Semantic Risk Assessment for Cybersecurity

Citations: 0
Authors
Aviad, Adiel [1]
Wecel, Krzysztof [1]
Abramowicz, Witold [1]
Affiliation
[1] Poznan Univ Econ, Poznan, Poland
Source
PROCEEDINGS OF THE 13TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY (ICCWS 2018) | 2018
Keywords
cyber security; semantic web technology; risk management; risk assessment; WEB;
DOI
Not available
Chinese Library Classification
TP [Automation technology, computer technology];
Subject classification code
0812;
Abstract
Cybersecurity is in essence a function of risk reduction for the organization. Due to the rapid evolvement and wide diversity of technologies, it is important that risks be managed in a way that is capable of handling much wider and more diversified knowledge while reducing the increasing costs of such effort. There is a variety of methods for risk assessment, but it is common for them to consider threats and improve security by taking countermeasures. Due to constraints of budget and time together with the rapid evolvement of risks (threats), knowledgeable prioritization is important. In this paper we present a semantic approach to the handling of a "fabric of knowledge" in the form of a model and ontology of the cybersecurity body of knowledge. Such a model may serve as a cybersecurity framework, managing the knowledge in a way that enables sharing of the knowledge while bridging terminology gaps and automatic processing of the data. It makes use of machine understanding and automatic reasoning. Several aspects of the cybersecurity body of knowledge are examined, presenting a semantic way of handling them, together with the benefits of handling them semantically. These aspects cover the cybersecurity body of knowledge extensively, culminating in risk assessment based on knowledge that is wider and more up to date while also enabling automatic reasoning. The automatic reasoning may assist in better processing of the vast amount of new knowledge that is constantly added to this body of knowledge. Such reasoning may also be part of the knowledge, and also shared with the rest of the knowledge. This paper proposes a semantic approach for risk management. The CORAS risk assessment and the CVSS risk scoring methods are used to exemplify semantic representation of the risk assessment and scoring sub domains, respectively. A model is presented, and advantages and limitations are discussed.
Pages: 513-520
Page count: 8