Efforts to secure and defend public- and private-sector cyber systems rely in part on information sharing. Information sharing strengthens the nation’s cybersecurity posture by allowing participating entities to have the broadest possible understanding of the tactics, techniques, and...

Technological revolutions bring opportunities, but sometimes even greater threats. This ‘paradox of progress’ affects cyberspace and threatens the very principle and foundation of the open internet. The global debate on cyber-governance is currently in a stalemate on the norms for global...

Medical devices are increasingly connected, both to cyber networks and to sensors collecting data from physical stimuli. These cyber-physical systems pose a new host of deadly security risks that traditional notions of cybersecurity struggle to take into account. Previously, we could predict how...

Beyond doubt the humanity has entered an age of data dominance. As the need for safety and predictability grows, it becomes increasingly difficult to balance security and individual civil liberties. Therefore, the balance between security and these liberties is not constant and perfect, given...

Cyber risk, a type of operational risk, is today considered a key component in the enterprise risk management framework. Under BASEL regulations, a bank could recognize the risk mitigating impact of the Cyber Liability Insurance (CLI) contract while calculating the minimum operational risk...

This paper presents mathematical models for cyber breach probability as function of security spending in protecting a firm's ICT systems. We derive optimal level of security investment as percentage of value-at-risk. We show that the upper bound of optimal investment can be 1/e, 1/√2π or...

In a world that is increasingly connected on-line, cyber risks become critical. Cyber risk management is very difficult, as cyber loss data are typically not disclosed. To mitigate the reputational risks associated with their disclosure, loss data may be collected in terms of ordered severity...

We build an analytical framework to model the strategic interactions between a firm and hackers. Firms invest in security to defend against cyber attacks by hackers. Hackers choose an optimal attack, and they share information with each other about the firm's vulnerabilities. Each hacker prefers...

Under-reporting in cyber incidents is a well-established problem. Due to reputational risk and the consequent financial impact, a large proportion of incidents are never disclosed to the public, especially if they do not involve a breach of protected data. Generally, the problem of...