Customized and Adaptive approach for Optimal Cybersecurity Investment

Lead Research Organisation: Imperial College London
Department Name: Institute for Security Science and Tech

Abstract

The proposed research aims to help organisations make better cybersecurity investments. For example, is it better in a given organization to prioritise a policy of changing passwords over patching software regularly? How frequently should passwords be changed? Should all employees scan all USB sticks for malware? The answers to these kinds of questions largely depend on the type of organization and the specific threats it faces. For example, while requiring employees to change passwords often may decrease the threat from some kinds of attacks, it also imposes costs on the organization, both in help desk workload and in employee productivity. Are these costs justified? It depends on the specific organization and the threats it faces.
There is no one-size-fits-all solution in cybersecurity, hence a cybersecurity investment plan should start with an appropriate model of the organization and its threat profile. We will build such a model, which will formally capture important aspects of the socio-human-technical characteristics of the organization and its exposure to attacks.
This model will inform our decision support engine, which will evolve from our recent research using optimisation and game theory. In this project we will refine our existing decision support engine.
One of the planned refinements concerns the possible threats faced: is the attacker someone just exploring the web for weak websites, a criminal targeting that specific organization, or maybe an employee of a foreign intelligence agency? The mathematical modelling of these different attackers presents challenges. Other refinements deal with the different ways security controls can be combined, for example how to measure the effectiveness of changing passwords and encryption in relation to an attacker who wants to steal data: do they combine additively (i.e. are independent) or multiplicatively (i.e. are totally correlated)?
We also want our engine to be resilient, i.e. we want to give meaningful advice even if the data is not very precise, and we want it to be robust, i.e. it should provide security guarantees even when the data is not very precise.
We will enrich our decision support engine with adaptivity so that, once deployed, it is capable of adapting to changes in the organisation, the threat profile and the general societal environment. For example, the investment advice should change if a major new attack has been reported (for example the Heartbleed and Shellshock vulnerabilities in 2014), or if a new, more effective security control is available.
Our research will provide both theoretical and practical advances on these challenging issues. The practical advance will be in the form of prototype tools. We will measure our achievements via validation of these prototype tools. The validation will start by comparing our calculated investment strategy with expert advice and will evolve to larger case studies involving our partners and careful deployment in the field.

Planned Impact

The proposers have collaborated in the Games and Abstraction project, which was part of the Research Institute in Science of Cyber Security. The current proposal builds on the experience that we have gained from that work. Through RISCS we have made good contacts with industrial partners and government stakeholders which will inform the detailed approach and case studies which we will develop in this project. It is expected that one outcome of the work will be a toolset which could be commercialised.

The case studies may also have policy implications. We will assess these as they arise and pursue this aspect through GCHQ and our links to other Government agencies, through the Institute for Security Science and Technology at Imperial College.