Demonstration and Evaluation of Defensive Cyber Operations Decision-Making Model

Abstract

As technology has evolved, the world has become more dependent on digital services. Businesses are digitalizing their core processes to better match their clients’ needs and critical infrastructure providers are seeking performance improvements from digitalization. When assets are digital, cybercriminals and nation-states are increasing their offensive activities in the cyber domain. As a result of this, cyberattacks are growing in complexity and speed, forcing defenders to advance in their capabilities to respond to these threats. One key element in developing defensive capabilities is to understand the underlying decision-making models providing the basis for more effective tooling, operation planning, and organizational models. The purpose of this paper is to address this need by demonstrating a Defensive Cyber Operations (DCO) decision-making model constructed based on a wargaming exercise, to assess the usability and transferability of the model to real-world cyber operations and to further develop the model based on the feedback received. The research is based on the Design Science Research methodology and focuses on the demonstration and evaluation phases of the selected methodology. The constructed decision-making model was presented to an expert panel, consisting of 17 experienced professionals of 7 nationalities. They were selected based on their known experience of cyber operations or by the recommendation of previously interviewed panel members. The panel contributed to the model with their evaluation and ideas for improvement. Based on the findings of the expert panel, the model was further developed to include a clear notion of escalation for activities requiring a higher mandate, stronger collaboration and reporting with upstream managers and external stakeholders. In addition, several minor improvements were made to improve the usability of the model. The improved DCO decision model presented in this paper is endorsed by the expert panel as applicable and transferable to real-life DCOs, thus laying the groundwork for future research into automation and artificial intelligence augmentation of faster and more accurate DCO decision-making.