User:BlueBook4/sandbox

Cognitive Risk Framework for Cyber Security

From Wikipedia, the free encyclopedia

A Cognitive Risk Framework for Cyber Security is a framework drawn from a large body of multidisciplinary research, including behavioral economics, cognitive science, machine learning and artificial intelligence, among other fields. Cognitive risk management is a sister discipline of a parallel body of science called Cognitive Informatics Security. Cognitive informatics includes two broad areas of research and development: human-system integration, and human learning and skill development. Cognitive security is a term describing an evolving frontier in which researchers, governments, social platforms and private actors may in future be engaged in a continual arms race to influence, and to protect from influence, large groups of users online.

Although cognitive security emerges from social engineering and discussions of social deception in the computer security space, it differs in a number of important respects. First, whereas the focus in computer security is on the influence of a few individuals, cognitive security focuses on the exploitation of cognitive biases in large public groups. Second, while computer security focuses on deception as a means of compromising computer systems, cognitive security focuses on social influence as an end unto itself. Finally, cognitive security emphasizes formality and quantitative measurement, distinct from the more qualitative discussions of social engineering in computer security.

The Cognitive Risk Framework for Cyber Security additionally incorporates prospect theory and risk perception concepts to raise awareness of the risks associated with human-system integration, and to describe the way people choose between probabilistic alternatives that involve risk, where the probabilities of outcomes are known.

Contents
• Background
• Cyber Risk Paradox
• The Five Pillars of a Cognitive Risk Framework
• Intentional Controls Design
• Cognitive Informatics Security
• Cognitive Risk Governance
• Cybersecurity Intelligence & Active Defense Strategies
• Legal "Best Efforts" Considerations in Cybersecurity

Background

Cyber risk professionals face a formidable challenge in keeping pace with the asymmetric nature of today's advanced cyber threats. Spending on cyber security has skyrocketed, yet the threat continues to grow. This phenomenon is called the Cyber Risk Paradox: it describes an entrenched battle in which security professionals defend against an increasingly sophisticated adversary that, to date, has adapted faster than the defensive measures meant to prevent loss of data or unauthorized access to sensitive information.

Conventional security defenses have proven less than effective, resulting in a virtual "Maginot Line": the enterprise is increasingly fortified and hardened, yet the organization is left more vulnerable in pursuing its goal of defending against cyber threats, because the adversary goes around the fortification rather than through it ("Maginot Line", n.d.). The Cognitive Risk Framework was created to address the causes of these misperceptions in security defense and to explore how research in decision science, intelligence and security informatics, machine learning, and the role of simplicity shapes a cognitive risk framework.

The findings conclude that human-machine interaction is the greatest threat in cyberspace, yet very few, if any, security professionals are well versed in strategies to close this gap. The purpose of this article is to bring to light evolving new strategies that show promising success, and to reveal a few surprises about how simplicity is an under-appreciated strategy in cyber security.

The Cyber Risk Paradox

The digital transformation of technology has changed how we buy products and services, access information, experience entertainment and use a variety of mobile devices, freeing people to take with them wherever they go information that was once landlocked in desktop computers. Modern warfare has been affected by the same transformational changes in technology. "Soldiers on the battlefield coordinate air strikes using digital datalink and a tablet. Headquarters commanders, once reliant on radios to receive battle updates, watch digital feeds of streaming videos on common operating pictures populated by terabytes of near real time digital data. Cruise missiles and bombs receive satellite relays of digital navigation and targeting updates to destroy enemy targets day and night, in rain and snow, in foliage-covered jungles and dense urban centers. Digital data and the networks that store, process, and disseminate that data have made the U.S. military extraordinarily capable."[1]

These same transformations have made the military equally vulnerable to attack, as the capabilities are now being turned against us.[2] The FY 2014 Annual Report of the DoD's Director of Operational Test and Evaluation concluded that "the continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most DoD networks, and could be in a position to degrade important DoD missions when and if they chose to." "As the DoD strives for greater digital capabilities, it becomes exponentially more effective on the battlefield and yet more vulnerable to pre-emptive attacks – both virtual and physical – on the digital networks and technologies that enable the U.S. military's modern lethality. Further, as systems and tactics shift from digitally enhanced to digitally dependent, the United States may inadvertently place itself in a position to either take a debilitating first strike from adversaries or else strike first in order to preserve the digital capabilities necessary for modern warfare." Less sophisticated nation states now have the ability to neutralize the battlefield in ways that were not possible in traditional warfare.

The Cyber Risk Paradox has spread to public and private enterprise, and the threat is growing. Traditional cyber defense strategies have changed very little, while cyber vulnerabilities have become more complex: some nations pursue economic and financial goals through theft of intellectual property and counterintelligence, targeting more advanced economies and the public- and private-sector institutions responsible for innovation and development.

The Five Pillars of a Cognitive Risk Framework
• Intentional Controls Design
• Cognitive Informatics Security (Security Informatics)
• Cognitive Risk Governance
• Cyber Security Intelligence and Active Defense
• Legal "Best Efforts" Considerations in Cyber Space

Intentional Controls Design

Intentional controls design recognizes the importance of trust in networked information systems by systematically engineering automation into internal controls, reducing "cognitive load" so that routine compliance and risk controls are performed without human intervention. It is the process of embedding information security controls, active monitoring, audit reporting, risk management assessments, and operational policy and procedure controls into networked information systems through graphical user interface (GUI) application design and a robust data repository that enables machine learning, artificial intelligence and other current and future smart-system methods. Intentional controls design is an explicit choice by information security analysts to reduce or remove reliance on human intervention for routine compliance and risk controls by using automated controls instead.
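As an added illustration, not code from the page or from the framework's authors, the following Python script shows what an intentional control looks like in practice. The control identifiers, the settings they check and the audit-event format are hypothetical assumptions made for this example, and the sample configuration is constructed. The script evaluates each control automatically, fails closed when a setting is missing, and writes every evaluation into a hash-chained audit log so that later tampering with the evidence is detectable.

```python
"""Added example of an 'intentional control': a routine compliance check
that runs and records its own evidence without human intervention.
Control identifiers, settings and the event format are assumptions made
for this illustration; they are not taken from the framework itself."""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical control catalogue: id -> (setting name, check, requirement).
# Each check receives the configured value and returns True when satisfied.
CONTROLS = {
    "AC-01": ("mfa_required", lambda v: v is True,
              "Multi-factor authentication must be required"),
    "AC-02": ("password_min_length", lambda v: isinstance(v, int) and v >= 14,
              "Passwords must be at least 14 characters"),
    "AU-01": ("log_retention_days", lambda v: isinstance(v, int) and v >= 365,
              "Audit logs must be retained for at least one year"),
    "CM-01": ("open_admin_ports", lambda v: v == [],
              "No administrative ports may be exposed to the internet"),
}

# Constructed sample configuration: one control passes, one setting is weak,
# one is absent (and so fails closed), and one exposes an admin port.
SAMPLE_CONFIG = {
    "mfa_required": True,
    "password_min_length": 12,
    "open_admin_ports": [22],
}


def evaluate_controls(config):
    """Evaluate every control in the catalogue; a missing setting fails closed."""
    findings = []
    for control_id, (setting, check, requirement) in sorted(CONTROLS.items()):
        value = config.get(setting)
        passed = value is not None and bool(check(value))
        findings.append({"control": control_id, "setting": setting,
                         "value": value, "passed": passed,
                         "requirement": requirement})
    return findings


class AuditLog:
    """Append-only audit trail; each event commits to the previous event's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event):
        prev = self.events[-1]["hash"] if self.events else self.GENESIS
        body = {"prev": prev, **event}
        self.events.append({**body, "hash": self._digest(body)})

    def verify(self):
        """Return False if any event was altered, removed or reordered."""
        prev = self.GENESIS
        for event in self.events:
            body = {k: v for k, v in event.items() if k != "hash"}
            if event["prev"] != prev or self._digest(body) != event["hash"]:
                return False
            prev = event["hash"]
        return True


def run_control_cycle(config, log):
    """One automated cycle: evaluate the controls, record evidence, summarise."""
    timestamp = datetime.now(timezone.utc).isoformat()
    findings = evaluate_controls(config)
    for finding in findings:
        log.append({"time": timestamp, "type": "control_evaluation", **finding})
    failed = [f["control"] for f in findings if not f["passed"]]
    return {"time": timestamp, "evaluated": len(findings),
            "failed": failed, "compliant": not failed}


if __name__ == "__main__":
    audit = AuditLog()
    print(json.dumps(run_control_cycle(SAMPLE_CONFIG, audit), indent=2))
    print("audit trail intact:", audit.verify())
```

Run as-is, the cycle reports AC-02, AU-01 and CM-01 as failed and the configuration as non-compliant; the missing retention setting fails rather than being skipped, which is the behaviour an automated control needs so that an incomplete configuration cannot pass silently. The hash chain is what turns the run into audit evidence: changing any recorded finding after the fact makes verify() return False.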

Cognitive Informatics Security

The International Journal of Cognitive Informatics and Natural Intelligence defines cognitive informatics as "a transdisciplinary enquiry of computer science, information sciences, cognitive science, and intelligence science that investigates the internal information processing mechanisms and processes of the brain and natural intelligence, as well as their engineering applications in cognitive computing. Cognitive computing is an emerging paradigm of intelligent computing methodologies and systems based on cognitive informatics and perceptions mimicking the mechanisms of the brain" (Wang et al., 2011).

The terms cognitive security and cognitive informatics are both used to describe advances in computing, but they mean very different things in practice and application, so it is important to distinguish the two. Cognitive security is a scaled-down version of cognitive informatics that uses cognitive behavioral analytics, data science, and intrusion detection algorithms to detect patterns and deviations in networked information systems. Cognitive informatics involves key application disciplines from two categories: "The first category of application disciplines uses informatics and computing techniques to investigate problems of intelligence science, cognitive science, and knowledge science, such as abstract intelligence, memory, learning and reasoning. The second category of applications includes the areas that use cognitive informatics theories to investigate problems in informatics, computing, software engineering, knowledge engineering, and computational intelligence." (Wang, 2012, p.16) The distinguishing characteristics draw on developments across the different disciplines of cognitive informatics, many of which have much broader applications than cognitive security. The difference between cognitive security and cognitive informatics also explains why many are confused about how soon machine learning and AI will be available in cybersecurity. It should not be a surprise that technology vendors have already started to promote cognitive security platforms for cybersecurity. Cognitive systems are self-learning systems that use data mining, machine learning, natural language processing, and human-computer interaction.

Cognitive Risk Governance

Cognitive Risk Governance is concerned with the role of the Board of Directors and senior management in strategic planning and executive sponsorship of cybersecurity. The Board has historically delegated risk and compliance reporting to the Audit Committee, although a few forward-thinking firms have appointed a senior risk executive who reports directly and independently to the Board. The framework represents a transformational change in risk management, cybersecurity defense, and the understanding of decision making under uncertain conditions. Traditional risk management has lacked the scientific rigor that quantitative analysis and predictive science provide.

Cognitive hacks are methods used to change the behavior of system users in order to gain access to systems, or to influence beliefs using fake news stories, press releases and other means. Cognitive hacks include phishing and social engineering, but many cognitive hacks exploit users without requiring a computer at all. Boards must begin to understand that cognitive hacks are fundamentally different, requiring new strategies and better intelligence to respond effectively to asymmetric risks. Unlike qualitative risk assessments, a cognitive risk framework is multidisciplinary, providing the board with perspectives informed by technology, data science, and behavioral science, and creating insights grounded in proven methodology. These methods extend beyond narrowly defined Big Data solutions to animate offensive and defensive solutions in cybersecurity.

References

[1] Center for a New American Security, Digitally-Enabled Warfare: The Capability-Vulnerability Paradox, https://www.cnas.org/publications/reports/digitally-enabled-warfare-the-capability-vulnerability-paradox

[2] Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Resilient Military Systems and the Advanced Cyber Threat, January 2013, http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf