Bayesian Decision Network-Based Security Risk Management Framework

Khosravi-Farmad, Masoud; Ghaemi-Bafghi, Abbas

doi:10.1007/s10922-020-09558-5

Cited by 37 publications

(26 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For fixed infrastructure networks, graphical representations, such as attack graphs, are developed to represent the possible attack paths by exploiting the vulnerability relationships. For these reasons, vulnerability analysis techniques based on directed graphs are frequently found in the literature [ 69 ]. However, despite their potential, these analysis techniques have been relegated to vulnerability analysis in computer networks.…”

Section: Related Workmentioning

confidence: 99%

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Longueira-Romero

Iglesias

Flores

et al. 2022

Sensors

View full text Add to dashboard Cite

The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the libssl library. The model was able to determine new requirements and generate test cases from the analysis.

show abstract

Section: Related Workmentioning

confidence: 99%

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Longueira-Romero

Iglesias

Flores

et al. 2022

Sensors

View full text Add to dashboard Cite

show abstract

“…e security risk is a function of the likelihood of the occurrence of a threat event and its potential adverse impact. However, previous studies did not include this type of impact in their frameworks [19,22,23]; they considered only the impacts of single hosts [21] and did not consider relationships among impacts of vulnerability exploitations. is is different from the case of BAGs, which reflect causal relationships among vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

“…Moreover, quantitative assessment most effectively supports cost-benefit analysis of alternative risk responses or courses of action [17]. In particular, in a network environment in which multiple systems are interconnected, graphical security models such as Bayesian attack graphs (BAGs) [18][19][20][21][22][23][24] are suitable for risk assessment. BAGs provide powerful tools that represent information about causal relationships among vulnerabilities while compensating for the drawback of the attack graph (AG), which cannot provide information on vulnerability exploiting probabilities, which is an essential factor for risk assessment [21].…”

Section: Introductionmentioning

confidence: 99%

“…Concerning quantitative risk assessment, methods such as the common vulnerability scoring system (CVSS) [30] were proposed to quantify each type of vulnerability in a standardized way. Most quantitative BAG-based methods use the exploitability metrics of the CVSS to indicate the probability of successful exploitation of vulnerabilities [21]. For this reason, we also propose automated quantitative risk assessment using the exploitable metric of a CVSS based on BAGs.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Consider the Consequences: A Risk Assessment Approach for Industrial Control Systems

Kim

Kwon

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

The development of information and communication technologies extended the application of digitalized industrial control systems (ICSs) to critical infrastructure. With this circumstance, emerging sophisticated cyberattacks by adversaries, including nation-backed terrorists, target ICSs due to their strategic value that critical infrastructure can cause severe consequences to equipment, people, and the environment due to the cyberattacks on ICSs. Therefore, critical infrastructure owners should provide high assurance to those involved, such as neighboring residents and governments, that the facility is adequately protected against cyberattacks. The risk assessment that identifies, estimates, and prioritizes risks is vital to provide high assurance. This study proposes a framework for evaluating risks by quantifying the likelihood of cyber exploitation and the consequences of cyberattacks. The quantification of the likelihood of cyber exploitation is inspired by research on Bayesian attack graphs (BAGs), allowing probability evaluation that considers the causal relationship between ICSs and multistage attacks. For the cyberattack consequences quantification, we propose a methodology to evaluate how far an impact will spread and thus how many functions will be influenced when an ICS is exploited. The methodology is conducted by ICS experts identifying and listing functional dependencies and essential function goals among ICSs that they are already familiar with and do not require in-depth cybersecurity knowledge. Through experiments, we demonstrated how to apply our framework to assess the risks of the plant protection system, which is a safety-grade digital system used in nuclear power plants. The result shows that risk can be multidimensionally assessed than previous literature, such as discovering that components that were not considered important have high risk due to their functional connectivity.

show abstract

“…The quantitative approaches tend to narrow down the scope of the studies to the cyber risk assessment. A Bayesian decision network (BDN) was applied to a framework for network security risk management [56]. The framework consists of several essential processes: risk assessment, risk mitigation, and risk validation and monitoring, which should be done accurately to improve the security level of a network.…”

Section: Quantitative Approaches To Cybersecurity Risk Managementmentioning

confidence: 99%

Internet of Things (IoT) Cybersecurity: Literature Review and IoT Cyber Risk Management

Lee

2020

Future Internet

148

View full text Add to dashboard Cite

Along with the growing threat of cyberattacks, cybersecurity has become one of the most important areas of the Internet of Things (IoT). The purpose of IoT cybersecurity is to reduce cybersecurity risk for organizations and users through the protection of IoT assets and privacy. New cybersecurity technologies and tools provide potential for better IoT security management. However, there is a lack of effective IoT cyber risk management frameworks for managers. This paper reviews IoT cybersecurity technologies and cyber risk management frameworks. Then, this paper presents a four-layer IoT cyber risk management framework. This paper also applies a linear programming method for the allocation of financial resources to multiple IoT cybersecurity projects. An illustration is provided as a proof of concept.

show abstract

Bayesian Decision Network-Based Security Risk Management Framework

Cited by 37 publications

References 32 publications

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics

Consider the Consequences: A Risk Assessment Approach for Industrial Control Systems

Internet of Things (IoT) Cybersecurity: Literature Review and IoT Cyber Risk Management

Contact Info

Product

Resources

About