Acknowledgement - My research on cyber risk and resilience management at MIT has been generously funded over the years by Liberty Mutual, KPMG, Asvin, Gallagher Re, IPA Japan, and Cisco, amounting to over USD 900,000 in grants, with me leading multiple industry-collaborative research projects.
Research Statement (Concise Version)
In an increasingly service-interconnected enterprise world with time-dynamic business processes, a pervasive reliance on technology (including IT/IoT, ICS, AI, and quantum) to deliver business value propositions has significantly amplified enterprise cyber risk. The inevitability of human behavioral limitations, imperfections in security-boosting technology, and adversarial evolution guarantees that publicly and privately owned businesses (including those supported by critical infrastructures) will regularly face (major) cyber threats over time.
The Need for a Principled Focus on Sustainable Cyber Risk and Resilience Management
In the age of "not if but when" for enterprise cyber-attacks, governing effective cyber resilience management is essential to continuously deliver business value. Managing resilience via planning, absorbing, adjusting, and recovering peak process performance after enterprises are adversely impacted by cyber incidents is key.
This necessitates developing an economically sustainable, risk-driven cyber resilience management governance framework to
- Align strategies that improve enterprise cyber defense and resilience with business needs and emerging technology (AI and quantum),
- Increase managerial cyber risk foresight capabilities to prioritize and optimize cyber risk mitigation investment in dynamic enterprise processes for ensuring sustainable business performance, and
- Hedge inevitable residual (aggregate) cyber risk via cyber insurance and securitization products.
The Desired Outcome - Altogether, this will ensure that enterprises perennially remain 'steered' in the direction of cyber resilient behavior in the face of continuously evolving cyber threats while maintaining sustainable strategic business performance amid organizational dynamics. This in turn will result in board-accepted cyber resilience management principles sustaining the resilience of organizations and their ecosystems.
Enter A Next Generation Approach to Cyber Resilience Management
My research is focused on developing an economically sustainable approach for governing cyber resilience management for enterprises. It is built upon the decision, data, and computer sciences and is being validated using data gathered from Fortune 1000 companies. The essential high-level components for a strategic management approach are:
- A box of cyber-risk-driven enterprise cyber resilience metrics from the individual perspectives of CXOs, investors, and engineers, alongside the managerial value propositions these metrics bring forth.
- A new principled and data-generative management framework to strengthen managerial cyber risk foresight capabilities and decide upon appropriate board-approved investment amounts that optimize enterprise cyber resilience.
- A suite of strategic and cost-effective cyber defense capabilities that anticipate adversary moves while improving critical infrastructure system defense.
- A new decision toolbox encouraging enterprises to work with cyber (re)insurance and securitization firms, resulting in multi-party cyber risk transfer markets that optimize cyber resilience across enterprise groups.
- A strategic data sharing solution and taxonomy for enterprises to privately aggregate required resilience boosting information (e.g., controls effectiveness, technology, threat intelligence, incidents impact).
Research Problems at MIT (Sloan/CAMS)
As a research scientist, my current research on cyber risk and resilience management at MIT Sloan revolves broadly around solving societal and corporate research challenges pertaining to the topics of
- Scaling cyber insurance markets using financial securitization solutions such as catastrophe (CAT) bonds.
- Quantifying, managing, and strategizing risk-driven cyber resilience in (critical) enterprise infrastructures.
- Enterprise cybersecurity management in work-from-home (WFH) environments.
- AI-driven synthetic data generation for low-data cyber risk management environments.
- Cyber risk quantification and management in industrial control systems.
- Cyber risk management for AI and software supply chain networked environments.
- Cyber risk management for quantum technology driven digital businesses.
- Strategic cyber defense in critical infrastructure networks.
Interested Students at MIT (Sloan/EECS)
Please set up a meeting with me to discuss more. My research problems in cyber risk and resilience management are often corporate case-study driven, and the research methods are usually theoretical (model-driven) and at times experimental. However, I strive to make sure that the research results OFTEN have a SOUND and SUCCINCT corporate and societal message. My theoretical method/tool space spans algorithmics (algorithms, randomized algorithms, approximation algorithms), economics (microeconomics, behavioral economics), decision and data science (statistics, game theory, mechanism design, optimization, system dynamics, AI, machine learning), and applied probability (stochastic processes, queueing theory).