The advancements beyond the state of the art to be provided in CYBECO are summarised as follows:
Modeling intentionality in cybersecurity
A cyber security risk management framework based on Adversarial Risk Analysis (ARA), to cope with intentional attacks, and standard Risk Analysis, to cope with non-intentional attacks. It incorporates findings from attacker behaviour. It will greatly improve attack forecasting approaches.
Addressing the lack of cybersecurity data using structured expert judgements and behavioural economic experiments
Adopting Structured Expert Judgment methods allows us to better calibrate and debias cyber-attack experts when forecasting threats and their impacts. These methods are combined with ARA methods to account for intentionality. The design and development of behavioural economic experiments helps us to get reliable information beyond the ‘cyber security’ paradox, which leads to inappropriate models in support of decision-making.
Incorporate Structured Expert Judgment during the risk assessment phase. Project the potential outcome of risk scenarios based on the intentional modelling of threat actors to improve forecasts of their actions. Provide an integrated methodology for utilizing such risk assessment on real-world cyber insurance use-cases, with direct applications in the insurance industry.
Developing synergies between the proposed methodology and the lessons learnt by the team in (1) safe/unsafe online behaviour (the Bicyber project), (2) the CHAISE choice architecture project, and (3) research and transfer of knowledge to behavioural insurance.
Tools for supporting decision making for cyber security
Integrating risk analysis and adversarial risk analysis in the modelling methodology, incorporating Structured Expert Judgment methods for forecasts and Multi-Attribute Utility Theory for evaluation, and including cyber insurance in the security portfolio. Turning the methodology into a prototype toolbox.
Identifying policy nudges in cyber security
Develop a methodology to assess cyber insurance-based policy nudges, building on the results and methods of policy nudge analysis in other areas of cybersecurity.