“Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment

“Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment

Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a r...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Computers & security 2021-04, Vol.103, p.102163, Article 102163
Hauptverfasser: Derbyshire, Richard, Green, Benjamin, Hutchison, David
Format: Artikel
Sprache:eng
Schlagworte:
Adversary
Cost
Cyber attack
Cybersecurity
Risk assessment
Threat actor
Threat assessment
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page
container_issue
container_start_page 102163
container_title Computers & security
container_volume 103
creator Derbyshire, Richard
Green, Benjamin
Hutchison, David
description Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.
doi_str_mv 10.1016/j.cose.2020.102163
format Article
fullrecord <record><control><sourceid>proquest_cross</sourceid><recordid>TN_cdi_proquest_journals_2503172417</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><els_id>S0167404820304363</els_id><sourcerecordid>2503172417</sourcerecordid><originalsourceid>FETCH-LOGICAL-c372t-b017205d2ac6fdedb4a8f5047ffa32b3531dd274a23ae9ee7a548e26c6569bf53</originalsourceid><addsrcrecordid>eNp9kEtOwzAQhi0EEqVwAVaWWKf4kTgpYlNVvKRKbMraOPa4ctomxXYrsetB4HI9CQ5lzWqk0f-Y-RC6pmRECRW3zUh3AUaMsH7BqOAnaECrkmWCkeoUDZKozHKSV-foIoSGEFqKqhqg98P-a65WS9cusMLGWQse2ohnql1s1QIO--87PGmj026j4q_K7MAH5T-xilHpJU7NEdvOY_1Zg8fehSVWIUAI65R0ic6sWgW4-ptD9Pb4MJ8-Z7PXp5fpZJZpXrKY1ekgRgrDlBbWgKlzVdmC5KW1irOaF5waw8pcMa5gDFCqIq-ACS0KMa5twYfo5pi78d3HFkKUTbf1baqUrCA8pee0TCp2VGnfheDByo136_SMpET2JGUje5KyJymPJJPp_miCdP_OgZdBO2g1GOdBR2k695_9B4yHfy8</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2503172417</pqid></control><display><type>article</type><title>“Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment</title><source>Elsevier ScienceDirect Journals</source><creator>Derbyshire, Richard ; Green, Benjamin ; Hutchison, David</creator><creatorcontrib>Derbyshire, Richard ; Green, Benjamin ; Hutchison, David</creatorcontrib><description>Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.</description><identifier>ISSN: 0167-4048</identifier><identifier>EISSN: 1872-6208</identifier><identifier>DOI: 10.1016/j.cose.2020.102163</identifier><language>eng</language><publisher>Amsterdam: Elsevier Ltd</publisher><subject>Adversary ; Cost ; Cyber attack ; Cybersecurity ; Risk assessment ; Threat actor ; Threat assessment</subject><ispartof>Computers &amp; security, 2021-04, Vol.103, p.102163, Article 102163</ispartof><rights>2020</rights><rights>Copyright Elsevier Sequoia S.A. Apr 2021</rights><lds50>peer_reviewed</lds50><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c372t-b017205d2ac6fdedb4a8f5047ffa32b3531dd274a23ae9ee7a548e26c6569bf53</citedby><cites>FETCH-LOGICAL-c372t-b017205d2ac6fdedb4a8f5047ffa32b3531dd274a23ae9ee7a548e26c6569bf53</cites><orcidid>0000-0001-6052-0559</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://www.sciencedirect.com/science/article/pii/S0167404820304363$$EHTML$$P50$$Gelsevier$$Hfree_for_read</linktohtml><link.rule.ids>314,776,780,3537,27901,27902,65306</link.rule.ids></links><search><creatorcontrib>Derbyshire, Richard</creatorcontrib><creatorcontrib>Green, Benjamin</creatorcontrib><creatorcontrib>Hutchison, David</creatorcontrib><title>“Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment</title><title>Computers &amp; security</title><description>Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.</description><subject>Adversary</subject><subject>Cost</subject><subject>Cyber attack</subject><subject>Cybersecurity</subject><subject>Risk assessment</subject><subject>Threat actor</subject><subject>Threat assessment</subject><issn>0167-4048</issn><issn>1872-6208</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2021</creationdate><recordtype>article</recordtype><recordid>eNp9kEtOwzAQhi0EEqVwAVaWWKf4kTgpYlNVvKRKbMraOPa4ctomxXYrsetB4HI9CQ5lzWqk0f-Y-RC6pmRECRW3zUh3AUaMsH7BqOAnaECrkmWCkeoUDZKozHKSV-foIoSGEFqKqhqg98P-a65WS9cusMLGWQse2ohnql1s1QIO--87PGmj026j4q_K7MAH5T-xilHpJU7NEdvOY_1Zg8fehSVWIUAI65R0ic6sWgW4-ptD9Pb4MJ8-Z7PXp5fpZJZpXrKY1ekgRgrDlBbWgKlzVdmC5KW1irOaF5waw8pcMa5gDFCqIq-ACS0KMa5twYfo5pi78d3HFkKUTbf1baqUrCA8pee0TCp2VGnfheDByo136_SMpET2JGUje5KyJymPJJPp_miCdP_OgZdBO2g1GOdBR2k695_9B4yHfy8</recordid><startdate>202104</startdate><enddate>202104</enddate><creator>Derbyshire, Richard</creator><creator>Green, Benjamin</creator><creator>Hutchison, David</creator><general>Elsevier Ltd</general><general>Elsevier Sequoia S.A</general><scope>6I.</scope><scope>AAFTH</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>7SC</scope><scope>8FD</scope><scope>JQ2</scope><scope>K7.</scope><scope>L7M</scope><scope>L~C</scope><scope>L~D</scope><orcidid>https://orcid.org/0000-0001-6052-0559</orcidid></search><sort><creationdate>202104</creationdate><title>“Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment</title><author>Derbyshire, Richard ; Green, Benjamin ; Hutchison, David</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c372t-b017205d2ac6fdedb4a8f5047ffa32b3531dd274a23ae9ee7a548e26c6569bf53</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2021</creationdate><topic>Adversary</topic><topic>Cost</topic><topic>Cyber attack</topic><topic>Cybersecurity</topic><topic>Risk assessment</topic><topic>Threat actor</topic><topic>Threat assessment</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Derbyshire, Richard</creatorcontrib><creatorcontrib>Green, Benjamin</creatorcontrib><creatorcontrib>Hutchison, David</creatorcontrib><collection>ScienceDirect Open Access Titles</collection><collection>Elsevier:ScienceDirect:Open Access</collection><collection>CrossRef</collection><collection>Computer and Information Systems Abstracts</collection><collection>Technology Research Database</collection><collection>ProQuest Computer Science Collection</collection><collection>ProQuest Criminal Justice (Alumni)</collection><collection>Advanced Technologies Database with Aerospace</collection><collection>Computer and Information Systems Abstracts – Academic</collection><collection>Computer and Information Systems Abstracts Professional</collection><jtitle>Computers &amp; security</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Derbyshire, Richard</au><au>Green, Benjamin</au><au>Hutchison, David</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>“Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment</atitle><jtitle>Computers &amp; security</jtitle><date>2021-04</date><risdate>2021</risdate><volume>103</volume><spage>102163</spage><pages>102163-</pages><artnum>102163</artnum><issn>0167-4048</issn><eissn>1872-6208</eissn><abstract>Typical cyber security risk assessment methods focus on the system under consideration, its vulnerabilities, and the resulting impact in the event of a system compromise. Cyber security, however, increasingly requires anticipating the moves of intelligent adversaries, who make decisions based on a range of factors including the cost of their attacks. A study of current risk assessment literature and industry practice shows that consideration of this cost is a notable gap in the understanding of adversaries. The factors of cost experienced by an adversary are established in this paper as Time, Finance, and Risk, supported by a practical study undertaken with relevant security practitioners. Using these factors as a base, a framework is proposed and developed to support the probabilistic determination of cost incurred by an adversary. This framework is an important extension to existing cyber security risk assessments, and is demonstrated in the paper through the use of a case study.</abstract><cop>Amsterdam</cop><pub>Elsevier Ltd</pub><doi>10.1016/j.cose.2020.102163</doi><orcidid>https://orcid.org/0000-0001-6052-0559</orcidid><oa>free_for_read</oa></addata></record>
fulltext fulltext
identifier ISSN: 0167-4048
ispartof Computers & security, 2021-04, Vol.103, p.102163, Article 102163
issn 0167-4048
1872-6208
language eng
recordid cdi_proquest_journals_2503172417
source Elsevier ScienceDirect Journals
subjects Adversary
Cost
Cyber attack
Cybersecurity
Risk assessment
Threat actor
Threat assessment
title “Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-05T06%3A50%3A55IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=%E2%80%9CTalking%20a%20different%20Language%E2%80%9D:%20Anticipating%20adversary%20attack%20cost%20for%20cyber%20risk%20assessment&rft.jtitle=Computers%20&%20security&rft.au=Derbyshire,%20Richard&rft.date=2021-04&rft.volume=103&rft.spage=102163&rft.pages=102163-&rft.artnum=102163&rft.issn=0167-4048&rft.eissn=1872-6208&rft_id=info:doi/10.1016/j.cose.2020.102163&rft_dat=%3Cproquest_cross%3E2503172417%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2503172417&rft_id=info:pmid/&rft_els_id=S0167404820304363&rfr_iscdi=true