Managing Cybersecurity Events Using Service-Level Agreements (SLAs) by Profiling the People Who Attack

Research output: Chapter in Book/Report/Conference proceedingChapterpeer-review

2 Citations (Scopus)


Security frameworks are used to determine the approach to managing a network that may be under attack. The DREAD model from Microsoft, for example, promotes a strategy that is defined according to the impact of the attack on Damage, Reproducibility, Exploitability, Affected users, and Discoverability (DREAD). Each DREAD metric is scored, and the subsequent priorities are used to influence a reaction to the attack. In the event that an identified attack is being carried out by a security auditor, otherwise known as a white hat hacker whose intention is not malicious, the attack may not contribute significant Damage when considered according to DREAD yet may be consuming resources and causing challenges for the network service provider in terms of their ability to fulfil all customer service-level agreements (SLAs). This is therefore an operational event that needs to be responded to when managing the network load yet not necessarily from a cybersecurity perspective—it could, however, be managed from perspective of either performance or security. As an element of a Fault, Configuration, Accounting, Performance and Security (FCAPS) management approach, a response to such an event may involve reacting to a potential performance compromise occurring for security reasons. The network operator or service provider does not need to know the reason why the network is heavily loaded and only needs to ensure sufficient resources to fulfil all SLAs. However, it is recognised that there is an opportunity to pre-emptively identify that the network may become loaded in portions due to the tendencies of people operating within the network, specifically from a cybersecurity perspective and in relation to their intentions. This is in recognition of the fact that people who attack networks have a propensity towards commonalities in their personal characteristics and that these factors can be the drivers behind their attacking of a network. In addition to categorising attackers according to their intention (i.e., black hat and malicious, grey hat and not malicious but may violate laws, or white hat and friendly), a further degree of categorisation is proposed in terms of those who: (1) have some personal pressure which is influencing their desire to carry out malevolent actions online, (2) are naturally highly intelligent and inquisitive, and (3) those who are mentally ill. In this chapter, an approach is proposed to manage the network by profiling the characteristics of users residing across it according to their propensity to carry out a cyber-attack. Furthermore, it is suggested to use this information to pre-empt their activity such that the SLAs for all customers will continue to be achieved throughout the SLA lifetime. This process will be facilitated through the way in which the SLAs are defined and the information collected during the service setup procedure.
Original languageEnglish
Title of host publicationAdvances in Cybersecurity Management
Number of pages23
ISBN (Electronic) 978-3-030-71381-2
Publication statusPublished (in print/issue) - 16 Jun 2021


Dive into the research topics of 'Managing Cybersecurity Events Using Service-Level Agreements (SLAs) by Profiling the People Who Attack'. Together they form a unique fingerprint.

Cite this