Risk
The accepted definition of risk in Cyber-systems is the probability of some negative outcome times the “cost” of its impact. Decision making under risk takes into account these probabilities and impacts when forming the optimal maneuver, e.g., maximizing payout while minimizing impact costs. For example, if the use of one kind of transmission medium for the image transfer in our example mission would introduce a high risk of failure or compromise, then another must be selected. Identifying these risks and making decisions based upon them are key to achieving successful outcomes (and avoiding negative side effects). Within the CRA, we are developing theories and models that relate fundamental properties and features of dynamic risk assessment algorithms to the fundamental properties of dynamic cyber threats, Army’s networks, and defensive mechanism. These risk models and metrics will then be integrated into risk calculations in the operational model. Here we combine traditional system and network risk metrics with human oriented risk metrics. In the latter, individuals (users, defenders, and attackers) and human-resource interfaces are directly integrated as a component of risk valuation. Attackers create risk; defenders mitigate risk; and users both create and mitigate risk. In the operation-based framework, each operation will include users, defenders, the user/defender interacting team, and attackers. Based on the probability of being attacked and that attack being detected, each combination of operation/user/defender/resources must select an appropriate mitigation path within the operation model. Thus, the risk related to an operation state transition is a vector of outcomes with consequences that may impact not only the task itself, but also the infrastructure, users, and other operation activities. This evaluation of risk requires us to model and verify not only individual risks, but also the interplay of risk at multiple layers and sources, and under different contexts.
CRA research has identified risk metrics for system level, human factors, and software vulnerabilities [42]. We have used human factors frameworks to identify defender trust metrics and attacker culture metrics [18][33][5] . Expertise surveys and extensive data collected during the National Guard CyberShield exercises (2015, 2016) are being used to develop defender models [19]. We have developed a Bayesian network analysis approach for risk quantification and decision-making, and demonstrated that it can capture the dynamic change in risk magnitude due to state change [17].
Having identified early candidate models, the CRA team is developing experiments for validating user metrics, systems and network metrics, risk quantification, effective representations of risk, and optimality of risk assessment vectors. For human related models, each model and sub-model are evaluated for predictability of the outcomes derived from test subjects in controlled and operational environments. These subjects will be tested as individuals and as teams (e.g., during Cyber-training events). The team is also experimenting with risk metrics in physical networked environments to measure their accuracy in multiple tactical and strategic networks and in the presence of attacks.