skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Cyber Third-Party Risk Management: A Comparison of Non-Intrusive Risk Scoring Reports
Cybersecurity is a concern for organizations in this era. However, strengthening the security of an organization’s internal network may not be sufficient since modern organizations depend on third parties, and these dependencies may open new attack paths to cybercriminals. Cyber Third-Party Risk Management (C-TPRM) is a relatively new concept in the business world. All vendors or partners possess a potential security vulnerability and threat. Even if an organization has the best cybersecurity practice, its data, customers, and reputation may be at risk because of a third party. Organizations seek effective and efficient methods to assess their partners’ cybersecurity risks. In addition to intrusive methods to assess an organization’s cybersecurity risks, such as penetration testing, non-intrusive methods are emerging to conduct C-TPRM more easily by synthesizing the publicly available information without requiring any involvement of the subject organization. In this study, the existing methods for C-TPRM built by different companies are presented and compared to discover the commonly used indicators and criteria for the assessments. Additionally, the results of different methods assessing the cybersecurity risks of a specific organization were compared to examine reliability and consistency. The results showed that even if there is a similarity among the results, the provided security scores do not entirely converge.  more » « less
Award ID(s):
1948261
PAR ID:
10315378
Author(s) / Creator(s):
; ; ; ;
Date Published:
Journal Name:
Electronics
Volume:
10
Issue:
10
ISSN:
2079-9292
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, 2019 IEEE International Conference on Web Services (ICWS))
    With the rapid adoption of web services, the need to protect against various threats has become imperative for organizations operating in cyberspace. Organizations are increasingly opting to get financial cover in the event of losses due to a security incident. This helps them safeguard against the threat posed to third-party services that the organization uses. It is in the organization’s interest to understand the insurance requirements and procure all necessary direct and liability coverages. This helps transfer some risks to the insurance providers. However, cyber insurance policies often list details about coverages and exclusions using legalese that can be difficult to comprehend. Currently, it takes a significant manual effort to parse and extract knowledgeable rules from these lengthy and complicated policy documents. We have developed a semantically rich machine processable framework to automatically analyze cyber insurance policy and populate a knowledge graph that efficiently captures various inclusion and exclusion terms and rules embedded in the policy. In this paper, we describe this framework that has been built using technologies from AI, including Semantic Web, Modal/ Deontic Logic, and Natural Language Processing. We have validated our approach using industry standards proposed by the United States Federal Trade Commission (FTC) and applying it against publicly available policies of 7 cyber insurance vendors. Our system will enable cyber insurance seekers to automatically analyze various policy documents and make a well informed decision by identifying its inclusions and exclusions. 
    more » « less
  2. ; ; (, 2017 55th Annual Allerton Conference on Communication, Control, and Computing (Allerton))
    We study the problem of designing cyber insurance policies in an interdependent network, where the loss of one agent (a primary party) depends not only on his own effort, but also on the investments and efforts of others (third parties) in the same eco-system (i.e., externalities). In designing cyber insurance policies, the conventional wisdom is to avoid insuring dependent parties for two reasons. First, simultaneous loss incidents threaten the insurer's business and capital. Second, when a loss incident can be attributed to a third party, the insurer of the primary party can get compensation from the insurer of the third party in order to reduce its own risk exposure. In this work, we analyze an interdependent network model in order to understand whether an insurer should avoid or embrace risks interdependencies. We focus on two interdependent agents, where the risk of one agent (primary party) depends on the other agent (third party), but not the other way around. We consider two potential scenarios: one in which an insurer only insures a primary party, and another one in which the insurer of the primary party further insures the third party agent. We show that it is in fact profitable for the primary party's insurer to insure both agents. Further, we show that insuring both agents not only provides higher profit for the insurer, but also reduces the collective risk. 
    more » « less
  3. ; ; ; ; ; ; ; (, Resilience Week Symposium (RWS))
    Cyber physical system (CPS) Critical infrastructures (CIs) like the power and energy systems are increasingly becoming vulnerable to cyber attacks. Mitigating cyber risks in CIs is one of the key objectives of the design and maintenance of these systems. These CPS CIs commonly use legacy devices for remote monitoring and control where complete upgrades are uneconomical and infeasible. Therefore, risk assessment plays an important role in systematically enumerating and selectively securing vulnerable or high-risk assets through optimal investments in the cybersecurity of the CPS CIs. In this paper, we propose a CPS CI security framework and software tool, CySec Game, to be used by the CI industry and academic researchers to assess cyber risks and to optimally allocate cybersecurity investments to mitigate the risks. This framework uses attack tree, attack-defense tree, and game theory algorithms to identify high-risk targets and suggest optimal investments to mitigate the identified risks. We evaluate the efficacy of the framework using the tool by implementing a smart grid case study that shows accurate analysis and feasible implementation of the framework and the tool in this CPS CI environment. 
    more » « less
  4. ; (, International Journal of Hydrogen Energy)
    Existing natural gas pipelines can facilitate low-cost, large-scale hydrogen transportation and storage, but hydrogen may entail safety challenges. These challenges stem from hydrogen’s different properties compared to natural gas, such as higher ignition probability, different flame behavior, and potential for hydrogen embrittlement. Although risk assessments for hydrogen pipelines are increasing, the impact of hydrogen on the risk of third-party excavation damage (TPD), the major cause of pipeline incidents in the U.S., has received little attention. This work presents the SHyTERP model for Safe Hydrogen Transportation and Excavation Risk Prevention for Pipelines. The model incorporates causal models, excavation damage and pipeline failure statistics, and validated physical models of hydrogen and natural gas release and jet flame behavior. Through four case studies, the model compares the TPD risks of hydrogen and natural gas pipelines, offering insights and recommendations for the safe implementation of hydrogen in existing pipelines. 
    more » « less
  5. ; ; ; (, SPIE)
    Harguess, Joshua D; Bastian, Nathaniel D; Pace, Teresa L (Ed.)
    Outsourcing computational tasks to the cloud offers numerous advantages, such as availability, scalability, and elasticity. These advantages are evident when outsourcing resource-demanding Machine Learning (ML) applications. However, cloud computing presents security challenges. For instance, allocating Virtual Machines (VMs) with varying security levels onto commonly shared servers creates cybersecurity and privacy risks. Researchers proposed several cryptographic methods to protect privacy, such as Multi-party Computation (MPC). Attackers unfortunately can still gain unauthorized access to users’ data if they successfully compromise a specific number of the participating MPC nodes. Cloud Service Providers (CSPs) can mitigate the risk of such attacks by distributing the MPC protocol over VMs allocated to separate physical servers (i.e., hypervisors). On the other hand, underutilizing cloud servers increases operational and resource costs, and worsens the overhead of MPC protocols. In this ongoing work, we address the security, communication and computation overheads, and performance limitations of MPC. We model this multi-objective optimization problem using several approaches, including but not limited to, zero-sum and non-zero-sum games. For example, we investigate Nash Equilibrium (NE) allocation strategies that reduce potential security risks, while minimizing response time and performance overhead, and/or maximizing resource usage. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email