Search Results

  • Author: Charles Harry, Nancy Gallagher
  • Publication Date: 03-2019
  • Content Type: Working Paper
  • Institution: Center for International and Security Studies at Maryland (CISSM)
  • Abstract: Faced with rapidly growing cyber threats, organizational leaders and government officials cannot reliably secure all data and digital devices for which they are responsible. The best they can do is conduct strategic risk management. That requires a systematic way to categorize potential attacks and estimate consequences in order to set priorities, allocate resources, and mitigate losses. The 2018 U.S. National Cyber Strategy holds government officials accountable for doing cyber risk management based on the National Institute of Standards and Technology's (NIST) Cybersecurity Framework and recommendations from not-for-profit organizations such as the Center for Internet Security (CIS) and ISACA. Yet none of these policy documents and best practice guides actually provides the necessary analytical tools. As a result, public agencies, private companies, and non-profit groups that try to do risk assessment often feel overwhelmed rather than empowered to make strategic cybersecurity decisions. The Center for International and Security Studies at Maryland (CISSM) has developed an analytical framework that provides four essential building blocks needed to satisfy the principles in the NIST Standard Framework and other best practice guides:
    1. A standardized system for classifying cyber threats and events by their effects.
    2. Tools to associate organizational functions with IT topologies.
    3. Algorithms to assess the severity of disruptive and exploitative cyber events.
    4. A method to understand the integrated nature of risk across different parts of a simple organization, major divisions of a complex organization, or interconnected organizations in a complex system.
    These building blocks can be combined in different ways to answer critical questions, such as:
    • What is the range of cyber risks to different types of organizations?
    • Which threats pose the greatest risk to a specific department or organization?
    • How could an attack on one part of an IT network affect other organizational functions?
    • What is the accumulated risk across a critical infrastructure sector or geography?
    Using a comprehensive, consistent, and repeatable method to categorize and measure risk can enhance communication and decision-making among executives who make strategic decisions for organizations and their IT staff with day-to-day responsibility for cybersecurity. It can facilitate cooperation between public officials and private industry who share responsibility for different components of national critical infrastructure. It can inform media coverage and public debate about important policy questions, such as which decisions about cybersecurity should be purely private decisions, whether government should incentivize or mandate certain cybersecurity choices, and when a cyber attack warrants some type of military response.
  • Topic: Science and Technology, Military Strategy, Cybersecurity, Media
  • Political Geography: Global Focus

  • Author: Amy J. Nelson
  • Publication Date: 04-2018
  • Content Type: Working Paper
  • Institution: Center for International and Security Studies at Maryland (CISSM)
  • Abstract: For decades or longer, policy-makers have sought to use arms control to reduce the uncertainty endemic to the international security environment. Because uncertainty is pervasive in these situations, however, practitioners themselves are naturally vulnerable to its effects. This paper seeks to help policy-makers optimize arms control outcomes by providing improved theory and best practices for goal-setting and strategy selection using the judicious application of decision theoretic concepts. The paper first lays out a suitable role for decision theory in the study and analysis of arms control, arguing that “uncertainty” is a more appropriate concept for description and analysis here than is “risk.” Prior approaches that rely on “risk” have tended to drive the search for arms control best practices, but “risk” requires the use of probability estimates that are frequently not available or not a good indicator of potential outcomes. Second, the paper argues that decision-makers are vulnerable to the effects of missing information and the uncertainty it causes in the run-up to and during arms control negotiations. Consequently, they are subject to biases and resort to the use of security-specific heuristics, including worst-case scenario thinking, limited-theater-of-war thinking, and low-dimension (or non-complex) thinking when setting goals and employing strategies for negotiating arms control agreements. The paper discusses the origins of this uncertainty and the strategies that states could employ as a result of these security-specific heuristics, arguing that they can best be grouped into two types—risk reduction versus uncertainty management. Finally, the paper makes recommendations for optimizing outcomes—for getting efficient negotiations that result in robust, durable agreements, capable of managing uncertainty about security, despite the effects of missing information.
  • Topic: Arms Control and Proliferation, Diplomacy, Military Strategy
  • Political Geography: Global Focus