Abstract
The trend of digitization in various industrial systems has exposed them to an increasing number of cyberattacks. Therefore, it is of vital importance to reduce the cybersecurity risk of industrial systems through cost-effective decisions on cybersecurity investment. In making such decisions, the defender is usually faced with challenges that arise from incomplete information about the attacker. In this paper, we propose a Bayesian game approach to model the optimal cybersecurity investment strategy under such situations. In this approach, the defender categorizes the attacker into a finite number of types, e.g., various levels of capability, and assigns a probability distribution over the different types of attackers. Then, the defender optimizes his/her cybersecurity investment based on risk assessment considering the possible attack efforts of these various types of attackers, with the objective of minimizing the expected cyberattack loss and the cybersecurity investment cost. The proposed method is demonstrated using a numerical example. We perform a sensitivity analysis for model parameters that can be difficult to obtain in practical applications, e.g., the defender's loss caused by a successful attack. Key observations of the example include the threshold principle (i.e., the defender should not make any investment if the loss of a successful attack is below a certain threshold) and the conservation of loss (i.e., losses for one type of attacker may correspond to gains for another type of attacker). The proposed method can be used to support cybersecurity investment decisions by industrial system owners.
Original language | English (US) |
---|---|
State | Published - 2022 |
Event | 16th International Conference on Probabilistic Safety Assessment and Management, PSAM 2022 - Honolulu, United States Duration: Jun 26 2022 → Jul 1 2022 |
Conference
Conference | 16th International Conference on Probabilistic Safety Assessment and Management, PSAM 2022 |
---|---|
Country/Territory | United States |
City | Honolulu |
Period | 6/26/22 → 7/1/22 |
ASJC Scopus subject areas
- Safety, Risk, Reliability and Quality