Cyber Security Risk Modelling and Assessment: A Quantitative Approach

Cited by: 0
Authors
Sokri, Abderrahmane [1]
Affiliations
[1] Govt Canada, DRDC CORA, Toronto, ON, Canada
Keywords
cyber security; risk analysis; threat; vulnerability; impact; MANAGEMENT; TOOL;
DOI
Not available
CLC classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
The extensive use of information systems has become both a crucial enabler and a critical vulnerability in all spheres of public and private activity. A cyber-security breach may result in interruption, modification, degradation, fabrication, interception, or unauthorized use of an information asset. The resulting damage can be immediate, causing direct financial losses, or prospective, gradually harming national safety and reputation. In the context of cyber security, risk is present where a threat intersects with a corresponding vulnerability that allows it to manifest. It can be formally expressed as a function of three elements: the probability that a threat becomes harmful, the probability that a vulnerability is exploited, and the resulting impact. While these three elements can be expressed either qualitatively or quantitatively, in cyber security they are generally described in qualitative terms. This paper presents common cyber security risk assessment methods and shows how a risk analysis can be conducted in cyberspace. It proposes a new cyber risk formulation combining statistical and Monte Carlo simulation techniques. Risk analysis is defined here as a process that aims to identify, analyze, and reduce or transfer risk. A case study using the most common threats, vulnerabilities, and impacts illustrates the approach. In this study, a Program Evaluation and Review Technique (PERT) distribution is used to represent the inherent risk curve. A correlation analysis using stochastic simulation shows how sensitive the overall risk is to the different threats; risk drivers are thereby assessed and displayed graphically using a pairwise association. The results and insights can assist civilian and military decision-makers in identifying critical risk drivers and the need for contingency plans. Statistical techniques and Monte Carlo simulation objectively derive the most likely cyber risk profile. The Loss Exceedance Curve shows, for each loss, the likelihood of exceeding it. The what-if analysis determines which risk mitigation strategies would have the most impact.
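The abstract describes risk as a function of threat probability, vulnerability probability and impact, estimated with PERT-distributed inputs and Monte Carlo simulation, with correlation analysis to rank risk drivers, a Loss Exceedance Curve and a what-if comparison of mitigations. The following Python example, added here and not the paper's own code, works that pipeline through end to end. The four scenarios, their three-point estimates and the loss units are constructed for illustration; the PERT shape parameter of 4, the assumption that an event occurs with probability p_threat * p_vuln (independent draws), and the function names are assumptions of this example rather than the paper's stated formulation.

```python
"""Added example (not the paper's code): Monte Carlo cyber risk model with
PERT-distributed inputs, a loss exceedance curve, correlation-based risk
drivers and a what-if comparison. Scenario values are constructed."""
import random
from dataclasses import dataclass

PERT_LAMBDA = 4.0  # assumed PERT shape parameter (the customary default)

@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min, most likely, max) sampled as a PERT/beta."""
    low: float
    mode: float
    high: float

    def mean(self):
        return (self.low + 4.0 * self.mode + self.high) / 6.0  # PERT mean

    def sample(self, rng):
        span = self.high - self.low
        if span == 0.0:
            return self.low
        # PERT is a beta on [low, high] with shape parameters set by the mode
        a = 1.0 + PERT_LAMBDA * (self.mode - self.low) / span
        b = 1.0 + PERT_LAMBDA * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)

@dataclass(frozen=True)
class Scenario:
    name: str
    p_threat: Pert  # probability the threat becomes harmful in the period
    p_vuln: Pert    # probability the matching vulnerability is exploited
    impact: Pert    # loss if the event occurs (constructed units: k$)

# Constructed, illustrative three-point estimates (not data from the paper).
SCENARIOS = [
    Scenario("phishing", Pert(0.6, 0.8, 0.95), Pert(0.2, 0.35, 0.5), Pert(50, 150, 600)),
    Scenario("ransomware", Pert(0.2, 0.4, 0.6), Pert(0.1, 0.25, 0.4), Pert(200, 800, 3000)),
    Scenario("ddos", Pert(0.3, 0.5, 0.7), Pert(0.3, 0.5, 0.7), Pert(20, 60, 200)),
    Scenario("insider_misuse", Pert(0.05, 0.1, 0.2), Pert(0.4, 0.6, 0.8), Pert(100, 400, 1500)),
]

def simulate(scenarios, trials=10000, seed=7):
    """Per trial each scenario fires with probability p_threat * p_vuln
    (independence assumed) and then costs a sampled impact.
    Returns (total loss per trial, {scenario name: loss per trial})."""
    rng = random.Random(seed)
    totals, per_scenario = [], {s.name: [] for s in scenarios}
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            p_event = s.p_threat.sample(rng) * s.p_vuln.sample(rng)
            loss = s.impact.sample(rng) if rng.random() < p_event else 0.0
            per_scenario[s.name].append(loss)
            total += loss
        totals.append(total)
    return totals, per_scenario

def loss_exceedance(totals, thresholds):
    """Loss Exceedance Curve: for each threshold, P(total loss > threshold)."""
    return [(t, sum(1 for x in totals if x > t) / len(totals)) for t in thresholds]

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx, syy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def rank_risk_drivers(totals, per_scenario):
    """Sensitivity of overall risk to each scenario: correlation between the
    scenario's loss and the total loss, strongest driver first."""
    corr = {name: pearson(losses, totals) for name, losses in per_scenario.items()}
    return sorted(corr.items(), key=lambda kv: kv[1], reverse=True)

def what_if(scenarios, name, p_vuln_after, trials=10000, seed=7):
    """Expected loss before and after replacing one scenario's vulnerability
    estimate, e.g. once a control makes exploitation less likely."""
    base, _ = simulate(scenarios, trials, seed)
    changed = [Scenario(s.name, s.p_threat, p_vuln_after, s.impact) if s.name == name else s
               for s in scenarios]
    after, _ = simulate(changed, trials, seed)
    return sum(base) / len(base), sum(after) / len(after)

if __name__ == "__main__":
    totals, per_scenario = simulate(SCENARIOS)
    print("expected loss (k$):", round(sum(totals) / len(totals), 1))
    for t, p in loss_exceedance(totals, [0, 250, 500, 1000, 2000]):
        print(f"P(loss > {t:>4}) = {p:.3f}")
    for name, corr in rank_risk_drivers(totals, per_scenario):
        print(f"driver {name:<15} corr={corr:+.2f}")
    before, after = what_if(SCENARIOS, "ransomware", Pert(0.02, 0.05, 0.10))
    print(f"what-if ransomware hardened: {before:.1f} -> {after:.1f}")
```

The exceedance curve is a non-increasing function of the threshold, so a decision-maker reads off the probability of exceeding any loss level of interest; the driver ranking uses the correlation of each scenario's simulated loss with the total loss, so a scenario with rare but very large losses (ransomware in these constructed numbers) outranks a frequent low-impact one, which is the kind of insight the paper's pairwise association is meant to surface. The what-if function keeps the seed fixed so that the before/after difference reflects the changed estimate rather than sampling noise.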
Pages: 466 / 474
Page count: 9
Related papers
50 items in total
  • [1] A new quantitative approach for information security risk assessment
    Asosheh, Abbas
    Dehmoubed, Bijan
    Khani, Amir
    [J]. 2009 2ND IEEE INTERNATIONAL CONFERENCE ON COMPUTER SCIENCE AND INFORMATION TECHNOLOGY, VOL 2, 2009, : 222 - +
  • [2] A new quantitative approach for information security risk assessment
    Asosheh, Abbas
    Dehmoubed, Bijan
    Khani, Amir
    [J]. ISI: 2009 IEEE INTERNATIONAL CONFERENCE ON INTELLIGENCE AND SECURITY INFORMATICS, 2009, : 229 - 229
  • [3] A Quantitative CVSS-Based Cyber Security Risk Assessment Methodology For IT Systems
    Aksu, M. Ugur
    Dilek, M. Hadi
    Tatli, E. Islam
    Bicakci, Kemal
    Dirik, H. Ibrahim
    Demirezen, M. Umut
    Aykir, Tayfun
    [J]. 2017 INTERNATIONAL CARNAHAN CONFERENCE ON SECURITY TECHNOLOGY (ICCST), 2017,
  • [4] Risk Assessment for Cyber Security of Manufacturing Systems: A Game Theory Approach
    Zarreha, Alireza
    Wan, HungDa
    Lee, Looneun
    Saygin, Can
    Al Janahi, Rafid
    [J]. 29TH INTERNATIONAL CONFERENCE ON FLEXIBLE AUTOMATION AND INTELLIGENT MANUFACTURING (FAIM 2019): BEYOND INDUSTRY 4.0: INDUSTRIAL ADVANCES, ENGINEERING EDUCATION AND INTELLIGENT MANUFACTURING, 2019, 38 : 605 - 612
  • [5] A Model-Based Approach for Aviation Cyber Security Risk Assessment
    Kiesling, Tobias
    Niederl, Josef
    Ziegler, Juergen
    Krempel, Matias
    [J]. PROCEEDINGS OF 2016 11TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY, (ARES 2016), 2016, : 517 - 525
  • [6] Risk Assessment Method for Cyber Security of Cyber Physical Systems
    Wu, Wenbo
    Kang, Rui
    Li, Zi
    [J]. PROCEEDINGS OF THE 2015 FIRST INTERNATIONAL CONFERENCE ON RELIABILITY SYSTEMS ENGINEERING 2015 ICRSE, 2015,
  • [7] Quantitative Assessment of Cyber Security Risk using Bayesian Network-based model
    Mo, Sheung Yin Kevin
    Beling, Peter A.
    Crowther, Kenneth G.
    [J]. 2009 IEEE SYSTEMS AND INFORMATION ENGINEERING DESIGN SYMPOSIUM (SIEDS), 2009, : 183 - 187
  • [8] Security Risk Assessment Approach for Distribution Network Cyber Physical Systems Considering Cyber Attack Vulnerabilities
    Zhou, Buxiang
    Sun, Binjie
    Zang, Tianlei
    Cai, Yating
    Wu, Jiale
    Luo, Huan
    [J]. ENTROPY, 2023, 25 (01)
  • [9] Cyber Security Risk Assessment of a DDoS Attack
    Wangen, Gaute
    Shalaginov, Andrii
    Hallstensen, Christoffer
    [J]. INFORMATION SECURITY, (ISC 2016), 2016, 9866 : 183 - 202
  • [10] Cyber security risk assessment in autonomous shipping
    Hasan Mahbub Tusher
    Ziaul Haque Munim
    Theo E. Notteboom
    Tae-Eun Kim
    Salman Nazir
    [J]. Maritime Economics & Logistics, 2022, 24 : 208 - 227