Student's Research Improves Cyber Risk Modeling

June 29, 2010

He doesn't have a crystal ball, but Shinichi Mori, an INI Master of Science in Information Technology-Information Security (MSIT-IS) student from Japan, may predict the future – of cyber attacks, at least. Supervised by Professor Nicolas Christin, INI associate director and faculty member, Mori is designing a better way to assess cyber risks, which companies could use to more accurately estimate the probability and cost of cyber attacks.

Building on current methods, which primarily measure historical data, Mori's proposed model predicts risk based on a history of software vulnerabilities. This approach acknowledges changes in technology and the sophistication of modern cyber attacks, which have become increasingly hard to detect.

Mori explains that software vulnerabilities are common points of attack. By understanding a system's past susceptibility to cyber threats, we can calculate the expected impact of attacks through new or undiscovered vulnerabilities.

Companies depend on cyber risk modeling to budget information security costs and to determine necessary countermeasures for particular types of attacks. Without countermeasures, if a company's server is compromised, and customer information is leaked, the company could experience serious consequences. For example, if an unauthorized person accesses customers' credit card information, the company may need to halt business to solve the issue, leading to lower profits for the company, more business for competitors or lawsuits filed by customers against the company. This domino effect of problems is just one reason why cyber risk assessment, and successful information security, is so important for companies.

"It's difficult for companies to spend money on something like information security because it doesn't have quantifiable profits," Mori said. "But by estimating cyber risks accurately, we can justify a company's costs on security and countermeasures."

Mori's research will continue through the summer and possibly until December, when he graduates. After graduation, Mori hopes to build a career in information security.

"Information security is important everywhere and to everyone," Mori said. "It unites people across different nationalities, locations and languages. I hope to stay connected to the people I've met at the INI and Carnegie Mellon and use the knowledge I've gained to further the field."

Pictured above: Shinichi Mori