Quantifying Risk for Decentralized Offensive Cyber Operations
Naval Postgraduate School Monterey United States
As computer networks have become ubiquitous, the amount of information stored within government computer networks has grown exponentially. With the possibility of further decentralization of authorities to conduct offensive cyber operations, organizations below the national level are unable to adequately assess risks and the associated consequences of these offensive operations due to the lack of exposure, experience, and education of staff personnel. Compounding this problem are the heuristics and biases used in decision making when the requisite expertise is absent. This lack of understanding of risks, together with potentially faulty decision making, presents a gap in command and control structures. This research explores the question: How effective is a simulation framework incorporating both subject matter expertise and assessments of uncertainty at overcoming the inexperience of decision makers in assessing risk and subsequent decision making within new operations? This research effort expands multi-criteria decision making theory by accounting for and incorporating both the expertise and the uncertainty of the experts into the framework. The proposed framework was tested at national-level cyber organizations and CCMD exercises. The results were then compared to see if the framework could mitigate inexperience. The results show that organizations unfamiliar with cyber operations are able to assess risks at a proficiency level equivalent to an experienced organization.
- Computer Systems Management and Standards