Robust Optimal Maintenance Policies and Charts for Cyber Vulnerability Management

Cyber-attacks are considered the greatest domestic security threat in the United States and among the greatest international security threats. Hypothetically, every personal computer connected to the internet and many other types of devices could be attacked. Many organizations scan all their computers monthly and system administrators attempt to reduce or eliminate vulnerabilities, while juggling other demands on their time.

In the first part of this dissertation, we present data from three organizations about both vulnerabilities and remedial actions. We also synthesize sixty-seven articles relating to industrial engineering and operations research (IEOR) and cyber vulnerabilities. We conclude that persistent and critical vulnerabilities result in a large fraction of successful attacks. We then describe the activities and decisions faced by the system administrators and staff members who may be relied on for manual activities that address persistent and critical vulnerabilities. The resulting findings establish an important decision-support role for IEOR contributions to mitigating cyber threat. Also, by analyzing the 67 articles in the Science Citation Index on IEOR topics and cyber vulnerabilities, we are able to identify potential gaps in the existing literature.

The second part of the dissertation discusses robust maintenance and monitoring techniques for managing cyber vulnerability. One challenge hindering the effective application of existing models is the scarcity of available data partly because of security concerns. We propose a method based on Markov Decision Processes (MDP) for the generation and graphical evaluation of relevant maintenance policies for cases with limited data availability. The proposed method also provides an estimate of the cost benefit of collecting additional data. Both Bayesian and non-Bayesian formulations of the transition probabilities and cost models of the MDP are considered. We apply the proposed method to a real world cyber vulnerability dataset and generate specific guidance and cost predictions. We also illustrate the relevance of the proposed method to general Markov Decision Process modeling using a numerical example involving three levels of data scarcity.

Currently, the number of known cyber vulnerabilities continues to increase exponentially. This complicates the application of control charting which might otherwise be used for monitoring and evaluating the quality level of cyber systems. We describe the challenge and propose residual demerit charts for monitoring quality levels of organizational computer networks.

A tangential issue is the comparison of Bayesian and non-Bayesian control charts. Bayesian control charts permit the user to include expert knowledge about a system. However, the fair evaluation of such systems is complicated by the potential mismatch between built-in assumptions (fitting prior), including about the direction of the shift, and method evaluation assumptions (the sampling prior). We end the second part of the dissertation by providing a comparison between the two types of charting methods and conclude that non-directional non-Bayesian methods generally remain competitive.

The final part of the dissertation summarizes all results for the layperson and information technology (IT) system administrator. The general results uncovered are described and cases are used to illustrate the practical relevance of the technical methods.