Paper Type

Complete

Abstract

Governing and overseeing cyber security strategy is an extremely important precondition to sustainable business continuity. This applies to all IT-reliant enterprises and especially critical infrastructure. However, the inevitability of human behavioral limitations, imperfections in security-boosting technology, and adversarial evolution guarantee that businesses will regularly face cyber threats. Managing the complex, dynamic nature of the modern cybersecurity landscape requires a different toolset. In our anonymized critical infrastructure case study – a financial Fortune 500 organization – we augmented a cyber risk management approach with a System Dynamics approach to simulate the future performance of the current cyber security strategy. We compared our results with the organization's current reporting structure. Unlike this reporting structure, our simulation results were able to provide early warnings about future strategy failure, estimate the ‘shelf time’ of this strategy, identify multiple failing security measures (lapses in control), and foresee potential breach impacts.

Paper Number

1250

Comments

SIGSEC

Aug 16th, 12:00 AM

Strengthening Managerial Foresight to Defeat Cyber Threats
