Resilience of Cyber Systems with Over‐ and Underregulation
Abstract
Recent cyber attacks provide evidence of increased threats to our critical systems and infrastructure. A common reaction to a new threat is to harden the system by adding new rules and regulations. As federal and state governments request new procedures to follow, each of their organizations implements its own cyber defense strategies. This unintentionally increases the time and effort that employees spend on training and policy implementation and decreases the time and latitude available to perform critical job functions, thus raising overall levels of stress. People's performance under stress, coupled with an overabundance of information, results in even more vulnerabilities for adversaries to exploit. In this article, we embed a simple regulatory model that accounts for cybersecurity human factors and an organization's regulatory environment in a model of a corporate cyber network under attack. The resulting model demonstrates the effect of under‐ and overregulation on an organization's resilience with respect to insider threats. Currently, there is a tendency to use ad‐hoc approaches to account for human factors rather than to incorporate them into cyber resilience modeling. It is clear that using a systematic approach that utilizes behavioral science, which already exists in cyber resilience assessment, would provide a more holistic view for decision makers.
Document Details
- Document Type: Pub Defense Publication
- Publication Date: Dec 09, 2016
- Source ID: 10.1111/risa.12729
Entities
People
- Alexander A. Ganin
- Igor Linkov
- Jeffrey M Keisler
- Jeremy Kepner
- Viktoria Gisladottir
Organizations
- Engineer Research and Development Center
- MIT Lincoln Laboratory
- United States Army Corps of Engineers
- University of Massachusetts
- University of Virginia