Measuring and Mitigating the Risk of Advanced Cyberattackers

Abstract

Sophisticated cyberattackers (commonly known as advanced persistent threats (APTs)) pose enormous risks to organizations such as financial institutions, industrial and commercial firms, government institutions, and power grids. This study presents a method and an index to measure the vulnerability of organizations to APT risk and shows why a one-size-fits-all solution to mitigate APT risk does not exist. Our vulnerability index is based on a model that describes the optimal behavior of a cyberattacker (APT) with research and development capabilities aspiring to attack a network that manages the organization and a network operator that deploys blocking and detection measures to protect its organization from the attack. We demonstrate how our vulnerability index, which accounts for the network’s structure and the APTs’ resources and strategy, can be used in realistic risk assessments and optimal resource allocation procedures and serve as a benchmark for organizations’ preparedness against APTs’ cyberattacks. We also propose that regulatory agencies of financial (and other) institutions provide the parameters that define an APT’s profile and request, as part of their periodic assessments of the organizations that they regulate, that our (or similar) vulnerability index will be reported to them by the regulated institutions. Finally, the viability of our index in modeling modern cybersecurity defense procedures shows that not only there is no silver bullet defense against all types of APTs, it is also imperative to account for APTs’ heterogeneity because detection and blocking measures can be complements, substitutes, or even degrade each other. For example, when the attacker’s (defender’s) budget is extremely large (small), the defender should deploy only detection measures, strongly advocating Zero Trust practices. Supplemental Material: The online appendix is available at https://doi.org/10.1287/deca.2023.0072 .