Policy and Management Research
• Incentives for organizations to disclose cyberattacks and vulnerabilities
• Confidentiality of data from organizations
• Legal liability of ISPs in DDoS attacks
• Better management of software patches (Slammer worm case)
George Duncan, Heinz School, Carnegie Mellon 1

Internet Security Decision Making: “Mythical Numbers”
• FBI’s Uniform Crime Reports does not separately report e-crime
• Accounting statements fail to show e-losses—reputation damage, excess liability, diminished productivity
• National Crime Victimization Survey does not ask about cyber-loss

Some Methodological Needs
• Statistical quality control with game theory
• Data analysis and visualization relevant to network monitoring and anomaly detection
• Modeling heterogeneity of Internet traffic
• Combine visualization, graph theory algorithms and statistical analysis
• Bayesian methods for massive data streams
• Analysis of multivariate spatial data
• Data confidentiality and data quality

Examples of Data Needs
• Data on the occurrence of cyber-attacks, from e-risk management firms: how common are they, how successful, and what practices of attack and defense work?
• What is the relationship between actuarial probabilities and perceived probabilities? Survey decision makers.
• Economic impact of security incidents? Not just “out-of-pocket” losses.

Responses at Carnegie Mellon
• Master of Science in Information Security Policy and Management (www.heinz.cmu.edu/msispm)
• Digital Government Initiative in Confidentiality
• Software Industry Center, Sustainable Computing Consortium, Institute for the Study of Information Technology and Society (www.heinz.cmu.edu/researchers/centers.html)
• Center for Computer and Communications Security (http://www.ece.cmu.edu/c3s/)
• RAND/Carnegie Mellon Collaboration