The security risks posed by electronics are numerous. There are typically a variety of risk-reducing countermeasures for a given system or across an enterprise. Each countermeasure is associated with both a level of risk reduction and its lifecycle costs. Given budgetary constraints, risk managers and systems engineers must determine what combinations of countermeasures cost-effectively maximize risk reduction, and what metrics best guide the investment process. In this paper, we seek to answer these questions through exploration of risk reduction metrics from the field of security economics, including the benefit/cost ratio, return on security investment (ROSI), expected benefit of information security (EBIS), and expected net benefit of information security (ENBIS). The results suggest that ratio-based metrics are not strongly correlated with risk reduction, while EBIS is equivalent to risk reduction and ENBIS is equal to risk reduction minus cost.
The modern economy, telecommunications, infrastructure and transportation systems, healthcare, and almost every aspect of our daily lives are enabled and enhanced by digital connectivity.1 This connectivity is made possible by microelectronics. Due to the critical nature of these components and their applications, assurance of the security and trust of these components, and of the global supply chain, is a national priority. A number of sources of risk can arise throughout an electronic component's life cycle. For example, electronic components in the supply chain may be counterfeit.2-4 There are seven basic counterfeit types: recycled, remarked, overproduced, out of specification/defective, cloned, forged documentation/part substitution, and tampered.5 Moreover, malicious Trojans can be inserted into microelectronics that can exfiltrate sensitive data or grant unauthorized access to a system.
There are a number of negative impacts associated with these lifecycle risks. Firms may lose revenue and may incur additional costs through the activities to identify and repair systems that may have been compromised by counterfeits. Legal liabilities, intellectual property (IP) theft, and reputational impacts must also be considered.6 Consumers may experience negative consequences as well, with potentially degraded performance of products and safety impacts. For government consumers of microelectronics, counterfeits and the lack of a trusted supplier base can impact the ability to meet national security objectives.7 Concerns over the security and trust of components in 5G telecommunications systems have prompted a reevaluation of the nation's global supply chain sourcing strategies.8
A number of trends and factors related to security and trust across a system's lifecycle are important for systems engineers to consider. One of the drivers is the extremely high capital costs associated with building and maintaining a foundry (on the order of tens of billions of dollars) which has resulted in horizontal integration and contract manufacturing.9 This has given rise to so-called “fabless” firms that focus only on the design portion of the lifecycle, and outsource the manufacturing to a foundry. These foundries are increasingly international. The U.S. share of global fabrication capacity has fallen from 37% to 12%, while Asia has grown to an 80% share.10 While ideally the foundry is trustworthy and secure, there may be cases where IP is stolen, reverse engineered, or overproduced and resold on the market for a discount, eroding the profits of the IP holder.11
End of life factors are also important for systems engineering, including the consideration of obsolescence.12 Obsolescence in general can occur for many reasons, including changes in consumer preferences and demand, sunsetting of support, or market entry of a competitor.13 For microelectronics, especially in defense platforms, the main driver of obsolescence is the fact that the end product or system tends to have very long lifetimes (on the order of several decades), and the rate of technological innovation of the electronic components outpaces the life of the product or system they enable.14 This is referred to as diminishing manufacturing sources and material shortages (DMSMS), that is, the “loss or impending loss of original manufacturers of items or suppliers of items or raw materials.”15 Since there is still demand for the electronics but lack of authentic supply, opportunities for counterfeiting emerge.
Sources of risk can occur during any of the phases of the system's lifecycle, and the task of identifying what specific countermeasures are used to reduce risk and increase security and trust is complicated by the many potential alternatives available. Methods for security and trust of hardware and the supply chain include the use of RFID tags, blockchain-based approaches, logic locking, IC camouflaging, split manufacturing, and watermarking.5 While one can take a “defense in depth” approach and implement many safeguards, the question remains as to which ones in particular accrue the most risk reduction benefits at the lowest cost across the “Systems Engineering V”.
Seeking an effective “mix” of countermeasures naturally lends itself to a portfolio modeling approach. A portfolio is simply a set of objects that are considered together.16 In particular, each security countermeasure is associated with a certain level of effectiveness in mitigating risks in exchange for an installation and/or upkeep cost. Risk management decisions must balance the benefits and costs and other concerns from upper management and organizational departments such as supply chain management, finance, and IT.
A number of risk reduction metrics can be used to prioritize security countermeasures. In this paper, we compare several such metrics, representing various ways to rank order the potential “returns” or “benefits” of investment in hardware security, and explore how they might guide the prioritization of countermeasures for risk reduction.
2.1 The economics of security
One of the fundamental questions surrounding security is how much should be spent to protect the organization. Spending too little may leave the organization vulnerable, while spending too much is a suboptimal use of resources. After all, “you don't want to secure yourself out of business.”17 Since budgets are finite, each dollar spent on security has an opportunity cost, and there are competing priorities within an organization that make justifying security investment necessary. Security investments must therefore be framed in terms of enterprise-wide objectives, including the impacts of security (or lack thereof) on productivity and profitability.18 Additionally, underinvestment in security exposes a firm to potential legal liability and accusations of negligence.19-21 Ultimately, “economics – not technology – determines what security technologies get used”.22
The need to justify security expenditures has prompted the burgeoning field of security economics, which posits that traditional economic insights, such as externalities, adverse selection, and moral hazard can be brought to bear on information security problems.23 A growing body of literature on cyber insurance has emerged,24-26 as well as innovative market-based solutions such as vulnerability-trading markets and exploit derivatives.27, 28
Notably, the vast majority of research in this area is applied to more “traditional” aspects of cyber security, such as software and network security, rather than hardware. Hardware security, however, suffers from a number of market failures, including information asymmetry, prisoner's dilemmas, misaligned incentives, and free riding.29 Research has been conducted using game theory to detect and protect against hardware Trojans.30 However, in general, the research on the economics of security investment for hardware security and trust is an undeveloped area.
The following sub-sections describe common metrics used in security economics.
2.2 Return on security investment
As discussed by the European Network and Information Security Agency (ENISA), “security is not usually an investment that provides profit but loss prevention”.37 The return from a cyber countermeasure should therefore be calculated from the amount of loss avoided, that is, how much is expected to be saved. The ROSI metric quantifies the benefit, or return, from investments in security countermeasures.37
2.3 Expected net benefit of information security
A leading model within the field of security economics is the Gordon–Loeb model.38 Rather than taking a cost minimization approach, common in risk management, in which the sum of the expected losses and the security investment are minimized (Figure 1A), the Gordon–Loeb model takes a benefit maximization approach, where the benefits are expressed in terms of risk reduction. The authors define an expected loss function as a product of the monetary loss given a security breach, the probability of the threat, and the vulnerability of the asset, which is the probability that the threat will be successful, given that it is realized. By investing resources into information security, the value of the vulnerability probability can be decreased. Assuming that as security investment increases, security increases at a diminishing rate, Gordon and Loeb define the expected benefits of investment in information security (EBIS) as the difference between the vulnerability of the asset before and after security investment, multiplied by the expected loss (i.e., the threat probability multiplied by the monetary loss). The expected net benefits from the investment in information security (ENBIS) is the EBIS less the amount of money invested. The approach of the Gordon–Loeb model is shown in Figure 1(B).
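The Gordon–Loeb quantities described above, written out in symbols (added here for reference; the notation follows the model as cited, with $L$ the monetary loss given a breach, $t$ the threat probability, $v$ the vulnerability before investment, $z$ the amount invested, and $S(z,v)$ the vulnerability remaining after investing $z$):

$$\mathrm{EBIS}(z) = \big[v - S(z,v)\big]\, t L, \qquad \mathrm{ENBIS}(z) = \big[v - S(z,v)\big]\, t L - z .$$

Because security is assumed to increase at a diminishing rate in $z$, the investment $z^{*}$ that maximizes $\mathrm{ENBIS}$ satisfies the first-order condition

$$-\frac{\partial S(z^{*},v)}{\partial z}\, t L = 1,$$

that is, spend until the marginal reduction in expected loss from one more dollar of security equals that dollar.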
Given several alternatives that exist, a risk manager or systems engineer must consider which risk reduction metric to use. Cox compared three such metrics using a set of generic risks simulated as uniform random variables.39 The first metric was risk itself, corresponding to the strategy of “address the largest risks first”. The second was risk reduction, corresponding to the strategy of “address the largest risk reductions first,” while the third was a risk reduction/cost ratio, corresponding to “address the largest risk reductions per unit cost first”.
- Risk reduction (EBIS): This figure of merit sets priorities based on the amount of risk reduced by implementing a countermeasure. It is equivalent to ALE − mALE, the annual loss expectancy before mitigation minus the mitigated annual loss expectancy.
- Risk reduction minus cost (ENBIS): This figure of merit is similar to EBIS but subtracts cost to give the net benefit. It is equivalent to ALE − mALE − cost.
- Benefit/cost ratio: This figure of merit divides the benefit, taken as the risk reduction, by the cost: (ALE − mALE)/cost.
- Return on security investment: ROSI is a return on investment (ROI) metric, calculated as (ALE − mALE − cost)/cost.
Based on the illustration described in the next section, we rank-ordered the countermeasures from highest to lowest, corresponding to the various strategies implied by each of the four alternative metrics. We selected each countermeasure in order until a budget constraint was reached. The budget constraint was varied to allow us to compare portfolios of countermeasures across different costs.
4 ILLUSTRATION: IoT-ENABLED SMART WAREHOUSING FOR VACCINE STORAGE
With the advent of the Fourth Industrial Revolution, or Industry 4.0, characterized by ubiquitous connectivity and the internet of things (IoT), traditional warehouses are being transformed into “smart” warehouses. The key characteristics of a smart warehouse are automated, unmanned, and paperless activities for pickup, delivery, and bookkeeping functions, facilitated by connected cyber physical systems (CPS).40 Warehousing is an important logistics function in many supply chains, serving as a nexus for inbound, storage, and outbound activities, such as receiving, storing, tracking, planning, picking, and shipping.41, 42
Smart warehouses are examples of socio-technical systems comprising potentially thousands of CPS devices, depending on hardware, software, and human interactions. For example, in smart warehouses, each component of inventory may be affixed with tags or devices (such as RFID tags), along with Wi-Fi access points and Bluetooth beacons, cameras, and other sensors, as well as connected devices such as tablets and laptops. Smart warehouses may also utilize robots or other automated systems to carry out various tasks, with human workers monitoring and controlling the operations.40 Other assets such as pallets, forklifts, and machines may be IoT enabled.42 Coordination and tracking of items and activities is achieved through a warehouse management system (WMS) that facilitates receiving, location management, order picking, transport, and inventory management.42, 43 5G networks enable the transmission of larger quantities of data with less interference and interruption compared to 4G and Wi-Fi.44 An IoT-enabled smart warehouse architecture includes sensors connected to microcontrollers that transmit to an IoT gateway, which in turn communicates with servers, handheld devices, and cloud services.45 With potentially thousands of sensors and IoT-enabled devices within a smart warehouse, secure and trusted hardware is a critical requirement.
One such requirement is that the warehouse environment must be maintained within certain temperature ranges while avoiding fluctuations that may cause spoilage or expiration of temperature-sensitive goods such as certain foods, pharmaceuticals, and specialty paints and coatings.45 For example, for the COVID-19 vaccine to remain effective, depending on the manufacturer, it must be stored at temperatures ranging from −20 to −70°C, colder than the winter in Antarctica.46 “Freezer farm” warehouse facilities for the COVID-19 vaccine were constructed, and freezer boxes have been designed with GPS-enabled temperature sensors for shipping.47 The necessary cooling systems and temperature monitoring infrastructure require trusted, assured, and secure electronic hardware.
4.2 Expert elicitation
First, a realistic illustrative application for the model was created in order to frame the data elicitation exercise. The illustration considered a vaccine storage facility and its associated systems. Specifically, we introduced the problem of a smart warehouse used to store the extremely temperature sensitive COVID-19 vaccine. Building upon the research surrounding the structure of vaccine “cold chains”,48, 49 and their associated costs,50, 51 the illustration was developed. A generic architecture was presented (Figure 2) for a smart warehouse used for cold vaccine storage. The following question was posed: Suppose an adversary wanted to purposefully alter the storage temperatures (e.g., by changing the tolerances on the sensors). How would you protect the system from such malicious tampering?
Two experts in hardware security and trust with backgrounds in electrical engineering were recruited for the elicitation exercise. The interview was held via video conferencing software, wherein the experts were presented with an introduction to smart warehouse systems, information regarding the COVID-19 vaccine and its associated risks/costs, and the hypothetical warehouse in question. The asset value (AV) at risk was estimated to be $2,250,000 using available market data.52, 53 This estimate accounts for a large warehouse holding approximately 150,000 doses.
The experts were asked to identify potential countermeasures, and for each mitigation, to estimate parameters such as the mitigation cost, its years of use, and the effectiveness (in terms of percentage of attacks successfully blocked). The inputs were entered into the model in real time.
It was assumed that any successful attack on the warehouse rendered the entire stock of vaccines unusable. Thus, the exposure factor (EF) was assumed to be 100%, setting the single loss expectancy (SLE) equal to the entire AV at risk. The annual rate of occurrence (ARO) was set to 10 for the purposes of the illustration. The mitigation rate (MR), or percentage of attacks blocked, was elicited from the experts as a point estimate. The cost and years of use of each security measure were assigned based on elicited data and supplemented by additional research.
Ten potential countermeasures were identified by the experts. Table 1 summarizes the elicited security countermeasures and associated economic values.
| # | Security measure | mALE = ALE(1 − MR) | Years of use | Risk reduction (EBIS) | Annual net return (ENBIS) |
|---|---|---|---|---|---|
| 1 | Firewall protection | $9,000,000 | 5 | $13,500,000 | $13,496,000 |
| 2 | Wired sensors – platinum systems (peripherals of warehouse) | $19,125,000 | 20 | $3,375,000 | $3,360,000 |
| 3 | Two part/factor authentication for firmware updates (IoT) | $11,250,000 | 7 | $11,250,000 | $11,214,285 |
| 4 | Sensor redundancy measures (independent networks) | $225,000 | 15 | $22,275,000 | $22,235,000 |
| 5 | Sensor polling processes (tests/monitors) | $17,325,000 | 2 | $5,175,000 | $5,174,500 |
| 6 | Premium (trusted) sensors (i.e., domestically manufactured) | $6,750,000 | 20 | $15,750,000 | $15,732,000 |
| 7 | Buddy system (handling protocol improvements) | $18,000,000 | 1 | $4,500,000 | $4,420,000 |
| 8 | Security protocols (improved staff hygiene) | $9,000,000 | 1 | $13,500,000 | $13,476,000 |
| 9 | Intermittent attack protection/monitoring | $16,875,000 | 5 | $5,625,000 | $5,622,281 |
| 10 | Power grid protection/monitoring | $10,800,000 | 5 | $11,700,000 | $11,698,413 |
- Abbreviations: ALE, annual loss expectancy; ARO, annual rate of occurrence; EBIS, expected benefit of information security; EF, exposure factor; ENBIS, expected net benefit of information security; MR, mitigation ratio; SLE, single loss expectancy; ROSI, return on security investment.
Table 2 describes the prioritization of countermeasures based on the various risk reduction metrics. The rankings for EBIS and ENBIS are mostly the same. The one exception is that countermeasures 1 and 8 have equal risk reduction values (i.e., EBIS), so they are tied at a rank of 3, whereas by ENBIS countermeasure 1 is ranked third and countermeasure 8 fourth. For the purposes of portfolio selection, we assigned countermeasure 8 a rank of 4 since it is more expensive than countermeasure 1. Similarly, the rankings for the benefit/cost ratio and ROSI were equal. However, comparing across the two sets (EBIS and ENBIS vs. benefit/cost ratio and ROSI), we see differences: the ratio-based rankings diverge from the non-ratio rankings. For example, countermeasure 4 ranked first in terms of EBIS and ENBIS, but only seventh in terms of B/C ratio and ROSI, while countermeasure 5 was ranked eighth in terms of EBIS and ENBIS, but first in terms of B/C ratio and ROSI. Countermeasures 5, 10, and 1 are the first, second, and fourth least expensive countermeasures. The ratio-based metrics, which calculate a risk reduction per unit cost, naturally favor small costs in the denominator of the expression. Therefore, while benefit/cost ratio and ROSI will identify countermeasures that have a large risk reduction per unit cost, a collection of such countermeasures may not deliver the largest total risk reduction, especially if the countermeasures that deliver large risk reductions happen to also be expensive.
| Countermeasure | EBIS | ENBIS | B/C ratio | ROSI | EBIS rank | ENBIS rank | B/C ratio rank | ROSI rank |
|---|---|---|---|---|---|---|---|---|

- Abbreviations: EBIS, expected benefit of information security; ENBIS, expected net benefit of information security; ROSI, return on security investment.
- ^a Countermeasures 1 and 8 are tied with respect to EBIS, and cost was used as a tie-breaker.
In terms of portfolio selection, each set of metrics yielded a different portfolio composition (see Tables 3 and 4). Using EBIS and ENBIS, no projects were recommended until a budget of $40,000, when countermeasure 4 was recommended. On the other hand, using the benefit/cost ratio and ROSI, both countermeasures 5 and 10 were recommended already at a $5,000 budget, as they are both inexpensive, and in the next increment, countermeasures 1 and 9 were recommended. Figure 3 shows the number of countermeasures recommended as the budget is increased. The ratio-based metrics generally select more countermeasures than EBIS and ENBIS. Figure 4 depicts the cost and surplus for each budget level, where surplus is defined as the portfolio budget minus the portfolio cost.
| Budget | Countermeasures selected | Cumulative cost | Surplus |
|---|---|---|---|
- Abbreviations: EBIS, expected benefit of information security; ENBIS, expected net benefit of information security.
| Budget | Countermeasures selected | Cumulative cost | Surplus |
|---|---|---|---|
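The rankings of Table 2 and the budget-constrained selections of Tables 3 and 4 can be reproduced from Table 1. The following Python script is an added example, not code from the paper: it takes ALE = AV × EF × ARO = $22,500,000 from the illustration, recovers each countermeasure's annual cost as EBIS − ENBIS because the table as extracted carries no explicit cost column (an assumption about how the table was built), and applies the greedy rule described in the text, stopping at the first countermeasure in rank order that no longer fits the budget.

```python
"""Risk reduction metrics and greedy portfolio selection for the ten countermeasures
of Table 1.  Added example, not the paper's own code.  ALE = AV * EF * ARO with
AV = $2,250,000, EF = 100% and ARO = 10, as stated in the illustration.  The
extracted Table 1 has no explicit cost column, so each countermeasure's annual
cost is recovered here as EBIS - ENBIS (an assumption about the table)."""
from dataclasses import dataclass

AV = 2_250_000          # asset value at risk (about 150,000 doses)
EF = 1.0                # exposure factor: a successful attack spoils the whole stock
ARO = 10                # annual rate of occurrence used in the illustration
SLE = AV * EF           # single loss expectancy
ALE = SLE * ARO         # annual loss expectancy with no countermeasure: $22,500,000

# Constructed from Table 1: (id, short name, mALE, years of use, ENBIS as tabulated)
TABLE_1 = [
    (1, "Firewall protection", 9_000_000, 5, 13_496_000),
    (2, "Wired sensors (platinum)", 19_125_000, 20, 3_360_000),
    (3, "2FA for firmware updates", 11_250_000, 7, 11_214_285),
    (4, "Sensor redundancy", 225_000, 15, 22_235_000),
    (5, "Sensor polling", 17_325_000, 2, 5_174_500),
    (6, "Premium (trusted) sensors", 6_750_000, 20, 15_732_000),
    (7, "Buddy system", 18_000_000, 1, 4_420_000),
    (8, "Staff security protocols", 9_000_000, 1, 13_476_000),
    (9, "Intermittent attack monitoring", 16_875_000, 5, 5_622_281),
    (10, "Power grid monitoring", 10_800_000, 5, 11_698_413),
]


@dataclass(frozen=True)
class Countermeasure:
    cid: int
    name: str
    male: float          # mitigated ALE = ALE * (1 - MR)
    years: int
    annual_cost: float   # cost per year; the budget constraint is applied to it

    @property
    def mr(self) -> float:          # mitigation ratio, share of attacks blocked
        return 1 - self.male / ALE

    @property
    def ebis(self) -> float:        # risk reduction: ALE - mALE
        return ALE - self.male

    @property
    def enbis(self) -> float:       # risk reduction minus cost
        return self.ebis - self.annual_cost

    @property
    def bc_ratio(self) -> float:    # (ALE - mALE) / cost
        return self.ebis / self.annual_cost

    @property
    def rosi(self) -> float:        # (ALE - mALE - cost) / cost
        return self.enbis / self.annual_cost


def load_table() -> list[Countermeasure]:
    """Build the countermeasures, recovering annual cost as EBIS - ENBIS."""
    return [Countermeasure(cid, name, male, years, (ALE - male) - enbis)
            for cid, name, male, years, enbis in TABLE_1]


def rank(cms, metric: str) -> list[int]:
    """Countermeasure ids from best to worst on `metric`; ties are broken by the
    lower annual cost, the tie-break the paper applies to countermeasures 1 and 8."""
    ordered = sorted(cms, key=lambda c: (-getattr(c, metric), c.annual_cost))
    return [c.cid for c in ordered]


def select_portfolio(cms, metric: str, budget: float):
    """Walk the ranking and add countermeasures until the next one no longer fits,
    which is how the text describes its budget-constrained selection."""
    by_id = {c.cid: c for c in cms}
    chosen, spent = [], 0.0
    for cid in rank(cms, metric):
        cost = by_id[cid].annual_cost
        if spent + cost > budget:
            break
        chosen.append(cid)
        spent += cost
    return chosen, spent, budget - spent     # selection, cumulative cost, surplus


if __name__ == "__main__":
    cms = load_table()
    print(f"{'id':>2} {'MR':>5} {'cost/yr':>9} {'EBIS':>12} {'ENBIS':>12} {'B/C':>8} {'ROSI':>8}")
    for c in cms:
        print(f"{c.cid:>2} {c.mr:>5.2f} {c.annual_cost:>9,.0f} {c.ebis:>12,.0f} "
              f"{c.enbis:>12,.0f} {c.bc_ratio:>8.1f} {c.rosi:>8.1f}")
    for metric in ("ebis", "enbis", "bc_ratio", "rosi"):
        print(f"{metric:>8} ranking: {rank(cms, metric)}")
    for budget in (5_000, 10_000, 40_000, 100_000):
        for metric in ("ebis", "bc_ratio"):
            chosen, spent, surplus = select_portfolio(cms, metric, budget)
            print(f"budget ${budget:>7,} {metric:>8}: {chosen} "
                  f"cost ${spent:,.0f} surplus ${surplus:,.0f}")
```

Running it shows countermeasure 4 at the top of the EBIS and ENBIS rankings but seventh by B/C ratio and ROSI, and the ratio-based greedy rule filling a $5,000 budget with countermeasures 5 and 10 while the EBIS rule selects nothing below $40,000.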
The results suggest a limitation of using ratio-based metrics for prioritization of security countermeasures: the propensity of the benefit/cost ratio and ROSI to favor inexpensive countermeasures that may not be strongly correlated with risk reduction. One must think carefully about which risk reduction metrics guide the prioritization of countermeasures. A portfolio optimization approach, such as an integer programming method that maximizes risk reduction and uses cost as a constraint, may be a better approach than ratio-based metrics for countermeasure selection.54
Additional general limitations are as follows. First, a systems engineer will need to have access to security experts who can identify particular countermeasures. When identifying countermeasures, one can use an aid such as the Cyber Defense Matrix (CDM).55 The CDM is an organizational construct for teams to identify their security needs as they head into the security vendor marketplace. The CDM identifies five operational functions (identify, protect, detect, respond, recover) and five asset classes (devices, applications, networks, data, users) to create a 5 × 5 grid. Therefore, each cell represents a category for a particular mitigation to perform an operational function relative to an asset class (e.g., a way to identify threats to devices).
Furthermore, the maturity of security economic calculations is still in the early stages. More research is needed to better parameterize the elements that go into the estimates of these risk reduction metrics. For example, estimating probability distributions that model the frequency of cyber-attacks is a difficult and ongoing area of research.56, 57 One approach is to utilize the triangular distribution,58 which has the convenient property that it is simple to elicit – generally an expert is asked to provide a maximum, minimum, and most-likely value for some variable of interest.59
Empirical data are typically not available for certain parameters such as ARO and MR, and therefore experts must be consulted to estimate them. As the field of security economics evolves, methods to estimate and forecast such uncertain values should be investigated. The use of expert elicitation of uncertain parameters is well known to potentially introduce error based on a variety of human factors and cognitive biases, and best practices have been proposed about the calibration of experts and the weighting of their responses.60, 61 While such elicitation approaches have been applied to information security,62 parameterizing cybersecurity risk models remains difficult, in part due to the unique and evolving nature of cyber threats.63 Theories and methodologies to better understand the dynamic and quickly changing nature of cyber threats are needed, as well as tools to capture the current state of the cyber environment. While we can never be entirely sure of their costs, savings, frequency of incidents, etc., in the future (i.e., post investment), it has been argued that “something is better than nothing”.64
In this paper, we examined a number of risk reduction metrics for prioritizing hardware security countermeasures. We found that the benefit/cost ratio and ROSI are not strongly correlated with risk reduction. Ranking projects by EBIS and ENBIS closely mirrors the benefits of risk reduction, as EBIS is equivalent to risk reduction, and ENBIS is risk reduction less cost. As ratio-based metrics, the benefit/cost ratio and ROSI tend to favor inexpensive investments, leading to potentially misleading rankings of countermeasures.
The illustration has explored the above approach with a prioritization of hardware security countermeasures for integrated hardware and software (IoT) systems. While the illustration was based on a fictional system, which serves to concretize the methodology, future work will involve in-depth validation on real systems.
In terms of managerial implications, there will always be a need to justify security investment within an organization. Ways to justify security spending include recognizing that security is an urgent problem, promoting an “action state of mind,” showing that investments will be effective in terms of performance, and showing that the investments will be cost effective.65 By framing security returns as avoided risks, one can recommend data-informed, economically sound investments in security countermeasures for the enterprise.
This effort was supported by the National Science Foundation under Grant 1916760 “Phase I IUCRC University of Virginia: Center for Hardware and Embedded Systems Security and Trust (CHEST),” and the Commonwealth Center for Advanced Logistics Systems (CCALS).
SIGNIFICANCE AND PRACTITIONER POINTS
For a given system, there may be a number of threats, and a large pool of potential security countermeasures. Systems engineers must be able to answer the question: “for a given budget, what countermeasures should I prioritize alone and in combination?” Based on insights from the emerging field of security economics, this paper explores several metrics that could be helpful to prioritize selection of countermeasures for risk reduction.
CONFLICT OF INTEREST STATEMENT
The authors declare no conflicts of interest.
Zachary A. Collier is Assistant Professor in the Department of Management at Radford University. He earned his PhD in Systems Engineering from University of Virginia (Charlottesville, VA), a Master of Engineering Management from Duke University (Durham, NC), and a Bachelor of Science in Mechanical Engineering from Florida State University (Tallahassee, FL). He is President of Collier Research Systems, a consultancy providing decision making and analytics services for clients across multiple industries. His prior work experience includes the U.S. Army Engineer Research and Development Center, where he was a member of the Risk and Decision Science Team and served as PI and Co-PI on a number of interdisciplinary research projects. Dr. Collier is a member of the Society for Risk Analysis, where he has served as President of the Decision Analysis and Risk Specialty Group and President of the Resilience Analysis Specialty Group. He currently serves as Co-Chair of the NDIA Electronics Division's Trust and Assurance Committee and is a member of the INFORMS Advocacy Governance Committee. Dr. Collier is a Fellow of the Center for Risk Management of Engineering Systems at University of Virginia, a Visiting Scholar at the Center for Hardware and Embedded Systems Security and Trust (CHEST), and contributes as a subject matter expert to the development of industry standards through SAE International. He is Managing Editor of the Springer journal "Environment Systems & Decisions", and is a member of the Editorial Board of "Risk Analysis".
Brett Briglia is a senior analyst with PGIM and is currently working in commercial real estate finance. He focuses on multifamily assets and has worked alongside his team to finance over $2 billion in volume. He has a background in real estate development and enjoys the application of economic and financial principles to the field. He is a 2020 graduate of the University of Virginia with degrees in Economics and Spanish.
Tom Finkelston is a Technology Consultant at Ernst & Young, and is currently based out of their New York City office. He functions predominantly within Banking, Capital Markets, and ESG, and has developed an affinity for Data Analytics and Technology Strategy focused projects. While at the University of Virginia, Tom received his bachelor's degrees in Systems Engineering and Economics. He continues to enjoy the marriage of these two fields, and the application of analytics to financial services and environmental sustainability.
Mark Manasco is president and executive director for the Commonwealth Center for Advanced Logistics Systems (CCALS), a collaboration between industry and Virginia universities that works to improve logistics operations in the key areas of data analysis, cost control, quality assurance, security, and demand forecasting. Formerly director of workforce development for the Greater Richmond Chamber of Commerce and of the University of Richmond's Center for Systems Assurance, Manasco brings more than two decades of public policy, higher education, information technology, and human resource management experience to the leadership post at CCALS. He earned a BA in Economics from University of Richmond, and a MA in Economics from Virginia Commonwealth University.
Professor Slutzky is currently a Research Associate Professor in the Science, Technology and Society Program of the Department of Engineering and Society at the University of Virginia. David Slutzky has spent the last 35 years as an entrepreneur and as a public policy expert. He founded ERC, which became the largest provider of Environmental Site Assessments in the US. Slutzky co-founded the nation's first environmental data company, ERIIS. David Slutzky later co-founded Skeo Solutions, a Virginia based environmental policy consulting firm, which employs 65 professionals and where he currently serves as Board Chairman. In 2011, Slutzky founded Fermata Energy, a tech start-up that is using Vehicle-to-Grid technologies to accelerate the adoption of electric vehicles while providing the energy storage needed to enable the transition of our electric power grid from coal and nuclear to renewables. Professor Slutzky is widely recognized as a thought leader in the V2G industry. Mr. Slutzky served as a Senior Policy Advisor at the U.S. EPA, and later at the White House, where he coordinated the International Task Force of the President's Council on Sustainable Development. Mr. Slutzky was elected to serve on the Albemarle County Virginia Board of Supervisors from 2005 to 2009, and was chosen to Chair the Charlottesville-Albemarle Metropolitan Planning Organization. Slutzky earned his BA and pursued graduate studies in Political Science at the University of Chicago, and received his law degree from the Program on Energy and the Environment at Chicago-Kent College of Law.
James H. Lambert is a Professor of Engineering Systems and Environment (Program in Systems Engineering, Program in Civil Engineering), Director of the Center for Risk Management of Engineering Systems, and Member of the Technical Advisory Council of the Commonwealth Center for Advanced Logistics Systems, each at the University of Virginia. He is a Site Director of the NSF funded Center for Hardware and Embedded Systems Security and Trust (CHEST). Professor Lambert's research interests are engineering systems and risk analysis. He is a Fellow of the AAAS (F.AAAS), Fellow of the IEEE (F.IEEE), Fellow of the ASCE (F.ASCE), Fellow of the SRA (F.SRA), Diplomate (D.WRE) of the American Academy of Water Resources Engineers, member of the American Association for the Advancement of Science, member of the International Council on Systems Engineering, and licensed Professional Engineer (P.E.). He is a Past President (2015–2016) of the Society for Risk Analysis (SRA). He is Editor-in-Chief of the Springer journal Environment Systems & Decisions. He is an Area Editor of the Wiley journal Risk Analysis. He is an Associate Editor of the ASCE/ASME Journal of Risk & Uncertainty in Engineering Systems. He represents the University of Virginia to the Council of Engineering Systems Universities (CESUN). He received a PhD and MS in Civil Engineering at the University of Virginia, and a BSE in Mechanical Engineering with a Certificate in Engineering Physics at Princeton University.
DATA AVAILABILITY STATEMENT
No new data were produced in this paper.
- 1. Trust and security of electric vehicle-to-grid systems and hardware supply chains. Reliab Eng Syst Saf. 2022; 225: 108565.
- 2. Traceability and risk analysis strategies for addressing counterfeit electronics in supply chains for complex systems. Risk Anal. 2016; 36(10): 1834–1843.
- 3. A semi-quantitative risk assessment standard for counterfeit electronics detection. SAE Int J Aerosp. 2014; 7(1): 171–181.
- 4. Screening for counterfeit electronic parts. J Mater Sci. 2011; 22(10): 1511–1522.
- 5. A comprehensive framework for counterfeit defect coverage analysis and detection assessment. J Electron Test. 2014; 30(1): 25–40.
- 6. Bogus: electronic manufacturing and consumers confront a rising tide of counterfeit electronics. IEEE Spectrum. 2006; 43(5): 37–46.
- 7. Department of Defense: A Departmentwide Framework to Identify and Report Gaps in the Defense Supplier Base Is Needed; 2008.
- 8. The worst possible day: U.S. telecommunications and Huawei. PRISM. 2020; 8(3): 15–35.
- 9. Improving electronics manufacturing supply chain agility through outsourcing. Int J Phys Distrib Logist Manage. 2002; 32(7): 610–620.
- 10. Government incentives and US competitiveness in semiconductor manufacturing. Boston Consulting Group and Semiconductor Industry Association; 2020.
- 11. Decision model with quantification of buyer-supplier trust in advanced technology enterprises. Benchmarking: Int J. 2022; 29(10): 3033–3056.
- 12. Managing obsolescence of embedded hardware and software in secure and trusted systems. Front Eng Manage. 2020; 7(2): 172–181.
- 13. Managing inventory with the prospect of obsolescence. Oper Res. 1996; 44(1): 215–222.
- 14. Obsolescence driven design refresh planning for sustainment-dominated systems. Eng Econ. 2006; 51(2): 115–139.
- 15. Design for obsolescence risk management. Proc CIRP. 2013; 11: 15–22.
- 16. Managing a portfolio of risks. In: JJ Cochran, LA Cox, P Keskinocak, JP Kharoufeh, JC Smith, eds. Wiley Encyclopedia of Operations Research and Management Science; 2011.
- 17. An Overview of Economic Approaches to Information Security Management. Technical Report TR-CTIT-06-30. University of Twente; 2006.
- 18. Return on security investment (ROSI) – a practical quantitative model. J Res Pract Inform Technol. 2006; 38(1): 45–56.
- 19. How much is enough? A risk management approach to computer security. Consortium for Research on Information Security and Policy (CRISP); 2000.
- 20. The Carroll Towing Company case and the teaching of tort law. St. Louis Law J. 2001; 45: 731–758.
- 21. Extending Learned Hand's negligence formula to information security breaches. ISJLP. 2007; 3(2): 237–271.
- 22. Beyond Fear: Think Sensibly About Security in an Uncertain World. Copernicus Books; 2003.
- 23. The economics of information security. Science. 2006; 314: 610–613.
- 24. Should your firm invest in cyber risk insurance? Bus Horizons. 2012; 55: 349–356.
- 25. What do we know about cyber risk and cyber risk insurance? J Risk Fin. 2016; 17(5): 474–491.
- 26. Content analysis of cyber insurance policies: how do carriers price cyber risk? J Cybersec. 2019; 5(1): tyz002.
- 27. A market for trading software issues. J Cybersec. 2019; 5(1): tyz011.
- 28. A comparison of market approaches to software vulnerability disclosure. Proc ETRICS; 2006.
- 29. WaC: a new doctrine for hardware security. Proc 4th ACM Workshop Attacks Solutions Hardw Sec; 2020.
- 30. A practical application of game theory to optimize selection of hardware trojan detection strategies. J Hardw Syst Sec. 2020; 4(2): 98–119.
- 31. Resilience return on investment – an impossible argument? Homeland Sec Rev. 2013; 7(1): 49–64.
- 32. National Bureau of Standards. Guideline for Automatic Data Processing Risk Analysis. FIPS PUB 65. Washington, DC: U.S. Government Printing Office; 1979.
- 33. The days before zero day: investment models for secure software engineering. Proc 15th Workshop Econ Inform Sec; 2016.
- 34. Software security investment: the right amount of a good thing. Proc 2016 IEEE Cybersec Dev; 2016.
- 35. Return on security investment for cloud platforms. Proc 2013 IEEE Int Conf Cloud Comput Technol Sci; 2013.
- 36. Measuring the returns on IT security investments. Intel Corporation; 2007.
- 37. European Network and Information Security Agency (ENISA). Introduction to Return on Security Investment; 2012. Accessed November 30, 2020. https://www.enisa.europa.eu/publications/introduction-to-return-on-security-investment
- 38. The economics of information security investment. ACM Trans Inform Syst Sec. 2002; 5(4): 438–457.
- 39. Evaluating and improving risk formulas for allocating limited budgets to expensive risk-reduction opportunities. Risk Anal. 2012; 32(7): 1244–1252.
- 40. CPS-based smart warehouse for industry 4.0: a survey of the underlying technologies. Computers. 2018; 7(13): 1–17.
- 41. Design of a reference architecture for developing smart warehouses in industry 4.0. Comput Indust. 2021; 124: 103343.
- 42. A REST-based industrial web of things framework for smart warehousing. J Supercomput. 2018; 74: 4419–4433.
- 43. Smart warehouse management system concept with implementation. Proc 14th Symp Neural Netw Appl (NEUREL), Belgrade, Serbia; November 20–21, 2018.
- 44. 5G networks in the value chain. Wirel Pers Commun. 2020; 117(2): 1577–1599.
- 45. A review of enabling technologies and solutions for IoT based smart warehouse monitoring system. In: I Karabegović, ed. New Technologies, Development and Application III. NT 2020. Lecture Notes in Networks and Systems, Vol 128. Springer; 2020.
- 46. Why does Pfizer's COVID-19 vaccine need to be kept colder than Antarctica? NPR; 2020. Accessed January 4, 2021. https://www.npr.org/sections/health-shots/2020/11/17/935563377/why-does-pfizers-covid-19-vaccine-need-to-be-kept-colder-than-antarctica
- 47. How to ship a vaccine at -80°C, and other obstacles in the covid fight. New York Times; 2020. Accessed January 4, 2021. https://www.nytimes.com/2020/09/18/business/coronavirus-covid-vaccine-cold-frozen-logistics.html
- 48. Is freezing in the vaccine cold chain an ongoing issue? A literature review. Vaccine. 2017; 35(17): 2127–2133.
- 49. Costs of vaccine programs across 94 low- and middle-income countries. Vaccine. 2015; 33(Suppl 1): A99–A108.
- 50. The COVID-19 vaccine race: challenges and opportunities in vaccine formulation. AAPS PharmSciTech. 2020; 21: 225.
- 51. Costs of vaccine programs across 94 low- and middle-income countries. Vaccine. 2015; 33(Suppl 1): A99–A108.
- 52. Covid-19: what do we know about the late stage vaccine candidates? BMJ. 2020; 371: m4576.
- 53. Improving cold chain systems: challenges and solutions. Vaccine. 2017; 35(17): 2217–2223.
- 54. Linear programming to meet management targets and restrictions. In: AA Dijkhuizen, RS Morris, eds. Animal Health Economics: Principles and Applications. University of Sydney; 2001.
- 55. OWASP Cyber Defense Matrix. The OWASP® Foundation; 2020. Accessed December 1, 2020. https://owasp.org/www-project-cyber-defense-matrix/
- 56. A Bayesian generalized Poisson model for cyber risk analysis. In: M Corazza, M Gilli, C Perna, C Pizzi, M Sibillo, eds. Mathematical and Statistical Methods for Actuarial Sciences and Finance. Springer; 2021.
- 57. Statistical models for the number of successful cyber intrusions. J Defense Model Sim. 2018; 15(1): 49–63.
- 58. Triangular approximations for continuous random variables in risk analysis. J Oper Res Soc. 2002; 53: 457–467.
- 59. Subjective Probability Distribution Elicitation in Cost Risk Analysis: A Review. RAND Corporation; 2007.
- 60. TU Delft expert judgement data base. Reliab Eng Syst Saf. 2008; 93: 657–674.
- 61. Measures of discrimination skill in probabilistic judgement. Psychol Bull. 1991; 110(3): 611–617.
- 62. Quantifying information security risks using expert judgment elicitation. Comput Oper Res. 2012; 39: 774–784.
- 63. Risk-based standards: integrating top-down and bottom-up approaches. Environ Syst Decis. 2014; 34(1): 134–137.
- 64. ROSI return on security investment – is it possible to calculate it? 27001 Academy; 2011. Accessed December 1, 2020. https://advisera.com/27001academy/blog/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/
- 65. How do you "sell" security? Intel Corporation; 2012. Accessed April 22, 2021. https://itpeernetwork.intel.com/how-do-you-sell-security