Defensibility in Risk Analysis

Defensibility - A New Concept In Risk Analysis Vicki M. Bier, Sasha Gutfraind, Ziyang Lu University of Wisconsin-Madison, Uptake Technologies

Introduction Numerous terms have been defined to characterize systems: Resilience (the ability of a system to return to normal rapidly) Robustness (ability to function despite damage) Redundancy (spare capacity) Security (measures to limit access) Vulnerability: Open to exploitation or susceptible to a given hazard Conditional probability of success for a given threat scenario But: can a system be defended?

Is this system defensible? 3

Defensibility ? ?,? =? ?,? ?(?,0) ?0 Where: ?0= value of the system to the defender before any disruption ? ?,? = residual value of the system to the defender when attacker has strength ? and defender has strength ?

Defensibility and asset valuations Highly defensible (concave) Moderately defensible Not highly defensible (convex) ?0

Defensibility of properties to optimal attack Metro Area Expected 100% Property Losses (src: Rand, $M) 413 115 57 36 80% New York Chicago San Francisco Washington, DC- MD-VA-WV Los Angeles- Long Beach Philadelphia, PA- 60% 34 40% 21 18 11 7 7 # of targets defended, b NJ Boston, MA-NH Houston Newark Seattle- Bellevue-Everett 20% 0% 0 1 2 3 4 5 6 7 8 9 10 Skewness = 2.8 Average defensibility (b=1 10) = 53%

Effect of skew on defensibility Residual value when a =1 100% Property losses: Skewness 2.8 Defensibility 53% 80% 60% 40% Air departures: Skewness 2.36 Defensibility 11% 20% 0% 0 1 2 3 4 5 6 7 8 9 10 # of targets defended, b Property Loss Air Departures

Random vs. optimal attack Residual value when a=1 (property loss) 100% Average defensibility: 80% Random attack 9% Optimal attack 53% 60% 40% 20% In this case, more defensible against optimal attack 0% 0 1 2 3 4 5 6 7 8 9 10 # of targets defended, b Optimal Attack Random Attack

Summary The existing concepts of vulnerability and resilience are useful, but incomplete Defensibility can help to compare systems and guide defensive investments Impact: find and protect systems that are high V and high D

Some analytical results 1. Defensibility is monotonically increasing in both a and b, regardless of whether the attacker is deterministic or random 2. Defensibility is higher against optimal than random attackers when the number of assets is sufficiently large, where large depends on attack effort a, and how quickly asset values decline

Effect of attacker strength 100% Defensibility more sensitive to defense effort b than to attack effort a when ? ? 80% 60% 40% 20% # of targets defended, b 0% 0 1 2 3 4 5 6 7 8 9 10 a=1 a=2 a=4 a=10

Hypothetical negatively skewed data Residual value when a=1 (negative skew) 100% Skewness of targets = -1.4 80% 60% Average defensibility (b=1 10) = 2.5% 40% 20% 0% 0 1 2 3 4 5 6 7 8 9 10 # of targets defended, b

Random vs. optimal attack (negative skew) Residual value when a=1 (negative skew) 100% Defensibility greater for random attack! 80% 60% Random attack 5.9% Optimal attack 2.5% 40% 20% 0% 0 1 2 3 4 5 6 7 8 9 10 # of targets defended, b Optimal Attack Random Attack

Effect of attacker strength (random attack) Residual value for a=1,...10 (property loss) Defensibility more sensitive to attack strength for random attack 100% 80% 60% 40% 20% 0% 0 1 2 3 4 5 6 7 8 9 10 # of targets defended, b a=1 a=2 a=3 a=4 a=5 a=6 a=7 a=8 a=9 a=10

Differing attacker and defender valuations Residual value Air departure data, but attacks based on population 100% 80% 60% Average defensibility for a = 1 is only 4% (vs. 11% when attacks are based on air departures) 40% 20% 0% 0 1 2 3 4 5 6 7 8 9 10 # of targets defended, b a=1 a=2 a=3 a=4 a=5 a=6 a=7 a=8 a=9 a=10