Security Behaviours and Risk Quantification (available)

Starting Date: June 2019
Duration: 3 months
Time commitment: Full-time
Prerequisites: Statistics, behavioural studies

Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. Apart from improving the infrastructure and hardware through better technology, one of the most important security aspects is the risk assessment of potential breaches, in an ever increasingly complex threat landscape.

Most current risk assessment methods do not follow quantitative approaches, but rather rely on highly subjective qualitative approaches, which have been shown to be suboptimal and counterproductive for the decision-making process. D. Hubbard and R. Seiersen suggested a different direction for cybersecurity, based on the quantification of risk, in their book “How to Measure Anything in Cybersecurity Risk”. Their approach makes use of mathematical methods while incorporating the security expert’s judgement, and has been shown to provide substantially better results.

The subjective element of the human factor, however, can still negatively affect the risk management process, for example through the overconfidence of experts in assessing threats. Research results, e.g. by D. Kahneman and A. Tversky, suggest that a “calibration” process can significantly improve the decision-making skills of trained individuals. This is based on the concept of dual process theory, which suggests that any thought can be attributed to one of two systems: the impulsive, low-effort System 1, and the reflective, computationally expensive System 2. The aim of the aforementioned calibration procedure is to minimise potential exposure to behavioural biases.
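To make the two preceding paragraphs concrete, the following is an added example (not code from the project or from Hubbard and Seiersen's book) of the book's basic "one-for-one substitution" model: each risk gets an expert-estimated annual probability and a calibrated 90% confidence interval on impact, the interval is mapped to a lognormal distribution, and a Monte Carlo simulation yields the annual loss distribution. A small calibration score, the share of an expert's 90% intervals that actually contained the true value, is included as the check used to detect the overconfidence the text describes; the risk values and the intervals in the test are constructed.

```python
import math
import random

Z90 = 1.645  # z-score bounding the central 90% of a normal distribution


def lognormal_params(lower, upper):
    """Map a calibrated 90% CI [lower, upper] on monetary impact to
    lognormal (mu, sigma): lower and upper become the 5th and 95th
    percentiles of the distribution."""
    if not 0 < lower < upper:
        raise ValueError("need 0 < lower < upper")
    mu = (math.log(upper) + math.log(lower)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(risks, trials=20000, seed=1):
    """risks: list of (annual_probability, ci_lower, ci_upper) per risk.
    Returns one simulated total loss per trial year."""
    rng = random.Random(seed)
    params = [(p, *lognormal_params(lo, hi)) for p, lo, hi in risks]
    losses = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:          # did the event occur this year?
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return losses


def loss_exceedance(losses, threshold):
    """Probability that annual loss exceeds threshold (one point on the
    loss exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def calibration_score(intervals, actuals):
    """Fraction of an expert's 90% intervals that contained the true
    value; a well-calibrated expert scores close to 0.9, an
    overconfident one scores well below it."""
    hits = sum(1 for (lo, hi), a in zip(intervals, actuals) if lo <= a <= hi)
    return hits / len(actuals)
```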

The goal of this project is to review the existing risk management methodologies in use, and to explore further use of mathematical tools to aid the decision-making process. Furthermore, considering the results of prospect theory, we aim to propose further research experiments to improve the Hubbard model, focusing on the points in the model’s architecture that include the human component. The results will be very useful for the exponentially expanding field of cyber risk management.

The student should have good knowledge of mathematical and statistical models. Familiarity with statistical analysis software, as well as an interest in prospect theory and behavioural studies, is important. Furthermore, the student should be willing to study the literature on risk management, experimental economics and related topics.