Infrastructure Resilience Conference 2018


Designing Organizations for Cybersecurity Resilience

A growing number of Internet threats raise concerns about cyber existential risk, as an attack (or a series of attacks) may permanently damage an organization. Nowadays, every sizeable organization is exposed to thousands of cyber attacks per day, which must be handled by a security team: most attacks require little care or can be handled automatically in a programmatic way; some threats may temporarily overload the security team; a few may temporarily disrupt operations; while very few may be associated with existential danger, such as durable reputation damage, takeover by a competitor, or operation shutdown.

With the continuous emergence of new threats, handling cybersecurity events involves resilience: new attacks require manual security research to elaborate efficient countermeasures. Meanwhile, the treatment of recurring threats must quickly become more efficient before attacks scale in span and intensity. This learning-to-commoditization of security response is very common in cybersecurity. Yet a number of threats and "dragon-king" security incidents require substantial effort, as we have documented using a dataset of more than 60,000 events collected over 6 years at a large US organization [1].

Here, we question the resilience efforts required to minimize potential damage and to keep existential risk at a residual level. We distinguish two situations: (i) uncorrelated concomitant threats and (ii) a series of systemic threats that proceed from causality. The former requires ensuring that, at any time, the expected remediation time for any attack type is minimized, with an accurate provision of learning and preparedness. In the systemic risk situation, attackers actively test resilience capacities through a coordinated series of attacks. If the attackers detect a limited resilience capacity at an organization, then existential risk is significant.

Using our empirical data [1], we calibrate two risk models: (i) the risk of significant remediation effort at a given confidence level (e.g., the 95th percentile) and (ii) existential risk, i.e., the chance that an organization will not manage to overcome a series of concomitant idiosyncratic or systematic threats.
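To make the two quantities concrete, the following is an added illustration, not the authors' model or their dataset: it takes a constructed, heavy-tailed sample of per-incident remediation effort (synthetic log-normal draws, assumed to stand in for a real incident log), computes the effort exceeded by only 5% of incidents (the 95th-percentile model), and estimates by Monte Carlo the chance that several uncorrelated concomitant incidents together exceed the security team's capacity, which is used here as a simple proxy for the "cannot overcome concomitant threats" situation. The function names, the team-capacity figure and the choice of ten concurrent incidents are all assumptions made for the example.

```python
"""Added example: quantile-based remediation effort and a Monte Carlo
capacity-exceedance probability on a constructed incident sample.
This is illustration code, not the risk model from Kuypers et al."""
import random

# Constructed sample of remediation effort in analyst-hours per incident.
# Synthetic log-normal draws (heavy right tail); NOT the authors' dataset.
_gen = random.Random(7)
REMEDIATION_HOURS = [round(_gen.lognormvariate(1.0, 1.2), 2) for _ in range(500)]


def effort_at_confidence(samples, level=0.95):
    """Empirical quantile of per-incident effort: the effort that only a
    (1 - level) fraction of incidents exceeds.  Linear interpolation
    between order statistics (the same convention as numpy's default)."""
    if not samples:
        raise ValueError("need at least one sample")
    if not 0.0 <= level <= 1.0:
        raise ValueError("level must lie in [0, 1]")
    ordered = sorted(samples)
    pos = level * (len(ordered) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(ordered) - 1)
    frac = pos - lo
    return ordered[lo] + frac * (ordered[hi] - ordered[lo])


def _simulate_loads(samples, concurrent_incidents, trials, seed):
    """Total effort demanded by `concurrent_incidents` uncorrelated incidents,
    each drawn with replacement from the empirical sample (bootstrap)."""
    rng = random.Random(seed)
    return [sum(rng.choice(samples) for _ in range(concurrent_incidents))
            for _ in range(trials)]


def exceedance_probability(samples, capacity_hours, concurrent_incidents,
                           trials=20000, seed=0):
    """Monte Carlo estimate of P(total load > capacity): the chance that the
    concomitant incidents together demand more than the team can absorb."""
    loads = _simulate_loads(samples, concurrent_incidents, trials, seed)
    exceeded = sum(1 for load in loads if load > capacity_hours)
    return exceeded / trials


def capacity_for_residual_risk(samples, concurrent_incidents, residual=0.01,
                               trials=20000, seed=0):
    """Smallest team capacity (hours) such that the exceedance probability
    is at most `residual`, i.e. the (1 - residual) quantile of total load."""
    loads = _simulate_loads(samples, concurrent_incidents, trials, seed)
    return effort_at_confidence(loads, 1.0 - residual)


if __name__ == "__main__":
    # Assumed planning inputs for the illustration.
    team_capacity_hours = 200.0   # hours the team can spend in the window
    concurrent = 10               # incidents assumed to land together
    p95 = effort_at_confidence(REMEDIATION_HOURS, 0.95)
    p_exceed = exceedance_probability(REMEDIATION_HOURS, team_capacity_hours,
                                      concurrent)
    needed = capacity_for_residual_risk(REMEDIATION_HOURS, concurrent, 0.01)
    print(f"95th-percentile effort per incident: {p95:.1f} h")
    print(f"P(load of {concurrent} incidents > {team_capacity_hours:.0f} h): "
          f"{p_exceed:.3f}")
    print(f"capacity keeping that risk under 1%: {needed:.1f} h")
```

The bootstrap treats incidents as independent draws, which matches the uncorrelated concomitant case (i) only; a coordinated series of attacks in case (ii) would require modelling the dependence between successive incidents, which this example does not attempt.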

As cybersecurity threats become more frequent, more efficient, and more adaptive, a quantitative understanding of cyber resilience is critical for management, for the development of cyber risk transfer (e.g., cyber-insurance), and for the quantification of third-party risk.

[1] Kuypers, M., Maillart, T. & Paté-Cornell, E. An Empirical Analysis of Cyber Security Incidents at a Large Organization. Stanford Working Paper, 2016.

Thomas Maillart
University of Geneva
Switzerland

Marshall Kuypers
Qadium Inc.
United States
