f E l ti Public Policy Effectiveness: Benefits and Costs Measures Dave Swenson Iowa State University I. The evolution and basis for BCA (benefit cost analysis):

803 views • 35 slides
Strategic Planning Strategy Management & Institutional Effectiveness Process Workshop

Strategic Planning Strategy Management & Institutional Effectiveness Process Workshop

Alia Mitkees Strategic Planning Strategy Management & Institutional Effectiveness Process Workshop 2020-2022 A GENDA Strategic Planning Process Requirements Cascade, Align and Track strategic Plans Components of a Strategic Plan

1.01k views • 42 slides
University of Alaska Board of Regents Cost Effectiveness January 18, 2019 Overview Context

University of Alaska Board of Regents Cost Effectiveness January 18, 2019 Overview Context

University of Alaska Board of Regents Cost Effectiveness January 18, 2019 Overview Context Unrestricted General Funds History Operating Budget Revenue by Source FY18 Operating Budget Revenues and Expenditures Strategic

342 views • 30 slides
Cost Effectiveness of Electrification with Air-Source Heat Pumps Jack Mayernik 8/20/2020

Cost Effectiveness of Electrification with Air-Source Heat Pumps Jack Mayernik 8/20/2020

Cost Effectiveness of Electrification with Air-Source Heat Pumps Jack Mayernik 8/20/2020 Drivers of Cost Effective of Electrification Climate Operating Cost Cost of Equipment and Instillation o New Construction o Retrofit/Upgrade o

599 views • 16 slides
Improving Nutrition through Agriculture: Cost-Effectiveness of Biofortification Dr. Howarth Bouis

Improving Nutrition through Agriculture: Cost-Effectiveness of Biofortification Dr. Howarth Bouis

Improving Nutrition through Agriculture: Cost-Effectiveness of Biofortification Dr. Howarth Bouis Director, HarvestPlus Chairs: Meera Shekar and Steven Jaffee October 6, 2015 Improving Nutrition through Agriculture: Cost-Effectiveness of

570 views • 46 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
GEOX GROUP 1Q19 SALES PRESENTATION MAY 10, 2019 1Q19 SALES | HIGHLIGHTS TOTAL SALES:EURO

GEOX GROUP 1Q19 SALES PRESENTATION MAY 10, 2019 1Q19 SALES | HIGHLIGHTS TOTAL SALES:EURO

GEOX GROUP 1Q19 SALES PRESENTATION MAY 10, 2019 1Q19 SALES | HIGHLIGHTS TOTAL SALES:EURO 260.9 MILLION, -1.3% (-1.6% AT COSTANT FOREX) MAINLY EXPLAINED BY: SLIGHT DECREASE FOR WHOLESALE (-1.9%) WITH AN IMPROVING TREND COMPARED TO THE

550 views • 11 slides
THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go

THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go

StreamableU Presentation THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go to one? 1 2 COLLEGE FAIR DOS AND DONTS HOW TO FIND A COLLEGE FAIR DONT DO NACAC - https://www.nacacfairs.org/

551 views • 5 slides
2018 Q3 sales October 30 th , 2018 Daniel Lalonde, CEO Philippe Gautier, CFO & Operations

2018 Q3 sales October 30 th , 2018 Daniel Lalonde, CEO Philippe Gautier, CFO & Operations

2018 Q3 sales October 30 th , 2018 Daniel Lalonde, CEO Philippe Gautier, CFO & Operations Director Disclaimer Certain information contained in this document may include projections and forecasts. These projections and forecasts are based on

607 views • 22 slides
Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST

Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST

Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST PAKCON 2004 Denial of Service Attacks Attempts to prevent or disturb legitimate access to co mputer resources Resources like bandwidth, services

557 views • 18 slides
Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have

Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have

Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have become prevalent in almost every aspect of our everyday lives However as the amount of wireless communication Introduction increases, the

817 views • 65 slides
Eclipse Attacks on Bitcoins Peer-to-Peer Netw ork Ethan Heilman, Alison Kendler Aviv Zohar,

Eclipse Attacks on Bitcoins Peer-to-Peer Netw ork Ethan Heilman, Alison Kendler Aviv Zohar,

Eclipse Attacks on Bitcoins Peer-to-Peer Netw ork Ethan Heilman, Alison Kendler Aviv Zohar, Sharon Goldberg Presented by Joonhyuk Lee ( slides adapted from Heilman ) CONTENTS 01. Introduction 02. Eclipse Attacks & Implications 03. How

759 views • 65 slides
Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert

Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert

Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert Cunningham MIT Lincoln Laboratory *This work is sponsored by the U.S. Air Force under Air Force Contract F19628-00-C-0002. Opinions, interpretations,

571 views • 34 slides

More recommend