Towards better management of organizational cybersecurity






Cybersecurity poses a serious risk to organizations. To manage and improve organizational cybersecurity, one needs a technical comprehension of security threats along with an economic understanding of the strategies employed by cyber attackers and defenders. In this dissertation, we take both empirical and theoretical approaches to deepen our understanding of cybersecurity strategies in three related chapters. First, we conduct an empirical analysis of publicly observed security incidents and develop an organizational security rating system. The rating is composed of botnet, spam, and phishing data from four data sources. By conducting a large-scale field experiment using the rating system, we find a causal relationship between security awareness and protection level. Second, we develop a game-theoretical model that characterizes a real-time dynamic interaction between an unidentified attacker and a defender at the Internet Service Provider (ISP) level. Specifically, we propose a Bayesian Nash game in a network security setting. In this game, a deceptive attacker tries to maximize its profit, and the defender tries to detect the attacker's identity. Our equilibrium suggests that strategic defense by the ISP is necessary for the viability of an Internet-based society. Third, we develop a data-driven prediction model for security event detection. We construct a large composite dataset of externally observable organizational security posture and historical cyber incidents. In addition, we use LDA topic modeling on disclosed annual risk reports from organizations (Form 10-K Item 1A) to extract topic features. By leveraging these data, our model effectively predicts future security incidents.

