Last week Axelrod and Iliev from the University of Michigan (Ann Arbor) published a paper “Timing of cyber conflict“. Akshat Rathi, science editor at The Conversation reviewed the paper for the site, and asked me for comments. A quote from me is included in his piece.

There’s a bit more to say than I did there. The Daily Mail also covered this, and lazily presented it as a model that you just enter your data into and presto! it tells you when to perform your cyber attack. That’s not at all the case. The model asks you to guess at some probabilities, and then measure some unmeasurables including a quantification of the attack’s effect. (Makes me think of risk assessment!) There isn’t much of a mathematical model in it, really – there are variables, and a formula, and case studies in the paper, but in the case studies the variables never get values, and the formula isn’t used for anything.

That’s not at all to say it’s a useless paper. Although you can’t actually establish values for the variables, the concepts embodied in them are very useful, and it makes perfect sense to talk about them going up/down in scenarios. The case studies, such as of Stuxnet, make for very interesting reading indeed.