Insights and Commentaries

Managing cyber risks

Prof Marie-Elisabeth Paté-Cornell discusses the available options and approaches

29 July 2018

Managing cyber security in an organisation involves allocating the protection budget across a spectrum of possible options. This process requires an assessment of the benefits and costs of these options. Professor Marie-Elisabeth Paté-Cornell from Stanford University gave a talk on 29 June 2018 at NUS. She shared her team’s work in this field and discussed the available options and approaches in managing cyber risk.

The presentation started with a description of a general model of cyber risk in a specified organisation. Prof Paté-Cornell then proceeded to share five examples (“vignettes”) based on the work of her team. The first is a probabilistic risk analysis framework, based on statistics when relevant data are available, for high-consequence attack scenarios that may not have happened yet. The second is a systems analysis of cyber risks for a smart, connected electric grid, showing that there is an optimal level of connectivity and of use of human resources. The third is an analysis of sequential decisions and optimal timing to upgrade or change the software of an existing operating system to stay ahead of adversaries trying to find their way in. The fourth and the fifth are work in progress: one is designed to provide warnings at all stages of an attack (planning, entry, maneuver in the system, exfiltration and exploitation of stolen information), and the other is focused on the cyber aspects of fake news, and on ways to anticipate, recognise and react to the risk that it poses, in particular at the time of elections and in military situations.