Cristin result ID: 1951381
Last modified: 17 March 2022, 15:37
Result
Doctoral thesis
2021

Storyless cyber security: Modelling threats with economic incentives

Contributors:
  • Per Håkon Meland

Publisher/series

Publisher

NTNU

Series

Doctoral theses at NTNU
ISSN 2703-8084

About the result

Doctoral thesis
Year of publication: 2021
Volume: 2021
Issue: 329
Number of pages: 425
ISBN: 978-82-326-6362-0

Classification

Subject area (NPI)

Subject area: ICT
- Field: Natural sciences and technology

Description

Title

Storyless cyber security: Modelling threats with economic incentives

Abstract

Cyber risk management is about identifying, assessing and reducing risk to an acceptable level. With systems that have been in operation for some time, we might be able to make qualified risk estimations and treat them in a cost-efficient manner based on previous events and experiences. However, with storyless systems, such estimations become more a matter of guesswork, and it is hard to determine how much and what kind of security is good enough. Additionally, both old and new systems are exposed to an evolving threat environment where relying on the Maginot lines of the past could lead to brutal consequences in the future. The purpose of this PhD study has been to investigate new methods for managing cyber security risks without too much reliance on historical events. These methods belong to an area found in the intersection between threat modelling and security economics. The former is about anticipating attacks and imagining what can go wrong, often taking the mindset of an adversary. The latter is concerned with how economic mechanisms shape security. The overall research approach of the study leans towards practice-based research, where interventions and designs contribute to local practices as well as generalized knowledge. Following the principles of pragmatism, a mix of quantitative and qualitative research methods has been applied for empirical inquiry, covering problem investigation, artefact creation and evaluation. The study has complemented ongoing projects that are addressing threats and technology development within the aviation and maritime fields, and included cyber insurance as an application area for risk transfer to third parties. A general limitation is the assumed rational behaviour of both attackers and defenders, which does not cover all types of cyber threats. Furthermore, there are ethical concerns restricting the research methods and openness of results related to cyber crime investigations.
The results have been published as a collection of papers and show that subjective estimations can be supported by economic incentives when identifying threats, the likelihood of their occurrence and ways of treating them. For instance, by focusing on the capabilities that are needed for the different attack stages, we can spend less time and obtain a higher degree of reusability compared to modelling specific attack paths. Just as there is no one-solution-fits-all for threat modelling, we cannot use data types and sources for economic incentives uncritically. We have documented some of these strengths and weaknesses related to a given set of threats, and encourage others to expand this work to support the cyber risk management discipline.

Contributors

Per Håkon Meland

  • Affiliation:
    Author
    at the Department of Computer Science, Norwegian University of Science and Technology (NTNU)
  • Affiliation:
    Author
    at Software Engineering, Safety and Security, SINTEF AS

Guttorm Sindre

  • Affiliation:
    Supervisor
    at the Department of Computer Science, Norwegian University of Science and Technology (NTNU)

Karin Bernsmed

  • Affiliation:
    Supervisor
    at the Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU)

Letizia Jaccheri

  • Affiliation:
    Supervisor
    at the Department of Computer Science, Norwegian University of Science and Technology (NTNU)