Quantifying risk for decentralized offensive cyber operations

Abstract

Computer networks and the amount of information stored within government computer networks have become ubiquitous. With the possible decentralization of authorities to conduct offensive cyber operations, leaders and their respective staffs of organizations below the national level cannot adequately assess risks and consequences of these operations due to the lack of exposure, experience, and education. Compounding this problem are the heuristics and biases used in decision making when the requisite expertise is absent. This lack of understanding of risks and potentially faulty decision making presents a gap in command and control structures. This research explores the question: How effective is a simulation framework incorporating both subject matter expertise and assessments of uncertainty at overcoming the inexperience of decision makers in assessing risk and subsequent decision making within new operations? This research effort expands multi-criteria decision-making theory by accounting and incorporating both the expertise and uncertainty of the experts into the framework. This proposed framework was tested at national-level cyber organizations and CCMD exercises. The results were then compared to see if the framework could mitigate inexperience. The results are that organizations unfamiliar with cyber operations are able to assess risks at a proficiency level equivalent to an experienced organization.