Automating the assessment of ICT risk

Baiardi, Fabrizio; Corò, Fabio; Tonelli, Federico; Sgandurra, Daniele

doi:10.1016/j.jisa.2014.04.002

Cited by 23 publications

(5 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This work integrates the results outlined in [1,2] and presents them systematically. Furthermore, it applies the suite tools to assess and manage the ICT risk of two ICSs, each supervising a distinct power generation plant.…”

Section: Introductionmentioning

confidence: 82%

See 1 more Smart Citation

Assessing and managing the information and communication risk of power generation

Baiardi

Tonelli

Guidi

et al. 2015

Computers & Electrical Engineering

View full text Add to dashboard Cite

Keywords:Risk assessment Metric Intelligent agent Model based assessment Monte Carlo method Industrial control system a b s t r a c t We describe a model-based assessment of information and communication technology (ICT) risk that produces statistical samples by simulating the attacks of intelligent agents. To support this assessment, we have developed an integrated set of tools, the Haruspex suite. Some of its tools build the models of the target system and those of the agents that other tools apply to simulate the agent attacks. Further tools analyze the output of the simulation. After outlining the proposed approach and the suite, we describe the assessments of two industrial control systems that supervise, respectively, a thermoelectric generation plan and a hydroelectric one. To simplify the presentation of the output of these assessments, we introduce the security stress, a synthetic measure of how a system resists to attacks.

show abstract

Section: Introductionmentioning

confidence: 82%

“…To this purpose, it classifies v by matching some predefined patterns against the description of v in the Common Vulnerability Enumeration, CVE, database [23], a de facto standard [1]. The class of v determines the attributes of each attack at it enables such as succðatÞ and timeðatÞ.…”

Section: Modeling An Ict Systemmentioning

confidence: 99%

Assessing and managing the information and communication risk of power generation

Baiardi

Tonelli

Guidi

et al. 2015

Computers & Electrical Engineering

View full text Add to dashboard Cite

show abstract

“…A vulnerability is defined as a defect in a component or an erroneous or malicious behavior performed by a user. 6 The Common Vulnerability Scoring System (CVSS) rates all known vulnerabilities in terms of their severity on a scale from 1 to 10; higher scores indicate an increased probability of exploitation. 7 CVSS version 3 scores are assigned using four metrics: the access vector (AV), access complexity (AC), privileges required (PReq), and user interaction (UI).…”

Section: Network Riskmentioning

confidence: 99%

Estimation of cyber network risk using rare event simulation

Krall

Kühl

Yang

2020

Journal of Defense Modeling & Simulation

View full text Add to dashboard Cite

Inherent vulnerabilities in a cyber network’s constituent machine services can be exploited by malicious agents. As a result, the machines on any network are at risk. Security specialists seek to mitigate the risk of intrusion events through network reconfiguration and defense. When dealing with rare cyber events, high-quality risk estimates using standard simulation approaches may be unattainable, or have significant attached uncertainty, even with a large computational simulation budget. To address this issue, an efficient rare event simulation modeling and analysis technique, namely, importance sampling for cyber networks, is developed. The importance sampling method parametrically amplifies certain aspects of the network in order to cause a rare event to happen more frequently. Output collected under these amplified conditions is then scaled back into the context of the original network to provide meaningful statistical inferences. The importance sampling methodology is tailored to cyber network attacks and takes the attacker’s successes and failures as well as the attacker’s targeting choices into account. The methodology is shown to produce estimates of higher quality than standard simulation with greater computational efficiency.

show abstract

“…For instance, [18] Presents Monte Carlo simulation method for evaluating and communicating security investment benefits and to understand technology choices in a financial manner. In [33], the authors describe probabilistic risk assessment to ICT systems, through scenario-based estimation of agent attack plan and risk impact. Then applies Monte Carlo for detailed simulation of threat agents' behaviour to support assessment through statistical evaluation of risk.…”

Section: Related Workmentioning

confidence: 99%

Towards effective cybersecurity resource allocation: the Monte Carlo predictive modelling approach

Fagade

Maraslis

Tryfonas

2017

IJCIS

View full text Add to dashboard Cite

Organisations invest in technical and procedural capabilities to ensure the confidentiality, integrity and availability of information assets and sustain business continuity at all times. However, given growing productive assets and limited protective security budgets, there is a need for deliberate evaluation of information security investment. Optimal resource allocation to security is often affected by intrinsically uncertain variables and associated factors like technical, economical and psychological; therefore, security expenditure is a crucial resource allocation decision. In spite of that, security managers and business owners are often incentivised by different drivers on whether to allocate optimal resources to cyber-specific security protective assets or other business productive assets. Hence, there is a disparity of opinion in resource allocation decisions. We explored how Monte Carlo predictive simulation model can be used within the context of Information Technology to reduce these disparities. Using a conceptual enterprise as a case study and verifiable historical cost of security breaches as parametric values, our model shows why using conventional risk assessment approach as budgeting process can result in significant over/under allocation of resources for cyber capabilities. Our model can serve as a benchmark for policy and decision support to aid stakeholders in optimising resource allocation for cyber security investments.

show abstract

Automating the assessment of ICT risk

Cited by 23 publications

References 32 publications

Assessing and managing the information and communication risk of power generation

Assessing and managing the information and communication risk of power generation

Estimation of cyber network risk using rare event simulation

Towards effective cybersecurity resource allocation: the Monte Carlo predictive modelling approach

Contact Info

Product

Resources

About