CSR CRE 2021

2021 IEEE CSR Workshop on Cyber Resilience and Economics (CRE)

July 27, 2021

A combination of cyber technological feasibility and economic viability drives many of the decisions related to cybersecurity and cyber resiliency by both the defenders and attackers. In this context, technological feasibility is defined as any cyber resiliency technology that has the potential to be developed, fielded, and operationally controlled. In the case of economic viability, the resources required to defend, or attack must be available. We define resources in its broadest sense to include but not limited to the people, equipment, training, required funding, and asset value. On the defensive side, these technological and economic factors determine the cyber security and resiliency policies, procedures and technologies implemented to prevent and respond to cyber-attacks. On the offensive side, they not only determine the type of attack but also the effort expended to ensure its success. In short, these and other factors determine the asymmetric balance between the attackers and defenders.

The CRE 2021 workshop will explore foundational and applied advances in cyber resiliency strategies, policies and technologies to shift the asymmetric balance in favour of the defender and identify and quantify the effect economic realities have on the decision processes. At the top level, national and organizational strategies and policies are required to understand what is to be achieved and the resources to be made available to protect critical resources and infrastructures. These strategies and policies must be supported by security and resiliency technologies. As a result, in addition to exploring various strategies, the workshop will seek to understand the capabilities, strengths/weaknesses, and benefits of various resiliency technologies whether existing or in research. The workshop will examine the parameters needed to accurately quantify asymmetric imbalance from both the offensive and defensive perspective; examine technical and non-technical approaches to shifting that balance, including the full range of costs/benefits of each approach; and explore and evaluate a range of options for defining and achieving optimality.

Topics of Interest

Prospective authors are encouraged to submit previously unpublished contributions from a broad range of topics, which include but are not limited to the following:

› National and organizational cyber resiliency strategies and policies related to the development, deployment and use of cyber resiliency technologies.
› Existing IT/OT (and their interfaces) to achieve cyber resilience of CPS environments.
› Research activities in cyber resilience focused on IT and OT solutions, alignment of technical and mission resiliency, and preemptive resilience.
› Benefits and weaknesses of cyber resiliency technologies in CPS environments.
› Metrics, measurements, and economics of cyber resiliency & asymmetry.

› Technical and Economic barriers to the implementation of cyber resiliency technologies.
› Defining practical cyber resiliency and potential use cases and case studies.
› Relationship between resiliency and security in protecting CPS environments.
› Adversary and defender economics: assessing the impact of defender capabilities and actions to the attacker and vice versa.
› Frameworks for ROI analysis (cost, risk, benefit) to guide technology investment (research, development, and utilization).

The workshop organizers are also interested in proposed panel discussions on the above topics. Panel discussion proposals should be submitted via the manuscript submission process and should include a detailed description of the panel discussion along with the proposed panelists.

Important Dates

Paper submission deadline: April 19 May 10, 2021 AoE (firm)
Authors’ notification: May 3 May 31, 2021 AoE
Camera-ready submission: May 10 June 7, 2021 AoE
Early registration deadline: June 14, 2021 AoE
Workshop date: July 27, 2021

Submission Guidelines

The workshop’s proceedings will be published by IEEE and will be included in IEEE Xplore. The guidelines for authors, manuscript preparation guidelines, and policies of the IEEE CSR conference are applicable to CRE 2021 workshop. Please visit the authors’ instructions page for more details. When submitting your manuscript via the conference management system, please make sure that the workshop’s track 2T3 CRE is selected in the Topic Areas drop down list.

Workshop Committees

Workshop chairs

Nicholas J. Multari, Pacific Northwest National Lab (US)
Jeffrey Picciotto, MITRE Corporation (US)

Organizing committee

Rosalie McQuaid, MITRE Corporation (US)
George Sharkov, European Software Inst CEE; Cybersecurity Lab (BG)
Volkmar Lotz, SAP Labs (FR)
Christopher Oehmen, Pacific Northwest National Lab (US)

Publicity chairs

Christopher Oehmen, Pacific Northwest National Lab (US)
Paul Rowe, MITRE Corporation (US)

Contact us


Program committee

Michael Atighetchi, Raytheon Corp, BBN (US)
Yung Ryn Choe, Sandia National Laboratory (US)
Sabrina De Capitani di Vimercati, Universita degli Studi di Milano (IT)
Herve Debar, Telecom Sud, Paris (FR)
Erich Devendorf, Air Force Research Laboratory (US)
Chad Heitzenrater, Air Force Research Laboratory (US)
Doug Jacobson, Iowa State University (US)
Aloysius Mok, University of Texas at Austin (US)
Takashi Nanya, University of Tokyo (JP)
Nuno Neves, University of Lisbon (PT)
Craig Rieger, Idaho National Laboratory (US)
Luigi Romano, University of Naples (IT)
Meghan Sahakian, Sandia National Laboratory (US)
Reginald Sawilla, Government of Canada (CA)
O. Sami Saydjari, Cyber Defense Agency (US)
Marco Vieira, University of Coimbra (PT)

Program Information

All sessions are held in Nafsika room (July 27, 2021)

Technical session WS-CRE1

Chair: Nicholas J. Multari, Pacific Northwest National Lab (US)

10:00–10:20 CET

Welcome from the CRE workshop chairs

N. J. Multari and J. Picciotto

10:20–10:40 CET

Modelling cyber-risk in an economic perspective

I. Bothos, V. Vlachos, D. Kyriazanos, I. Stamatiou, K. G. Thanos, P. Tzamalis, S. Nikoletseas, and S. Thomopoulos

10:40–11:00 CET

Disposable identities; Enabling trust-by-design to build more sustainable data driven value

J. Isohanni, K. M. Hermsen, L. Goulden, M. Ross, and J. Vanbockryck

11:00–11:20 CET

Influence pathways: Mapping the narratives and psychological effects of russian COVID-19 disinformation

A. Hoyle, T. Powell, B. Cadet, and J. van de Kuijt



Break (resume in the afternoon)



Keynote session WS-CRE2

Chair: Rosalie McQuaid, MITRE Corporation (US)

15:40–16:10 CET

Invited talk: A process-based approach to cybersecurity certification

Volkmar Lotz, SAP Security Research (FR)

Abstract. We outline an approach for security certification of products or services for modern commercial systems that are characterized by agile development, the integration of development and operations, and high dynamics of system features and structures. The proposed scheme rather evaluates the processes applied in development and operations than investigates into the validity of the product properties itself. We argue that the resulting claims are still suitable to increase the confidence in the security of products and services resulting from such processes.

Biography. Volkmar Lotz is Head of SAP Security Research, a group of 35 researchers aiming at future-proofing SAP’s security and privacy, in line with SAP’s business and technology strategy and global trends, covering topics ranging from applied cryptography over securing AI applications to software security analysis. He has 30 years’ experience in industrial research on Security and Software Engineering. His own research interests include Security Certification, Software Security, and IoT security. He is located in Sophia Antipolis France. Volkmar has published numerous scientific papers in his area of interest and is regularly serving on Programme Committees of internationally renowned conferences. He has been supervising various European projects, including large-scale integrated projects. Volkmar holds a diploma in Computer Science from the University of Kaiserslautern.

16:10–16:40 CET

Invited talk: Adaptable cyber matrix in energy security hybrid threat analysis

Gabriel Raicu, Constanta Maritime University (RO)

Abstract. With increased digitalization energy systems face an increasing range of threats requiring an attentive evaluation of the cyber security risk allowing taking proper countermeasures. The protection and response modalities applied until now have had only a limited efficiency being necessary new approaches with a higher degree of adaptability that take into account the evolutionary structure of the threats on the energy field. Energy systems become more dependent of digital technologies which is facing higher risks and vulnerabilities exposed to an increasing range of cyber threats. Most power grids were designed at a time when there were no cyber-attacks and as a result the protections installed later do not correctly and completely address the problem of cyber security. As direct consequence not all systems assets can be protected accordingly. There is an inherent risk of escalation and proliferation of these threats and their transformation into soft bridges that affect energy security as a whole. For cybersecurity approaches to be successful, a paradigm shift must be made starting with the cybersecurity matrix approach.

Biography. Assoc. Prof. PhD Gabriel Raicu is a Vice-Rector of Constanta Maritime University (CMU) and director of the Black Sea Maritime Cyber Security Center or Excellence. He holds a PhD in Cybernetics and is a main coordinator of the Black Sea Cyber Security Conference series starting from 2017.

16:40–17:10 CET

Invited talk: Hybridized exercising of critical infrastructure cyber resilience

George Sharkov, European Software Institute (BG)

Abstract. The hybrid nature of a modern cyber warfare requires an upgrade of the traditional cyber exercising from purely technically focused (like CTF) or decision-making (table-top) to a more complex cyber-hybrid scenario. A stronger and effective collaboration at technical, operational and higher decision-making level need to be exercised, analyzed and improved to ensure the resilience of our digitized society, essential services and economy. An experience of performing three “cyber shockwave” exercises at national level is presented with focus on main weaknesses identified. To provide a realistic environment for such exercises a “hybrid” type of cyber ranges is also needed which combine “simulation” “emulation” and “overlay” type of technical platforms as well as custom-made polygons. Our composite cyber range (TheRedRanger) follows the System-of-Systems approach and allows dynamic activation or incorporation of playgrounds integration of complete standard or customized attacks and support “exercise as a service”.

Biography. Dr. George Sharkov is CEO of the European Software Institute CEE and a head of Cyber Security and Resilience Lab since 2003. He was an adviser to the Bulgarian Minister of Defense (2014-2021) and the National Cybersecurity Coordinator, leading the development of the national Cyber Resilience strategy. Member of the EU AI High Level Expert Group, SMEs voice at ETSI technical committees (TC CYBER and ISG “Securing AI”), ENISA Ad-Hoc Group on AI, ENISA Stakeholders Cybersecurity Certification Group. He holds PhD in AI and lecturing at 4 leading universities (software quality, cybersecurity and resilience, active security).



Break (awards session in Athena room)



Panel discussion WS-CRE3

Chairs: Jeffrey Picciotto, MITRE Corporation (US);
Nicholas J. Multari, Pacific Northwest National Lab (US)

18:20–18:50 CET

Invited talk: Cyber reflections, cyber projections

Paul Nielsen, Carnegie Mellon University/Software Engineering Institute (US)

Abstract. Daily, we learn about breaches and intrusions of computer systems and networks. Leaps in technology that have enabled new means to acquire wealth have created attractive targets for malicious attackers. The field of cybersecurity has grown as the means to protect assets on those systems and networks that individuals and organizations value. Across decades, the back-and-forth between those who want to protect data or money and those who act to take it by malicious means can be seen as a contest, even battle. It is possible to look back, examine today, and glimpse a future of where this contest is heading. Seeing past, present, a possible future, we can also take stock of what defenders can do today.

Biography. Paul D. Nielsen is Director and Chief Executive Officer of the Carnegie Mellon University Software Engineering Institute (SEI), a leader and key innovator in areas central to U.S. Department of Defense including software quality, artificial intelligence engineering, mission assurance, network and system resilience, and the increasing overlap of software and systems engineering. Nielsen is a member of the U.S. National Academy of Engineering (NAE); a Fellow of the American Institute of Aeronautics and Astronautics (AIAA); the Institute for Electrical and Electronics Engineers (IEEE); and the International Council on Systems Engineering (INCOSE); and a frequent speaker and panelist at conferences, workshops, and symposia. He serves on the Defense Science Board and several other advisory boards. Prior to joining the SEI in 2004, Nielsen served in the U.S. Air Force, retiring as a major general and commander of Air Force research after 32 years of distinguished service. Nielsen holds PhD and MS degrees in Applied Science from the University of California (Davis).

18:50–19:20 CET

Invited talk: On the resilience of command and control architectures for cyber defense

Marco Carvalho, Florida Institute of Technology (US)

Abstract. One of the most well established principles of mission critical operations is the notion of centralized control and decentralized execution. This age-old tenant has been the basis for traditional command and control (C2) frameworks that has proven to be successful time and time again and understandably has been widely replicated for a very diverse set of applications, including cyber defense infrastructures. However, as the limitations of traditional C2 approaches start to become clear in modern contested operation environments, so are the limitations of the defense infrastructures designed under similar principles. In this talk, I will discuss some of the issues associated with the resilience of commend and control architectures for cyber defense, and their operational impact in the operations and security of the infrastructure. The talk will also introduce some alternative design strategies for resilience in distributed C2 and review some prior and current research in the field.

Biography. Marco M. Carvalho is a Professor at the Florida Institute of Technology in Melbourne, FL/USA. He graduated in Mechanical Engineering at the University Brasilia (UnB Brazil), where he also completed his M.Sc. in Mechanical Engineering with specialization in dynamic systems. Dr. Carvalho also holds a M.Sc. in Computer Science from the University of West Florida and a Ph.D. in Computer Science from Tulane University with specialization in Machine Learning and Data Mining. At Florida Tech, Dr. Carvalho serves as the Executive Vice-President and Provost as well as Director of the L3Harris Institute for Assured Information. Dr. Carvalho is a Principal Investigator of several research projects in the areas of cyber security, information management, distributed coordination, and tactical communication systems. Dr. Carvalho can be contacted at mcarvalho@fit.edu.

19:20–20:00 CET

Panel topic: The next step for cyber resilience

Moderator: Nicholas J Multari, Pacific Northwest National Lab (US)
 Marco Carvalho, Florida Institute of Technology (US)
 Volkmar Lotz, SAP Security Research (FR)
 Paul Nielsen, Carnegie Mellon University/Software Engineering Institute (US)
 Gabriel Raicu, Constanta Maritime University (RO)
 George Sharkov, European Software Institute (BG)

See also the conference’s overall program.

Modelling cyber-risk in an economic perspective
I. Bothos, V. Vlachos, D. Kyriazanos, I. Stamatiou, K. G. Thanos, P. Tzamalis, S. Nikoletseas, and S. Thomopoulos

Disposable identities; Enabling trust-by-design to build more sustainable data driven value
J. Isohanni, K. M. Hermsen, L. Goulden, M. Ross, and J. Vanbockryck

Influence pathways: Mapping the narratives and psychological effects of russian COVID-19 disinformation
A. Hoyle, T. Powell, B. Cadet, and J. van de Kuijt

See also the conference’s overall list of accepted papers.