{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T06:37:02Z","timestamp":1772001422199,"version":"3.50.1"},"reference-count":48,"publisher":"Institute for Operations Research and the Management Sciences (INFORMS)","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Decision Analysis"],"published-print":{"date-parts":[[2024,12]]},"abstract":"<jats:p> Sophisticated cyberattackers (commonly known as advanced persistent threats (APTs)) pose enormous risks to organizations such as financial institutions, industrial and commercial firms, government institutions, and power grids. This study presents a method and an index to measure the vulnerability of organizations to APT risk and shows why a one-size-fits-all solution to mitigate APT risk does not exist. Our vulnerability index is based on a model that describes the optimal behavior of a cyberattacker (APT) with research and development capabilities aspiring to attack a network that manages the organization and a network operator that deploys blocking and detection measures to protect its organization from the attack. We demonstrate how our vulnerability index, which accounts for the network\u2019s structure and the APTs\u2019 resources and strategy, can be used in realistic risk assessments and optimal resource allocation procedures and serve as a benchmark for organizations\u2019 preparedness against APTs\u2019 cyberattacks. We also propose that regulatory agencies of financial (and other) institutions provide the parameters that define an APT\u2019s profile and request, as part of their periodic assessments of the organizations that they regulate, that our (or similar) vulnerability index will be reported to them by the regulated institutions. Finally, the viability of our index in modeling modern cybersecurity defense procedures shows that not only there is no silver bullet defense against all types of APTs, it is also imperative to account for APTs\u2019 heterogeneity because detection and blocking measures can be complements, substitutes, or even degrade each other. For example, when the attacker\u2019s (defender\u2019s) budget is extremely large (small), the defender should deploy only detection measures, strongly advocating Zero Trust practices. <\/jats:p><jats:p> Supplemental Material: The online appendix is available at https:\/\/doi.org\/10.1287\/deca.2023.0072 . <\/jats:p>","DOI":"10.1287\/deca.2023.0072","type":"journal-article","created":{"date-parts":[[2024,9,9]],"date-time":"2024-09-09T13:55:35Z","timestamp":1725890135000},"page":"215-234","source":"Crossref","is-referenced-by-count":2,"title":["Measuring and Mitigating the Risk of Advanced Cyberattackers"],"prefix":"10.1287","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5956-6952","authenticated-orcid":false,"given":"Amitai","family":"Gilad","sequence":"first","affiliation":[{"name":"Coller School of Management, Tel Aviv University, Tel Aviv 6997801, Israel"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Asher","family":"Tishler","sequence":"additional","affiliation":[{"name":"Coller School of Management, Tel Aviv University, Tel Aviv 6997801, Israel"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"109","reference":[{"key":"B1","doi-asserted-by":"publisher","DOI":"10.1287\/educ.2014.0131"},{"key":"B4","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-31"},{"key":"B5","doi-asserted-by":"publisher","DOI":"10.1287\/deca.2018.0370"},{"key":"B7","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39498-0_1"},{"key":"B8","doi-asserted-by":"publisher","DOI":"10.1287\/opre.1080.0643"},{"key":"B9","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1080.0180"},{"key":"B11","doi-asserted-by":"publisher","DOI":"10.1287\/deca.2020.0418"},{"key":"B79","doi-asserted-by":"crossref","unstructured":"Crosignani M, Macchiavelli M, Silva AF (2023) Pirates without borders: The propagation of cyberattacks through firms\u2019 supply chains. J. Financial Econom. 147(2):432\u2013448.","DOI":"10.1016\/j.jfineco.2022.12.002"},{"key":"B12","volume-title":"Cybersecurity Capability Maturity Model (C2M2), Version 2.1","author":"Department of Energy","year":"2022"},{"key":"B14","doi-asserted-by":"publisher","DOI":"10.1177\/0272989X8800800208"},{"key":"B16","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2016.02.012"},{"key":"B17","volume-title":"Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation","author":"FireEye","year":"2019"},{"key":"B19","doi-asserted-by":"publisher","DOI":"10.4153\/CJM-1956-045-5"},{"key":"B20","doi-asserted-by":"publisher","DOI":"10.1111\/risa.12891"},{"key":"B24","doi-asserted-by":"crossref","unstructured":"Gilad A, Tishler A (2023) Mitigating the risk of advanced cyberattacks: The role of quality, covertness and intensity of use of cyberweapons. Defence Peace Econom. 34(6):726\u2013746.","DOI":"10.1080\/10242694.2022.2161739"},{"key":"B25","doi-asserted-by":"publisher","DOI":"10.1080\/10242694.2020.1778966"},{"key":"B26","doi-asserted-by":"publisher","DOI":"10.1145\/581271.581274"},{"key":"B27","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyaa005"},{"key":"B28","doi-asserted-by":"publisher","DOI":"10.1287\/deca.2017.0346"},{"key":"B34","doi-asserted-by":"publisher","DOI":"10.1257\/pandp.20191058"},{"key":"B80","doi-asserted-by":"crossref","unstructured":"Kodialam M, Lakshman TV (2003) Detecting network intrusions via sampling: A game theoretic approach. Proc. 22nd Annual Joint Conf. IEEE Comput. Comm. Soc., vol. 3 (IEEE, Piscataway, NJ), 1880\u20131889.","DOI":"10.1109\/INFCOM.2003.1209210"},{"key":"B37","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2014.07.001"},{"key":"B38","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-49116-3_38"},{"key":"B39","doi-asserted-by":"publisher","DOI":"10.1111\/risa.12325"},{"key":"B40","doi-asserted-by":"publisher","DOI":"10.1111\/risa.13713"},{"key":"B41","doi-asserted-by":"publisher","DOI":"10.1080\/09537325.2020.1841158"},{"key":"B42","doi-asserted-by":"publisher","DOI":"10.1080\/09636412.2013.816122"},{"key":"B44","doi-asserted-by":"publisher","DOI":"10.1016\/j.obhdp.2012.06.006"},{"key":"B46","doi-asserted-by":"publisher","DOI":"10.1080\/23738871.2020.1778761"},{"issue":"1","key":"B47","volume":"10","author":"Monnot B","year":"2022","journal-title":"ACM Trans. Econom. Comput."},{"key":"B48","doi-asserted-by":"publisher","DOI":"10.1287\/opre.38.5.911"},{"key":"B50","doi-asserted-by":"publisher","DOI":"10.1177\/1548512917699724"},{"key":"B51","doi-asserted-by":"publisher","DOI":"10.1016\/j.cor.2016.05.005"},{"key":"B52","volume-title":"NIST SP 800-53, Rev. 5: Security and Privacy Controls for Information Systems and Organizations","author":"National Institute of Standards and Technology","year":"2020"},{"key":"B53","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.CSWP.29.ipd"},{"key":"B55","doi-asserted-by":"publisher","DOI":"10.1287\/deca.2018.0387"},{"key":"B56","doi-asserted-by":"publisher","DOI":"10.1111\/risa.12844"},{"key":"B57","doi-asserted-by":"publisher","DOI":"10.1111\/risa.12768"},{"key":"B59","doi-asserted-by":"publisher","DOI":"10.1016\/j.omega.2011.03.008"},{"key":"B63","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2013.01.001"},{"key":"B64","doi-asserted-by":"publisher","DOI":"10.2307\/1884807"},{"key":"B65","doi-asserted-by":"publisher","DOI":"10.1080\/10242690600797273"},{"key":"B69","doi-asserted-by":"publisher","DOI":"10.1198\/000313007X219996"},{"key":"B72","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2012.04.001"},{"key":"B73","doi-asserted-by":"publisher","DOI":"10.1287\/opre.43.2.243"},{"key":"B74","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyaa003"},{"key":"B76","doi-asserted-by":"publisher","DOI":"10.1287\/deca.2018.0377"},{"key":"B77","volume-title":"Solving Bilevel Mixed Integer Program by Reformulations and Decomposition","author":"Zeng B","year":"2014"}],"container-title":["Decision Analysis"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/pubsonline.informs.org\/doi\/pdf\/10.1287\/deca.2023.0072","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,6]],"date-time":"2024-12-06T14:32:43Z","timestamp":1733495563000},"score":1,"resource":{"primary":{"URL":"https:\/\/pubsonline.informs.org\/doi\/10.1287\/deca.2023.0072"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12]]},"references-count":48,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2024,12]]}},"alternative-id":["10.1287\/deca.2023.0072"],"URL":"https:\/\/doi.org\/10.1287\/deca.2023.0072","relation":{},"ISSN":["1545-8490","1545-8504"],"issn-type":[{"value":"1545-8490","type":"print"},{"value":"1545-8504","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,12]]}}}