A Framework for Cyber Incident Modeling
Abstract
This paper proposes a framework to identify the history and current state of cyber incidents and lay the groundwork to forecast "future cyber history." Analysis of current cyber incident reporting is hindered by inconsistent data fields, and numerous data sources of recorded cyber incidents are underutilized. The proposed cyber incident analytical framework first offers a taxonomy for cyber incidents, which establishes a common incident lexicon for transforming multiple sources of data into a comparable form. By defining common parameters, the framework allows multiple sources of incident reports to be equalized and compared across many dimensions (e.g., time, locality, industry sector, attack type). A cyber incident is an observed risk that can be decomposed into two main components: susceptibility and consequence of impact. Susceptibility may be further broken down into known threats and known vulnerabilities. The consequence of a cyber incident that occurred is measurable in terms of cost, schedule, performance, and the change in behaviors. Trends can be determined by observing the resultant changes in behavior and capabilities in historical data. The change in technology/capabilities and the change in behaviors over time can then be used to forecast, and provide insights into, a "future cyber history." The proposed analytical framework helps to define, discover, and learn from past cyber incidents to drive future capabilities and future behaviors to better detect and respond to cyber incidents.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 01, 2012
- Accession Number: AD1123847
Entities
People
- Brendan Farrar-Foley
- Cameron Depuy
- Gilbert III Watson
- John W Thompson
- Rachel Greenspan
Organizations
- Institute for Defense Analyses