CISAC - Publications Page
This book discusses issues in large-scale systems in the United States and around the world. The authors examine the challenges of education, energy, healthcare, national security, and urban resilience. The book covers challenges in education, including America's use of educational funds, standardized testing, and the use of classroom technology. On the topic of energy, this book examines debates on climate, the current and future developments of the nuclear power industry, the benefits and cost decline of natural gas, and the promise of renewable energy.
Every day, security engineers cope with a flow of cyber security incidents. While most incidents trigger routine reactions, others require orders of magnitude more effort to investigate and resolve. How security operations teams in organizations should tune their response to tame extreme events remains unclear. Analyzing the statistical properties of sixty thousand security events collected over six years at a large organization, we find that the distribution of costs induced by security incidents is in general highly skewed, following a power-law tail distribution.
Despite significant interest in cybersecurity, data on cyber security incidents remains scarce. On April 16, 2015, the US Department of Energy released data on 1,131 cybersecurity incidents through a Freedom of Information Act request. While the data contains only the date, location, and type of each incident, several interesting insights can be gleaned from it. In this paper, we analyze the DOE security incident data and perform a statistical analysis of the rate of incidents.
Organizations often record cybersecurity incidents to track employee workload, satisfy auditors, fulfil reporting requirements, or analyze cyber risk. While security incident databases are often neglected, they contain invaluable information that can be leveraged to assess the threats, vulnerabilities, and impacts of cyber attacks, providing a detailed view of cyber risk in an organization. This paper emphasizes what data is useful for a risk assessment and how that data should be recorded.
Currently, significant uncertainty surrounds cyber security investments. Chief Information Security Officers do not have an effective framework to compare investments in various security safeguards, such as encryption technology, data loss prevention (DLP), or two-factor authentication. Further, there are no clear methods to assess the risk reduction associated with security investments, leaving organizations prone to purchasing ineffective products from security vendors.
Organizations routinely face risk trade-offs. Broadly modeling a system can act as decision support in the face of significant uncertainty about an organization's threats, vulnerabilities, and defenses. This paper gives an example of a policy brief discussing the security of different laptop security configurations at a large organization.
Finding the best national strategy to prevent or delay a country from acquiring nuclear weapons continues to be a critical issue for U.S. policy makers. In this paper, we build on previous work to develop a model that addresses this question. This model identifies the strategy that minimizes the disutility of the overall cost of the strategy and the cost of the consequences resulting from the strategy. We illustrate the insights that the model provides with a case study of Iran's nuclear weapons program.