1

Michael SiegelJames Houghton

Advancing Cybersecurity Using System Dynamics Simulation Modeling

For System Resilience, Patching, and Software

Development

Interdisciplinary Consortium for Improving Critical Infrastructure

Cybersecurity (IC)3

3 Sept 2014

Mission: Resiliency of Organizations & Markets Effective and innovative solutions to cyber insecurity require coordinated efforts to support the resiliency of the cyber organizational “ecosystem”—the individuals, firms, and markets occupying the cyber domain, as well as the interactions among actors

Key questions: • Behavioral: What are the attitudes and perceptions of the

private sector about cyber security? • Managerial: What solutions can feasibly be manipulated by

the firm or sector itself, and what can be encouraged or directed by outside actors?

• Technological: What is effecting product security of key IT components?

Modeling framework to unpack cyber dynamics and provide organizational framework

2

Brief Overview of System DynamicsSDM used as modeling & simulation method over 50 years

• Eliminate limitations of linear logics and over-simplicity• Based on system structure, behavior patterns,

interconnections of positive & negative feedback loops

SDM has been applied to numerous domains• Software development projects• Process Improvement projects• Crisis and threat in the world oil market• Stability and instability of countries• … many many others …

SDM helps to uncover ‘hidden’ dynamics in system• Helps understand ‘unfolding’ of situations, • Helps anticipate & predict new modes• Explore range of unintended consequences

3

Mission: Dynamics of Threats and Resilience

Systems Notat Risk

Systems AtRisk

AffectedSystems

Risk Promotion

Risk Reduction

Attack Onset

Recovery

Adverse Behaviors &Management Risk Management

ThreatManagement

Real-WorldImplications

Financial,Data,

Integrity,Reputation

* Verizon Data Breach Report

67% were aided by significant errors (of the victim)

How did breaches (threats) occur? *

64% resulted from hacking

38% utilized Malware

Over 80% of the breaches had patches available for more than 1 year

How are security and threat processes (resilience) managed? *

75% of cases go undiscovered or uncontained for weeks or months

4

Systems Notat Risk

Systems AtRisk

AffectedSystems

Risk Promotion

Risk Reduction

Attack Onset

Recovery

Adverse Behaviors &Management Risk Management

ThreatManagement

Real-WorldImplications

Financial,Data,

Integrity,Reputation

Relating Actions to Outcomes

Key Question: What is controlling the rates of change and how can we be more anticipatory rather than reactive?

5

6

NotCompromised

Identified Attack Vectors

Compromised

AttackerCapabilities

Sector Performance

Firm KnowledgeAnd

Awareness

Indentifying Exploits

• Resources• Motivation• Skills• Awareness

• Visibility• Technical Capabilities• Process• Architecture • Info Sharing

Patching

Attack Vector Identification

Reverse Engineering

Firm Performance

VendorResilience and

Responsiveness

7

Architecture Resilience

NotCompromised

Identified Attack Vectors

Compromised

AttackerCapabilities

Sector Performance

Firm KnowledgeAnd

Awareness

System Compromising

Firm Performance

EstablishingFootholds

Remediating

Compromising

• Availability• Data Security• Public Awareness

DefensiveProcedures

Simulation Modeling Overview

NotCompromised

IdentifiedAttack Vectors

IndentifyingVulnerabilities

Compromised

Compromising

RecoveryReducingVulnerabilities

System Change

Change in Systems

<VulnerabilityIdentification Rate>

<CompromisingRate>

<Recovery Rate>

Total Systems

FractionVulnerable

FractionCompromised

<Action to ReduceVulnerabilities>

ApplicationSoftwareSecurityChange in Security

Initial ApplicationSecurity

Effect of Investment onApplication Security

Effect of Application SoftwareSecurity on Vulnerability

Identification

Base ApplicationSoftware Security

NormalizedSoftware Security

Function for Effect ofNormalized Software

Security

Test for Change inApplication Security

ApplicationSecurity Height

ApplicationSecurity Time

Application SecurityDuration

Software Security

Patch DelayChange in Patch

DelayBase Patch Delay

New Patch Delay

Time to UpdatePatch Delay

Patching

CompromisingRate

Test Input forCompromising Rate

Change inCompromising Rate

CompromisingRate Height

CompromisingRate Time

Compromising RateDuration

<Attack VectorGap>

ImpliedCompromising Rate

CompromisingDelays

Attacking

8

Making the Case

200

150

100

50

00 10 20 30 40 50 60 70 80 90 100

Week

200

170

140

110

800 10 20 30 40 50 60 70 80 90 100

Week

200

170

140

110

800 10 20 30 40 50 60 70 80 90 100

Week

Not Compromised Attack Vectors Infected

Technical

10

7.5

5

2.5

0

0 10 20 30 40 50 60 70 80 90 100Week

20

17

14

11

8

0 10 20 30 40 50 60 70 80 90 100Week

“Upstream Costs” “Downstream Costs”

Managers

2,000

1,500

1,000

500

0

0 10 20 30 40 50 60 70 80 90 100Week

Total Costs

Senior Management (CIO)

Blue is base case; red case is patching with configuration standards; green is current case

9

Summary of Results Solving problems “upstream” is more effective than

fixing them “downstream.”

Differentials in time delays in physical processes (such as patching) and behavioral processes (such as changing individual behavior) are key to understanding the efficacy of proposed interventions.

Nonlinearities and tipping points may exist due to inertia and path-dependence in systems.

10

BACKUP

11

Valuing Software Portfolios Using System Dynamics Models

Project value changes over time depending on maintenance• At first the value rises as

application development takes shape

• It then adjusts overtime according to the maintenance spend

A project may have a high initial expected value, but maintenance dynamics may erode that value over time

The graph shows the value of one application given different maintenance

Application Task Backlog

400

300

200

100

0

0 6 12 18 24 30 36 42 48 54 60Time (Month)

pac

kag

esApplication Task Backlog : test2Application Task Backlog : test1Application Task Backlog : test4Application Task Backlog : test3

Time

Value

0

100

We plan for the blue case when the red case may be more likely

Patching Dynamics

13

Downstream Dynamics

14