Abstract
Hackers have used Distributed Denial-of-Service (DDoS) attacks to overwhelm a firm’s cyber-resources, disrupting access for legitimate end-users. Globally, DDoS attacks cost firms between US$ 120 K and US$ 2 M per incident. Apart from the monetary loss, they also degrade service quality and damage the firm’s brand reputation. In 2018-2019, Massively Multiplayer Online Gaming (MMOG) firms accounted for 74% of all DDoS attacks. MMOG firms form a lucrative segment for hackers because of their large customer base and the massive incentive to cause disruptions and losses. Our Feedforward Neural Network-based Cyber-risk Assessment and Mitigation (FNN-CRAM) model consists of three modules: assessment, quantification, and mitigation. The cyber-risk assessment module uses an FNN that takes seven inputs: DDoS attack intensity and duration for five DDoS attack types, vulnerability data (i.e., vulnerability counts and scores), and the vulnerability trend over time. This input layer is connected to a ten-neuron hidden layer and a one-neuron output layer that estimates the probability of these attacks. We also observe that the probability of these DDoS attacks follows a Weibull distribution. Next, our cyber-risk quantification module computes the expected loss; we find that expected losses due to these DDoS attacks follow a gamma distribution. Our cyber-risk mitigation module uses a heat matrix to help the CTO (i) prioritize the cyber-risk associated with a DDoS attack and (ii) decide whether to reduce, accept, or pass the cyber-risk using technological and cyber-insurance interventions.
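The three modules described above, as an added worked example that is not the paper's code: a 7-10-1 feedforward network trained on constructed data to emit an attack probability, the expected-loss calculation, and a heat-matrix lookup that maps likelihood and impact bands to reduce/accept/pass. The activations, the training procedure, the band thresholds, the heat-matrix layout and all sample data are assumptions; the Weibull and gamma distribution fits are not reproduced here.

```python
import numpy as np

N_IN, N_HIDDEN, N_OUT = 7, 10, 1          # layer sizes given in the abstract

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def forward(params, X):
    """Assessment module: 7 inputs -> 10 hidden -> 1 output = P(DDoS attack).
    Sigmoid activations are an assumption (the abstract names none)."""
    W1, b1, W2, b2 = params
    H = sigmoid(X @ W1 + b1)
    return sigmoid(H @ W2 + b2).ravel(), H

def train(X, y, epochs=3000, lr=1.0, seed=0):
    """Batch gradient descent on cross-entropy, a simple stand-in for the
    paper's training algorithm, which the abstract does not describe."""
    rng = np.random.default_rng(seed)
    W1 = rng.normal(0, 0.5, (N_IN, N_HIDDEN)); b1 = np.zeros(N_HIDDEN)
    W2 = rng.normal(0, 0.5, (N_HIDDEN, N_OUT)); b2 = np.zeros(N_OUT)
    for _ in range(epochs):
        p, H = forward((W1, b1, W2, b2), X)
        d_out = (p - y)[:, None] / len(y)        # dL/dz2 for sigmoid + cross-entropy
        d_hid = (d_out @ W2.T) * H * (1 - H)     # backprop through the hidden layer
        W2 -= lr * (H.T @ d_out); b2 -= lr * d_out.sum(0)
        W1 -= lr * (X.T @ d_hid); b1 -= lr * d_hid.sum(0)
    return W1, b1, W2, b2

def constructed_dataset(n=300, seed=1):
    """Constructed sample data (not the paper's): seven columns in [0, 1] standing in
    for attack intensity/duration and vulnerability count, score and trend."""
    rng = np.random.default_rng(seed)
    X = rng.uniform(0, 1, (n, N_IN))
    y = (X[:, 0] + X[:, 1] > 1.0).astype(float)   # label 'attack' when first two sum > 1
    return X, y

def train_accuracy():
    X, y = constructed_dataset()
    p, _ = forward(train(X, y), X)
    return float(np.mean((p > 0.5) == (y == 1)))

def expected_loss(prob, loss_if_hit):
    """Quantification module: expected loss = P(attack) x loss given an attack."""
    return prob * loss_if_hit

# Mitigation module: rows = likelihood band, columns = impact band (low/med/high).
# The cell layout is an assumption; "pass" = transfer the risk via cyber-insurance.
HEAT = [["accept", "accept", "pass"],
        ["accept", "pass",   "reduce"],
        ["pass",   "reduce", "reduce"]]

def heat_matrix_action(prob, loss_if_hit, p_cut=(0.3, 0.7),
                       loss_cut=(120_000, 2_000_000)):
    """Band the probability and the loss, then read the action off HEAT. Thresholds
    are assumptions; the loss cuts reuse the US$120K-US$2M range from the abstract."""
    like = sum(prob > c for c in p_cut)            # 0 low, 1 medium, 2 high
    impact = sum(loss_if_hit > c for c in loss_cut)
    return HEAT[like][impact]
```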
Cite this article
Sharma, K., Mukhopadhyay, A. Cyber-risk Management Framework for Online Gaming Firms: an Artificial Neural Network Approach. Inf Syst Front 25, 1757–1778 (2023). https://doi.org/10.1007/s10796-021-10232-7