Research

Research Statement (Concise Version)

In an increasingly service-interconnected enterprise world with time-dynamic business processes, a pervasive reliance on technology (including IT/IoT, ICS, and AI) to deliver business value propositions has significantly amplified enterprise cyber-risk. The inevitability of human behavioral limitations, imperfections in security-boosting technology, and adversarial evolution guarantees that publicly and privately owned businesses (including those supported by critical infrastructures) will regularly face (major) cyber threats over time.

The Need for a Principled Focus on Sustainable Cyber Resilience Management

In the age of “not if but when” enterprise cyber-attacks, governing effective cyber-resilience management is essential to continuously deliver business value. Managing resilience by planning for, absorbing, adjusting to, and recovering peak process performance after enterprises are adversely impacted by cyber-incidents is key.

This necessitates developing an economically sustainable cyber-resilience management governance framework to

  1. Align strategies that improve enterprise cyber resilience with business needs,
  2. Increase managerial cyber-risk foresight capabilities to prioritize and optimize cyber-risk mitigation investment in dynamic enterprise processes, ensuring sustainable business performance, and
  3. Hedge inevitable residual (aggregate) cyber-risk via cyber insurance and securitization products.

The Desired Outcome – Taken together, this will ensure that enterprises perennially remain ‘steered’ in the direction of cyber-resilient behaviour in the face of continuously evolving cyber-threats while maintaining sustainable strategic business performance amid organisational dynamics. This in turn will result in board-accepted cyber-resilience management principles that sustain the resilience of organizations and their eco-systems.

Enter a Next-Generation Approach to Cyber-Resilience Management

My research is focused on developing an economically sustainable approach for governing cyber-resilience management for enterprises. It is built upon the decision, data, and computer sciences and is being validated using data gathered from Fortune 1000 companies. The essential high-level components of this strategic management approach are:

  • A box of cyber-risk-driven enterprise cyber-resilience metrics from the individual perspectives of CXOs, investors, and engineers, alongside the managerial value propositions these metrics bring forth.
  • A new principled management framework to strengthen managerial cyber-risk foresight capabilities and to decide upon appropriate board-approved investment amounts that optimize enterprise cyber-resilience.
  • A new decision toolbox that encourages enterprises to work with cyber (re-)insurance and securitization firms, resulting in multi-party cyber-risk transfer markets that optimize cyber-resilience across enterprise groups.
  • A strategic data-sharing solution and taxonomy for enterprises to privately aggregate the resilience-boosting information they require (e.g., controls effectiveness, technology, threat intelligence, incident impact).

Research Problems at MIT (Sloan/CAMS)

As a research scientist, my current research on cyber-risk/resilience management at MIT Sloan revolves broadly around solving societal and corporate research challenges pertaining to the following topics:

  1. Assessing work-from-home (hybrid work mode) security
  2. Pricing cyber-catastrophe management solutions (e.g., cyber-CAT bonds)
  3. Quantifying and managing cyber-resilience in (critical) enterprise infrastructures
  4. Cyber-risk quantification in industrial control systems
  5. Cyber risk/resilience analysis and management for (open source) software supply chain environments

Interested Students at MIT (Sloan/EECS)

Please set up a meeting with me to discuss further. My research problems in cyber-risk management are often corporate case-study driven, and the research methods are usually theoretical (model-driven) and at times experimental. However, I strive to make sure that the research results OFTEN carry a SOUND and SUCCINCT corporate and societal message. My theoretical method/tool space spans algorithmics (algorithms, randomized algorithms, approximation algorithms), economics (microeconomics, behavioral economics), decision and data science (statistics, game theory, mechanism design, optimization, system dynamics, AI, machine learning), and applied probability (stochastic processes, queueing theory).