Jan von der Assen,Muriel F. Franco,Muyao Dong,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2402.14140

2024-02-22

Abstract:Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a real-world case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.

Cryptography and Security

Muriel Figueredo Franco,Fabian Künzler,Jan von der Assen,Chao Feng,Burkhard Stiller

2023-07-21

Abstract:Digitization increases business opportunities and the risk of companies being victims of devastating cyberattacks. Therefore, managing risk exposure and cybersecurity strategies is essential for digitized companies that want to survive in competitive markets. However, understanding company-specific risks and quantifying their associated costs is not trivial. Current approaches fail to provide individualized and quantitative monetary estimations of cybersecurity impacts. Due to limited resources and technical expertise, SMEs and even large companies are affected and struggle to quantify their cyberattack exposure. Therefore, novel approaches must be placed to support the understanding of the financial loss due to cyberattacks. This article introduces the Real Cyber Value at Risk (RCVaR), an economical approach for estimating cybersecurity costs using real-world information from public cybersecurity reports. RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate specific cyberattacks costs for companies. Furthermore, RCVaR extends current methods to achieve cost and risk estimations based on historical real-world data instead of only probability-based simulations. The evaluation of the approach on unseen data shows the accuracy and efficiency of the RCVaR in predicting and managing cyber risks. Thus, it shows that the RCVaR is a valuable addition to cybersecurity planning and risk management processes.

Cryptography and Security,Computers and Society,Information Retrieval

Saleh Mohamed AlHidaifi,Muhammad Rizwan Asghar,Imran Shafique Ansari

DOI: https://doi.org/10.1016/j.comnet.2024.110446

IF: 5.493

2024-05-05

Computer Networks

Abstract:Cyber resilience quantification is the process of evaluating and measuring an organisation's ability to withstand, adapt to, and recover from cyber-attacks. It involves estimating IT systems, networks, and response strategies to ensure robust defence and effective recovery mechanisms in the event of a cyber-attack. Quantifying cyber resilience can be difficult due to the constantly changing components of IT infrastructure. Traditional methods like vulnerability assessments and penetration testing may not be effective. Measuring cyber resilience is essential to evaluate and strengthen an organisation's preparedness against evolving cyber-attacks. It helps identify weaknesses, allocate resources, and ensure the uninterrupted operation of critical systems and information. There are various methods for measuring cyber resilience, such as evaluating, teaming and testing, and creating simulated models. This article proposes a cyber resilience quantification framework for IT infrastructure that utilises a simulation approach. This approach enables organisations to simulate different attack scenarios, identify vulnerabilities, and improve their cyber resilience. The comparative analysis of cyber resilience factors highlights pre-configuration's robust planning and adaptation (61.44%), buffering supported's initial readiness (44.53%), and network topologies' robust planning but weak recovery and adaptation (60.04% to 77.86%), underscoring the need for comprehensive enhancements across all phases. The utilisation of the proposed factors is crucial in conducting a comprehensive evaluation of IT infrastructure in the event of a cyber-attack.

computer science, information systems, hardware & architecture,engineering, electrical & electronic,telecommunications

Michael D. Iannacone,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1902.00053

2019-10-25

Abstract:Metrics and frameworks to quantifiably assess security measures have arisen from needs of three distinct research communities - statistical measures from the intrusion detection and prevention literature, evaluation of cyber exercises, e.g.,red-team and capture-the-flag competitions, and economic analyses addressing cost-versus-security tradeoffs. In this paper we provide two primary contributions to the security evaluation literature - a representative survey, and a novel framework for evaluating security that is flexible, applicable to all three use cases, and readily interpretable. In our survey of the literature we identify the distinct themes from each community's evaluation procedures side by side and flesh out the drawbacks and benefits of each. The evaluation framework we propose includes comprehensively modeling the resource, labor, and attack costs in dollars incurred based on expected resource usage, accuracy metrics, and time. This framework provides a unified approach in that it incorporates the accuracy and performance metrics, which dominate intrusion detection evaluation, the time to detection and impact to data and resources of an attack, favored by educational competitions' metrics, and the monetary cost of many essential security components used in financial analysis. Moreover, it is flexible enough to accommodate each use case, easily interpretable and comparable, and comprehensive in terms of costs <a class="link-external link-http" href="http://considered.Finally" rel="external noopener nofollow">this http URL</a>, we provide two examples of the framework applied to real-world use cases. Overall, we provide a survey and a grounded, flexible framework with multiple concrete examples for evaluating security which can address the needs of three currently distinct communities.

Cryptography and Security

Lampis Alevizos,Vinh-Thong Ta

2024-09-06

Abstract:In the dynamic cyber threat landscape, effective decision-making under uncertainty is crucial for maintaining robust information security. This paper introduces the Cyber Resilience Index (CRI), a threat-informed probabilistic approach to quantifying an organisation's defence effectiveness against cyber-attacks (campaigns). Building upon the Threat-Intelligence Based Security Assessment (TIBSA) methodology, we present a mathematical model that translates complex threat intelligence into an actionable, unified metric similar to a stock market index, that executives can understand and interact with while teams can act upon. Our method leverages Partially Observable Markov Decision Processes (POMDPs) to simulate attacker behaviour considering real-world uncertainties and the latest threat actor tactics, techniques, and procedures (TTPs). This allows for dynamic, context-aware evaluation of an organization's security posture, moving beyond static compliance-based assessments. As a result, decision-makers are equipped with a single metric of cyber resilience that bridges the gap between quantitative and qualitative assessments, enabling data-driven resource allocation and strategic planning. This can ultimately lead to more informed decision-making, mitigate under or overspending, and assist in resource allocation.

Cryptography and Security

Raisa Dzhamtyrova,Carsten Maple

DOI: https://doi.org/10.1007/s10618-021-00814-z

Abstract:The increasing value of data held in enterprises makes it an attractive target to attackers. The increasing likelihood and impact of a cyber attack have highlighted the importance of effective cyber risk estimation. We propose two methods for modelling Value-at-Risk (VaR) which can be used for any time-series data. The first approach is based on Quantile Autoregression (QAR), which can estimate VaR for different quantiles, i. e. confidence levels. The second method, we term Competitive Quantile Autoregression (CQAR), dynamically re-estimates cyber risk as soon as new data becomes available. This method provides a theoretical guarantee that it asymptotically performs as well as any QAR at any time point in the future. We show that these methods can predict the size and inter-arrival time of cyber hacking breaches by running coverage tests. The proposed approaches allow to model a separate stochastic process for each significance level and therefore provide more flexibility compared to previously proposed techniques. We provide a fully reproducible code used for conducting the experiments.

Piotr Żebrowski,Aitor Couce-Vieira,Alessandro Mancuso

DOI: https://doi.org/10.1111/risa.13900

Abstract:Critical infrastructures are increasingly reliant on information and communications technology (ICT) for more efficient operations, which, at the same time, exposes them to cyber threats. As the frequency and severity of cyberattacks are increasing, so are the costs of critical infrastructure security. Efficient allocation of resources is thus a crucial issue for cybersecurity. A common practice in managing cyber threats is to conduct a qualitative analysis of individual attack scenarios through risk matrices, prioritizing the scenarios according to their perceived urgency and addressing them in order until all the resources available for cybersecurity are spent. Apart from methodological caveats, this approach may lead to suboptimal resource allocations, given that potential synergies between different attack scenarios and among available security measures are not taken into consideration. To overcome this shortcoming, we propose a quantitative framework that features: (1) a more holistic picture of the cybersecurity landscape, represented as a Bayesian network (BN) that encompasses multiple attack scenarios and thus allows for a better appreciation of vulnerabilities; and (2) a multiobjective optimization model built on top of the said BN that explicitly represents multiple dimensions of the potential impacts of successful cyberattacks. Our framework adopts a broader perspective than the standard cost-benefit analysis and allows the formulation of more nuanced security objectives. We also propose a computationally efficient algorithm that identifies the set of Pareto-optimal portfolios of security measures that simultaneously minimize various types of expected cyberattack impacts, while satisfying budgetary and other constraints. We illustrate our framework with a case study of electric power grids.

Taylor Reynolds,Sarah Scheffler,Daniel J. Weitzner,Angelina Wu

2024-02-07

Abstract:There are two strategic and longstanding questions about cyber risk that organizations largely have been unable to answer: What is an organization's estimated risk exposure and how does its security compare with peers? Answering both requires industry-wide data on security posture, incidents, and losses that, until recently, have been too sensitive for organizations to share. Now, privacy enhancing technologies (PETs) such as cryptographic computing can enable the secure computation of aggregate cyber risk metrics from a peer group of organizations while leaving sensitive input data undisclosed. As these new aggregate data become available, analysts need ways to integrate them into cyber risk models that can produce more reliable risk assessments and allow comparison to a peer group. This paper proposes a new framework for benchmarking cyber posture against peers and estimating cyber risk within specific economic sectors using the new variables emerging from secure computations. We introduce a new top-line variable called the Defense Gap Index representing the weighted security gap between an organization and its peers that can be used to forecast an organization's own security risk based on historical industry data. We apply this approach in a specific sector using data collected from 25 large firms, in partnership with an industry ISAO, to build an industry risk model and provide tools back to participants to estimate their own risk exposure and privately compare their security posture with their peers.

Cryptography and Security,Computers and Society,General Economics,Applications

Weili Han,Chenguang Shen,Yuliang Yin,Yun Gu,Chen Chen

DOI: https://doi.org/10.1145/2046707.2093492

2011-01-01

Abstract:Risk and benefit are two implicit key factors to determine accesses in secure information sharing. Recent researches have shown that they can be explicitly quantified and used to improve the flexibility in information systems. This paper introduces the motivation and a technical design of Quantified riSk and Benefit adaptive Access Control (QSBAC) to strengthen the security of information sharing. The paper also introduces the key issues to design policies in QSBAC.

Seddik, Hellas Mohamed,Rachid, Chaib

DOI: https://doi.org/10.1007/s00500-023-07960-0

IF: 3.732

2023-03-10

Soft Computing

Abstract:The disadvantage of the methods used in dependability and especially the QRA (Quantitative Risk Assessment) method is that of data imperfection and the lack of robustness in the results (subjective estimation of frequencies and consequences effects of accident scenarios). This subjectivity results from several factors, in particular, the high number of components in the system studies, connections and structural interactions, and functional dependencies between the components including operating conditions. Also, physical factors and environmental influence the state and functioning of the system. All these factors alternate the credibility and perfection of data as well as security analysis results. Although the QRA method is effective, its application is very costly in terms of time and effort, which requires competent specialists. It is right that several aspects are not well supported by conventional QRA. Paving the way for further improvements and suggesting soft computing approaches using fuzzy sets and logic although various other approaches can be adopted such as fuzzy probability theory approach. A good review of the QRA approach in various fields is also appreciated as the availability and quality of the data restrict the objectivity and effectiveness of QRA and secondly the results of QRA either the steps taken are qualitative or quantitative are associated with uncertainty or impreciseness and compel to adopt soft computing approach. Four types of uncertainties are covered: Uncertainty associated with input parameters, stochastic/ontological uncertainty, Assessment and reduction in risk and modeling of dangerous effects. The uncertainties inherent in QRA approach are dealt with using tools from the theory of fuzzy sets and that of possibility and helpful in flexible solutions allowing for adaptive risk management.

computer science, artificial intelligence, interdisciplinary applications

Michel Dacorogna,Marie Kratz

2023-02-05

Abstract:Not a day goes by without news about a cyber attack. Fear spreads out and lots of wrong ideas circulate. This survey aims at showing how all these uncertainties about cyber can be transformed into manageable risk. After reviewing the main characteristics of cyber risk, we consider the three layers of cyber space: hardware, software and psycho-cognitive layer. We ask ourselves how is this risk different from others, how modelling has been tackled and needs to evolve, and what are the multi-facetted aspects of cyber risk management. This wide exploration pictures a science in the making and points out the questions to be solved for building a resilient society.

Cryptography and Security

Jürgen Beyerer,Jürgen Geisler

DOI: https://doi.org/10.1007/s41125-016-0008-y

2016-10-01

European Journal for Security Research

Abstract:A mathematical framework is presented that describes risk in the context of safety and security problems quantitatively and in an integrative way. Great importance is laid on a clear notation with a sound semantics. Essentially, this seminal contribution is a substantially expanded version of our short paper “A quantitative risk model for a uniform description of safety and security”, which we presented to the 10th Future Security 2015 in Berlin (A quantitative risk model for a uniform description of safety and security. In: Proceedings of the 10th Future security—security research conference, pp 317–324, 2015). The key concept of this paper is a quantitative formulation of risk. Uncertainties are modelled based on probability distributions. Risk due to purely stochastic sources of danger is based on objective notions of probabilities and costs whereas risks of individuals (intelligent agents) are described from their own points of view, i.e. in a fully subjective manner, since individuals draw their decisions based on their subjective assessments of potential costs and of frequencies of event occurrence. Therefore, probability is interpreted in a Bayesian context as a degree of belief (DoB). Based on a role model for the involved agents with the three roles »source of danger«, »subject of protection« and »protector«, risk is modelled quantitatively using statistical decision theory and game theory. The set D of sources of danger is endowed with a DoB-distribution describing the probability of occurrence. D is partitioned into subsets that describe dangers which are due to random causes, carelessness and intention. A set of flanks of vulnerability F is assigned to each subject of protection. These flanks characterize different aspects of vulnerability concerning mechanical, physiological, informational, economical, reputational, psychological, … vulnerability. The flanks of vulnerability are endowed with conditional DoBs that describe to which degree an incidence or an attack will be harmful. Additionally, each flank of vulnerability is endowed with a cost function that quantifies the costs which are charged to the subject of protection, if it is affected by a harmful incidence or attack. With these ingredients the risk for the subject of protection can be quantified based on an ensemble functional with respect to all sources of danger and to all flanks of vulnerability. Depending of the respective subset of dangers such a functional is an expectation (case of random causes and carelessness) or a selection operation (case of intention), where in the latter case the attack will presumably take place at the weakest flank of vulnerability. The calculated risk can be opposed to the cost of protection measures that are offered by the protector in order to foster an effective and economical invest decision. From an attacker’s point of view a utility function is formulated which a rational attacker presumably would use to evaluate his cost-benefit ratio in order to decide whether he attacks and which of his options he exercises. The challenges of the approach are the determination of the cost functions and especially the estimation of the probabilities (DoBs) of the model. Two approaches for determining DoBs, the Maximum Entropy Principle (MEP) and the Conditioning On Rare Events (CORE), are presented and discussed. The model can be used to simulate and evaluate the endangerment of subjects of protection quantitatively, e.g. using a software agent implementation, where the agents are endowed with the cost functions and the DoBs of the presented framework.

Mahdieh Safarzadehvahed,Farzaneh Abazari,Afsaneh Madani,Fatemeh Shabani

DOI: https://doi.org/10.48550/arXiv.2304.14952

2023-04-28

Cryptography and Security

Abstract:When a threat is observed, one of the most important challenges is to choose the most appropriate and adequate timely decisions in response to the current and near future situation in order to have the least consequences and costs. Making the appropriate and sufficient decisions requires knowing what situations the threat has engendered or may engender. In this paper, we propose a quantitative risk-based method called QR-SACP to calculate and project situational awareness in a network based on threat information sharing. In this method, we investigate a threat from different aspects and evaluate the threat's effects through dependency weight among a network's services. We calculate the definite effect of a threat on a service and the cascading propagation of the threat's definite effect on other dependent services to that service. In addition, we project the probability of a threat propagation or recurrence of the threat in other network services in three ways: procedurally, network connections and similar infrastructure or services. Experimental results demonstrate that the QR-SACP method can calculate and project definite and probable threats' effects across the entire network and reveal more details about the threat's current and near future situations.

Fazleena Badurdeen,Mohannad Shuaib,Ken Wijekoon,Adam Brown,William Faulkner,Joseph Amundson,I.S. Jawahir,Thomas J. Goldsby,Deepak Iyengar,Brench Boden

DOI: https://doi.org/10.1108/jmtm-10-2012-0097

2014-05-27

Journal of Manufacturing Technology Management

Abstract:Purpose – Globally expanding supply chains (SCs) have grown in complexity increasing the nature and magnitude of risks companies are exposed to. Effective methods to identify, model and analyze these risks are needed. Risk events often influence each other and rarely act independently. The SC risk management practices currently used are mostly qualitative in nature and are unable to fully capture this interdependent influence of risks. The purpose of this paper is to present a methodology and tool developed for multi-tier SC risk modeling and analysis. Design/methodology/approach – SC risk taxonomy is developed to identify and document all potential risks in SCs and a risk network map that captures the interdependencies between risks is presented. A Bayesian Theory-based approach, that is capable of analyzing the conditional relationships between events, is used to develop the methodology to assess the influence of risks on SC performance Findings – Application of the methodology to an industry case study for validation reveals the usefulness of the Bayesian Theory-based approach and the tool developed. Back propagation to identify root causes and sensitivity of risk events in multi-tier SCs is discussed. Practical implications – SC risk management has grown in significance over the past decade. However, the methods used to model and analyze these risks by practitioners is still limited to basic qualitative approaches that cannot account for the interdependent effect of risk events. The method presented in this paper and the tool developed demonstrates the potential of using Bayesian Belief Networks to comprehensively model and study the effects or SC risks. The taxonomy presented will also be very useful for managers as a reference guide to begin risk identification. Originality/value – The taxonomy developed presents a comprehensive compilation of SC risks at organizational, industry, and external levels. A generic, customizable software tool developed to apply the Bayesian approach permits capturing risks and the influence of their interdependence to quantitatively model and analyze SC risks, which is lacking.

engineering, manufacturing, industrial,management

Oleksandr Netkachov,Peter Popov,Kizito Salako

DOI: https://doi.org/10.1007/978-3-319-95597-1_5

2019-01-01

Abstract:This chapter reports on a model-based approach to assessing cyber-risks in a cyber-physical system (CPS), such as power-transmission systems. We demonstrate that quantitative cyber-risk assessment, despite its inherent difficulties, is feasible. In this regard: (i) we give experimental evidence (using Monte-Carlo simulation) showing that the losses from a specific cyber-attack type can be established accurately using an abstract model of cyber-attacks – a model constructed without taking into account the details of the specific attack used in the study; (ii) we establish the benefits from deploying defence-in-depth (DiD) against failures and cyber-attacks for two types of attackers: (a) an attacker unaware of the nature of DiD, and (b) an attacker who knows in detail the DiD they face in a particular deployment, and launches attacks sufficient to defeat DiD. This study provides some insight into the benefits of combining design-diversity – to harden some of the protection devices in a CPS – with periodic “proactive recovery” of protection devices. The results are discussed in the context of making evidence-based decisions about maximising the benefits from DiD in a particular CPS.

Aaron Sanders,Tong Sun,Yin Pan,Bo Yuan

DOI: https://doi.org/10.1109/socialcom-passat.2012.95

2012-01-01

Abstract:Research in quantitative Information Technology (IT) risk analysis has increased in the past decade, but much of that research has focused on creating new approaches that replace existing ones. Since organizations have extensive sunk costs invested in their risk management programs, there exists a need to extend and improve existing approaches. Additionally, many quantitative approaches are difficult to implement without mathematical expertise or specialized tools, focus on quantifying individual vulnerabilities, provide little insight into underlying process gaps affecting IT risk and do not facilitate including environmental factors in risk ratings. Our research focuses on identifying attributes or characteristics of risk that are missing from existing approaches, and quantifying their relevance using statistical analysis techniques. We seek to identify and quantify attributes that further close the gap between enumerating IT risks and understanding the actual risk they present. In this paper we identify the relationship between risk findings as a key attribute, and demonstrate using correlation to quantify the relationship. Correlation analysis enables organizations to uncover process gaps, and situations where default risk ratings may not be sufficient. In this paper, we discuss the benefits of correlating risk findings and demonstrate value and feasibility through an empirical case study.

Alexander A. Ganin,Phuoc Quach,Mahesh Panwar,Zachary A. Collier,Jeffrey M. Keisler,Dayton Marchese,Igor Linkov

DOI: https://doi.org/10.1111/risa.12891

2017-09-05

Risk Analysis

Abstract:Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Nicole M. Radziwill,Morgan C. Benton

DOI: https://doi.org/10.48550/arXiv.1707.02653

2017-07-09

Cryptography and Security

Abstract:There is no standard yet for measuring and controlling the costs associated with implementing cybersecurity programs. To advance research and practice towards this end, we develop a mapping using the well-known concept of quality costs and the Framework Core within the Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) in response to the Cybersecurity Enhancement Act of 2014. This mapping can be easily adopted by organizations that are already using the NIST CSF for cybersecurity risk management to plan, manage, and continually improve cybersecurity operations. If an organization is not using the NIST CSF, this mapping may still be useful for linking elements in accounting systems that are associated with cybersecurity operations and risk management to a quality cost model.

Wing Fung Chong,Runhuan Feng,Hins Hu,Linfeng Zhang

2023-10-23

Abstract:Cyber risk is an omnipresent risk in the increasingly digitized world that is known to be difficult to manage. This paper proposes a two-pillar cyber risk management framework to address such difficulty. The first pillar, cyber risk assessment, blends the frequency-severity model in insurance with the cascade model in cybersecurity, to capture the unique feature of cyber risk. The second pillar, cyber capital management, provides informative decision-making on a balanced cyber risk management strategy, which includes cybersecurity investments, insurance coverage, and reserves. This framework is demonstrated by a case study based on a historical cyber incident dataset, which shows that a comprehensive cost-benefit analysis is necessary for a budget-constrained company with competing objectives for cyber risk management. Sensitivity analysis also illustrates that the best strategy depends on various factors, such as the amount of cybersecurity investments and the effectiveness of cybersecurity controls.

Risk Management,Cryptography and Security,Optimization and Control