Award Abstract # 1616575
TTP: Small: Network-Level Security Posture Assessment and Predictive Analytics: From Theory to Practice

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: REGENTS OF THE UNIVERSITY OF MICHIGAN
Initial Amendment Date: August 9, 2016
Latest Amendment Date: May 29, 2020
Award Number: 1616575
Award Instrument: Standard Grant
Program Manager: Rob Beverly
  CNS Division Of Computer and Network Systems
  CSE Directorate for Computer and Information Science and Engineering
Start Date: August 15, 2016
End Date: July 31, 2021 (Estimated)
Total Intended Award Amount: $499,982.00
Total Awarded Amount to Date: $515,982.00
Funds Obligated to Date: FY 2016 = $499,982.00
FY 2020 = $16,000.00
History of Investigator:
  • Mingyan Liu (Principal Investigator)
    mingyan@eecs.umich.edu
  • Manish Karir (Co-Principal Investigator)
Recipient Sponsored Research Office: Regents of the University of Michigan - Ann Arbor
1109 GEDDES AVE STE 3300
ANN ARBOR
MI  US  48109-1015
(734)763-6438
Sponsor Congressional District: 06
Primary Place of Performance: University of Michigan Ann Arbor
1301 Beal Avenue
Ann Arbor
MI  US  48109-2122
Primary Place of Performance Congressional District: 06
Unique Entity Identifier (UEI): GNJ7BBP73WE9
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001617DB NSF RESEARCH & RELATED ACTIVIT
01002021DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 025Z, 7434, 7923, 9102, 9178, 9251
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

This project addresses the following two key questions in cyber security: (1) how is the security condition of a network assessed, and (2) to what extent can we predict data breaches or other cyber security incidents for an organization. The ability to answer both questions has far-reaching social and economic impact. Recent data breaches such as those at Target, JP Morgan, Home Depot, Office of Personnel Management (OPM), and Anthem Healthcare, to name just a few, highlight the increasing social and economic impact of such cyber security incidents. Often, by the time a breach is detected, it is too late and damage has already occurred. Consequently, being able to predict such incidents accurately can greatly enhance an organization's ability to put preventative and proactive measures in place. The answers to these questions also have implications on public policy design - not only for the security policies themselves, but also for related incentive mechanisms. Such mechanisms might be aimed at encouraging adoption of better security policies and cybersecurity frameworks, including cyber insurance, liability limitation, and rate recovery among others. Presidential Policy Directive (PPD) 21, on Critical Infrastructure Security and Resilience, encourages efforts to strengthen and maintain secure, functioning, and resilient critical infrastructure. Understanding the potential attack vector presented by an enterprise or organization is a crucial part of achieving this goal.

This project follows a comprehensive agenda aimed at transitioning to practice technologies developed by the research team in the domain of quantitative assessment of the security posture at both a network and an organizational level. The use of such assessments enables more accurate forecasting of cyber security incidents. The technological innovation is a sound quantitative framework that combines a large collection of cybersecurity data, novel data processing methods, advanced machine learning techniques, and extensive cybersecurity domain expertise. The resulting framework produces accurate predictions of security incidents for a given organization, thereby providing tangible information and crucial input for decision makers such as an insurance underwriter, or an enterprise customer seeking to validate vendor specifications.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH


(Showing: 1 - 10 of 20)
M. Khalili, and M. Liu "Effective Premium Discrimination for Designing Cyber Insurance Policies with Rare Losses" Conference on Decision and Game Theory for Security (GameSec), 2019
M. Khalili, M. Liu and S. Romanosky "Embracing and Controlling Risk Dependency in Cyber-insurance Policy Underwriting" Journal on Cybersecurity, v.5, 2019 10.1093/cybsec/tyz010
Khalili, Mohammad Mahdi and Zhang, Xueru and Liu, Mingyan "Incentivizing effort in interdependent security games using resource pooling" Proceedings of the 14th Workshop on the Economics of Networks, Systems and Computation, 2019 10.1145/3338506.3340272
A. Sarabi and M. Liu "Characterizing the Internet Host Population Using Deep Learning: A Universal and Lightweight Numerical Embedding" International Measurement Conference (IMC), 2018
C. Xiao, A. Sarabi, Y. Liu, B. Li, M. Liu, and T. Dumitras "From Patching Delays to Infection Symptoms: Using Risk Profiles for an Early Discovery of Vulnerabilities Exploited in the Wild" USENIX Security Symposium, 2018
Khalili, Mohammad Mahdi and Naghizadeh, Parinaz and Liu, Mingyan "Designing Cyber Insurance Policies: The Role of Pre-Screening and Security Interdependence" IEEE Transactions on Information Forensics and Security, v.13, 2018 10.1109/TIFS.2018.2812205
M. Khalili, M. Liu, and S. Romanosky "Embracing and Controlling Risk Dependency in Cyber Insurance Policy Underwriting" The Annual Workshop on the Economics of Information Security (WEIS), 2018
M. Khalili, P. Naghizadeh, and M. Liu "Designing Cyber Insurance Policies in the Presence of Security Interdependence" The 12th Workshop on the Economics of Networks, Systems and Computation (NetEcon), 2017
M. Khalili, P. Naghizadeh, and M. Liu "Designing Cyber Insurance Policies: Mitigating Moral Hazard Through Security Pre-Screening" International Conference on Game Theory for Networks (GameNets), 2017
M. Khalili, P. Naghizadeh, and M. Liu "Designing Cyber Insurance Policies: The Role of Pre-Screening and Security Interdependence" IEEE Transactions on Information Forensics & Security (TIFS), v.13, 2018, p.2226
M. Khalili, P. Naghizadeh, and M. Liu "Embracing Risk Dependency in Designing Cyber-Insurance Contracts" Annual Allerton Conference on Control, Communication, and Computing (Allerton), 2017

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

The overall goal of this project is to transition to practice the quantitative org-level security posture/risk assessment and data breach prediction framework our research team has built over the past few years. The ability to do so has far-reaching social and economic impact: data has become an ever more important asset in any business, and the recent data breaches highlight the increasing social and economic impact of such cyber incidents. Finding practical ways of using our quantitative framework has enormous implications on policy design, not only security policies, but also various incentive mechanisms aimed at encouraging the adoption of better security policies and cybersecurity frameworks such as cyber insurance.

Within this context, specific research tasks performed under this project include: (1) translating incident probabilities into loss and cost estimates; (2) constructing exemplar insurance policies that utilize our breach prediction and quantitative risk assessment methodology; and (3) exploring other practical use cases of our risk assessment methodology.

The main outcomes of this project have had significant impact on security and incentive policy design. Our work on risk quantification and cyber insurance is gradually beginning to reach the risk management industry. It is starting to bring about a paradigm shift by introducing new ways of designing cyber insurance policies, and new ways of thinking about network security and risk quantification at a much higher level and in a more holistic manner. In particular, our risk assessment technology is now in active use in vendor management, insurance underwriting, as well as by institutional investors.

The project team has extensive experience in data collection, measurement, and analysis, as well as contract theory, game theory, mathematical modeling, and mechanism design.  Our research identified novel use and applications of these disciplines, as well as new techniques that need to be developed under these disciplines to further our goals.  Our cross-disciplinary research in integrating Internet data analysis and incentive design can lead to significant advances in network theory and practice. 

 


Last Modified: 08/30/2021
Modified by: Mingyan Liu
