CREATE FY2016 Statement of Work Rosoff, Defending against Cyber Attacks: New Models for Deterrence This project proposes a new method to model deterrent strategies that applies to cyber communications infrastructures. We suggest using value focused thinking and multi-attribute utility modeling to develop adversarial and defender decision models. The adversarial decision models evaluate adversaries’ cyber attack preference, as well as the effect of deterrence strategies on the adversaries’ attack preference. The defender decision model will evaluate the defender’s preference among deterrent strategies. Building models and conducting analyses that take into account the values of the adversaries and the defender provide a stronger foundation for future planning and decision making. 1. 2. 3. 4. 5. 6. Theme Area: Risk and Decision Analysis AND Risk Management/Operations Research Principal Investigators: Heather Rosoff Institution: University of Southern California Co-Investigators: Richard John and Detlof von Winterfeldt Transition Lead: Heather Rosoff Keywords: value-focused thinking, multi-attribute utility modeling 7. Brief Description: In a society that continues to increasingly rely on cyber infrastructures in our everyday lives and in particular in our defense systems, protecting these systems is critical for national security. These critical systems, however, have different challenges than national defense systems studied during the development of traditional deterrence models for Cold War adversaries. In this proposed research, we will expand upon this current stream of research and develop a new method to model deterrent strategies that applies to cyber communications infrastructures. We propose using value focused thinking (VFT) (Keeney, 1992) and multi-attribute utility (MAU) modeling to develop adversarial and defender decision models (Rosoff & John, 2009; Keeney & von Winterfeldt, 2010; John & Rosoff, 2011). The VFT approach will help to ensure a comprehensive and complete set of objectives (developed as objectives hierarchies) and hence generate a wider range of possible cyber-based attack methods for the adversaries, and a diversified set of deterrent strategies for the defender. From the objectives hierarchies, MAU models will be constructed for different adversary groups and for different defenders allowing for an assessment of the stakeholders’ uncertainties, risk attitudes, and trade-offs among conflicting objectives. For the adversary groups, the MAU models will be used to evaluate alternative cyber-based attack methods, and for the defenders, the MAU models will be used to evaluate alternative deterrence strategies. 8. Objectives: The objective of this research is to expand upon deterrence models that examine sequences of adversary and defender decisions and develop new methods to model deterrent strategies that apply to cyber infrastructures. We believe that for the nation to take effective steps in deterring cyber attacks, a new model of deterrence is needed that can assess behavioral decision making within the United States. Since deterrence strategies evolve over time (given advancements in technology and the global reach of these technologies), models of deterrence and the associated proposed deterrence strategies must also evolve. Analysis focusing on the values and preferences of adversaries and defenders will provide a more decision relevant evaluation of the benefits and consequences of alternative deterrent strategies. For instance, the MAU objectives identify a large range of activities that may be expected from an attacker, based on its strategic and fundamental objectives. They are relevant in that they Rosoff, Defending Against Cyber Attacks: New Models for Deterrance contribute to the identification of security needs in terms of status-quo deterrence strategies and alternative mitigation policies. Overall, the application of the proposed methodology will provide the DOD with a working approach for better evaluating deterrent strategies. 9. Transition Strategy: We will conduct a workshop in Washington D.C. with potential model users, decision makers and policy makers (as identified by the research team, main center, and per the recommendation of DHS and other federal agencies). This workshop will focus on the methodology used, findings, and model generalizability. 10. Interfaces to CREATE Projects: This work will maintain a close interface with CREATE’s Risk Management/ Operations Research efforts. The findings from our work can serve as inputs into RM/OR projects looking at tools for assessing deterrent effects; hence, evaluating the effectiveness of the deterrent strategies identified in our work. 11. Previous or current work relevant to the proposed project: This effort builds on research by Rosoff and John (2009) on estimating the relative likelihood of an adversary (terrorist leader) selecting a particular attack strategy, conditional on various countermeasures selected by the (US) defender using a value-focused decision framework and a random utility modeling approach. In addition, Rosoff and John have developed an expertise in the area of cyber security through their recent award of an NSF grant from the Security and Trustworthy Cyberspace (SaTC) division, as well as through conducting several cyber-related risk perception experiments under CREATE funding. 12. Major Products and Customers: Project deliverables will be: (a) objectives hierarchies developed for different adversaries and defenders, (b) MAU models constructed to evaluate alternative cyber attack methods and the effects of deterrent strategies on attack alternative selection, (c) MAU models constructed to evaluate alternative deterrent strategies for the defender, and (d) academic journal articles reporting on our advancements. In this work, we will coordinate closely with the National Protection and Programs Directorate (NPPD, Susan Stevens) in the Department of Homeland Security. We also believe a viable customer for this work is the Department of Defense (DOD) given that one of the department’s four primary objectives is to prevent and deter conflict and they have expressed an interest in this white paper. 13. Technical Approach: TASK 1.VALUE-FOCUSED THINKING (Objectives Hierarchies Structuring). In this task, we will extend the adversarial objectives hierarchy structuring approach to include multi-attribute representations of adversary leaders’ key objectives associated with cyber attack methods. We will consider the values and beliefs of a leader of an international-based attack (by an organized group), a home-grown attack (by an organized group), and a US-based lone wolf/hacker. For each cyber attacker, the development of objectives hierarchies and attack alternatives will involve two primary components: (1) publicly available writings, web sites, transcripts of terrorists and their spiritual leaders and (2) interviews with subject-matter experts with whom non-sensitive discussions and information can be exchanged. There is a large body of writings by terrorists and their spiritual 2 Rosoff, Defending Against Cyber Attacks: New Models for Deterrance leaders that can be used as source materials for developing adversary objectives. The statements within these sources have likely been reviewed and refined to best describe the adversary’s core beliefs and reasons for action. In addition, the leaders and theologians of adversary groups are often educated at a much higher level than the rank and file members of the organization and one can assume that their statements have been given a significant amount of thought. A similar process was carried out by Keeney and von Winterfeldt (2010) to establish the objectives for Al Qaeda. Interviews also will be conducted with subject matter experts (SMEs) from DOD who have studied the topic of terrorism and are familiar with the perspective and motivations of the adversary groups under consideration. The interviews with DOD SMEs are important for conducting a comprehensive evaluation/assessment of the values and beliefs of the adversaries. In addition, the selected SMEs will participate in elicitation sessions with the research team for assessment of the multi-attribute utility model parameters. Figure 1 is a sample objective’s hierarchy for an attacker hacking group. The primary objectives of the hacking group fall into three categories: (1) maintaining organizational strength, (2) managing benefits/gains from an attack, and (3) ensuring the attacker has an impact upon the perception of cyber security safety. Further investigation into the primary objectives resulted in a compilation of attributes, or sub-objectives, that are used to evaluate and measure the aforementioned primary objectives. For example, one objective of the group is to have fun by causing mayhem. This is a means to the larger objective of managing the group’s benefits/gains from an attack. This is also a means to contributing to the fear of a cyber-based data breach, as the perception of cyber chaos implies that the threat of hacking is in fact a reality. Figure 1. Sample Attacker Objectives Hierarchy Ultimately, the content of the hierarchies will also be used as the structure for the MAU models. Task 2. MULTI-ATTRIBUTE ADVERSARIAL MODELS. In this task we will develop MAU models from the adversarial groups’ objectives hierarchies. Functional forms, weights, and single-attribute utility functions will be elicited from SMEs to reflect adversary preferences as closely as possible. The integration of the VFT and MAU models will provide a quantified metric for evaluating the impact of deterrence strategies on adversary groups’ decision making. In addition, the MAU model development process will include the following steps (as illustrated in Figure 2): 3 Rosoff, Defending Against Cyber Attacks: New Models for Deterrance Values Attack Alternatives Attack Mode Attack Target Objectives hierarchy Trade-offs (weights) Uncertain Future Events P1 P2 Scales for each attribute P3 .. . Utility functions (risk attitude) Execution Consequences Figure 2. MAU model development process 1. Defining attributes and scales for the objectives hierarchy. We will define scales during elicitation sessions for each objective in the objectives hierarchy. 2. Eliciting single-attribute utility functions. We will elicit single-attribute utility functions over each attribute scale to represent marginal value preferences, as well as risk attitude (either risk aversion or risk proneness). 3. Eliciting scaling parameters (weights). We will elicit scaling parameters. These weights are the most value laden portion of the model, as they capture the trade-offs among conflicting objectives (and attributes). 4. Constructing MAU model scores for different attack methods. For each attack method alternative, MAU model metrics will be calculated for the different deterrence architectures. Note that the attribute scales, single-attribute utility functions, and scaling parameters (weights) remain constant across competing defense policies. The MAU model will produce a quantified attack preference. Task 3. A STUDY OF DETERRENCE IN MULTI-ATTRIBUTE ADVERSARIAL DECISIONS. In this task, we will evaluate the cyber-based attack method alternatives generated in Task 1 using the multi-attribute adversarial models developed in Task 2. We will begin by identifying specific deterrence strategies in response to the identified attacker objectives and alternatives. We will then evaluate the effect of deterrence strategies developed in this task on the cyber attack method chosen by the adversary. This also will allow us to compare different attack method preferences for each adversary across the different deterrence strategies. Note that prior to deterrence strategy analysis, discussions breaking down the potential deterrent strategies will be conducted with defender SMEs. The overall intent is to develop an optimal set of deterrent strategies during conversations with SMEs about defender values, beliefs and motivations. As such, Tasks 3 and 4 will be conducted simultaneously to meet the desired objectives of each task. Task 4. VFT AND MAU MODEL DEVELOPMENT FOR THE DEFENDER. The research team will expand the adversarial decision model approach to include multiple objectives and preferences for the defender. For model development, discussions will be held with stakeholders about deterrent strategies 4 Rosoff, Defending Against Cyber Attacks: New Models for Deterrance within the cybersphere and cyber security values, beliefs and motivations. Figure 3 is a sample objectives hierarchy for a defender. Compared to the attack who is deciding which attack strategy to pursue, the defender is likely exploring different alternatives for layered safety and security. As seen in Figure 3, the hypothetical defender is primarily concerned with maintaining the safety and security of their cyber system. In addition, the defender wants to maximize the effectiveness and quality of the security architecture, while also maintaining sensitivity to the cost of this effort. They are also interested in being sensitive to user needs and preferences by maximizing the customer’s trust in the security system, while also making sure the security protocol is not overly intrusive so as to deter customer usage. Defender Safety and Security Maximize trust/credibility among users Minimize cost Minimize intrusiveness to user Optimize effectiveness/quality of security Figure 3. Sample Defender Objectives Hierarchy 14. Major Milestones and Dates (from award date): Number Task Task 1 Interviewing experts and stakeholders (adversary and defenders) Task 2 Develop VFT and MAU model for the adversary Task 3 Study deterrence effect on adversarial models Task 4 Develop VFT and MAU models for the defender Months 2-4 4-10 8-10 7-10 Task 5 Complete adversary and defender models 10-12 Task 6 Deliver final reports and deliverables, presentation of recent findings at conferences & publish results in academic journals Total Duration of Project: 12 months 10-12 5 Rosoff, Defending Against Cyber Attacks: New Models for Deterrance 15. References John, R. and Rosoff, H. (April 2011). Modeling Effects of Counterterrorism Initiatives for Reducing Adversary Threats to Transportation Systems, Journal of Homeland Security, Retrieved from http://www.homelandsecurity.org/journal/Default.aspx?t=355&AspxAutoDetectCookieSupport=1 Keeney, R.L. (1992). Value-focused thinking: A path to create decisionmaking. Princeton, N.J.: Princeton University Press. Keeney, R. L. (2007). Modeling values for anti-terrorism analysis. Risk Analysis, 27(3), 585-596. Keeney, R. L., & von Winterfeldt, D. (2011). A value model for evaluating homeland security decisions. Risk Analysis, 31(9), 1470–1487. Rosoff, H. B. and John, R.S. (2009). Decision analysis by proxy for the rational terrorist. In Proceedings of the 21st International Joint Conference on Artificial Intelligence (IJCAI-09), Workshop on Quantitative Risk Analysis for Security Applications (QRASA), Pasadena, California, July 11-17. Dr. Richard John (CREATE) Richard John is associate professor of psychology at the University of Southern California, and a theme leader for risk perception and communication at CREATE. His research focuses on normative and descriptive models of human judgment and decision making and methodological issues in application of decision and probabilistic risk analysis (PRA). Richard has consulted on a number of large projects involving expert elicitation, including analysis of nuclear power plant risks (NUREG 1150) and analysis of cost and schedule risk for tritium supply alternatives. Richard has over 50 refereed publications, including top journals published by The Institute for Operations Research and Management Science (Management Science, Information Systems Research, Interfaces), The Society for Risk Analysis (Risk Analysis), and the American Psychological Association (Journal of Clinical and Consulting Psychology, Journal of Abnormal Psychology, and Journal of Family Psychology), and well as other top journals related to judgment and decision making, e.g., Organizational Behavior and Human Decision Processes and Law and Human Behavior. Richard received his PhD. in quantitative psychology from the University of Southern California, M.S. in applied mathematics from the University of Southern California, and B.S. in applied mathematics from the Georgia Institute of Technology. Dr. Heather Rosoff (CREATE) Heather Rosoff is Research Assistant Professor at the University of Southern California’s Sol Price School of Public Policy. Her research focuses on using risk and decision analytic techniques to study the uncertainties surrounding terrorism. More specifically, her risk perception work assesses the public's perceived risk of disaster events (terror and non-terror) and the influence this has on behavioral decision-making. She has developed several experiments to evaluate the perceived risk relationships across disaster characteristics and to predict public behavioral responses to an event, both immediately and in the long term. Her other research at CREATE has been on studying the terrorist threat from the adversary perspective and integrating terrorist challenges and vulnerabilities into policy making. In one project, she and her advisor, Detlof von Winterfeldt, analyzed possible radiological dispersion device attacks on the ports of Los Angeles and Long Beach. In a second project, she assessed how values motivate terrorist leader preferences for alternative attack modes. For the former project, she used a combination of probabilistic risk analysis tools and for the latter refined her knowledge of multi-attribute utility modeling and value-focused thinking. Dr. Detlof von Winterfeldt (CREATE) Detlof von Winterfeldt is a Professor in the Daniel J. Epstein Department of Industrial and Systems Engineering of the Viterbi School of Engineering and a Professor of Public Policy and Management at 6 Rosoff, Defending Against Cyber Attacks: New Models for Deterrance the Price School of Public Policy at the University of Southern California. From 2009 to 2012 he was on a leave of absence from USC as the Director of the International Institute for Applied Systems Analysis (IIASA) in Laxenburg, Austria. Concurrently with his term at IIASA, he was a Centennial Professor of Management Science at the London School of Economics and Political Science. Throughout his academic career he has been active in teaching, research, university administration, and consulting. He has taught courses in statistics, decision analysis, risk analysis, systems analysis, research design, and behavioral decision research. His research interests are in the foundation and practice of decision and risk analysis as applied to the areas of technology development, environmental risks, natural hazards and terrorism. His 1986 book, co-authored with Ward Edwards, “Decision Analysis and Behavioral Research” is widely considered to be a major scholarly contribution to prescriptive behavioral analysis of decision making. He is an elected Fellow of the Institute for Operations Research and the Management Sciences (INFORMS) and of the Society for Risk Analysis. In 2000 he received the Ramsey Medal for distinguished contributions to decision analysis from the Decision Analysis Society of INFORMS. In 2009 he received the Gold Medal from the International Society for Multicriteria Decision Making for advancing the field. In 2011 The Council of IIASA elected him as Honorary IIASA Scholar and in 2012 he received the distinguished achievement award by the Society for Risk Analysis. 7