Mission-Based Analysis for Assessing Cyber Risk in Critical Infrastructure Systems

Llansó, Thomas; Tally, G.; Silberglitt, Michael; Anderson, Tara

doi:10.1007/978-3-642-45330-4_14

Cited by 11 publications

(6 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In CyMRisk, after an initial SME preparatory step, the rest of the steps occur in an automated fashion. We briefly summarize the approach here; see [2], [3] for details. To seed the process, SMEs consider the different types of cyber nodes in a target architecture.…”

Section: Loe Scoring Approachmentioning

confidence: 99%

See 1 more Smart Citation

CyMRisk: An approach for computing mission risk due to cyber attacks

Llansó

Klatt

2014

2014 IEEE International Systems Conference Proceedings

Self Cite

View full text Add to dashboard Cite

This paper provides an overview of CyMRisk, an experimental architecture for computing mission risk due to cyber attack. In its current form, the approach employs a simulation of key aspects of a target business/mission process as well as attacker behavior to estimate mission impact due to cyber attacks. In addition, CyMRisk estimates worst case attacker level of effort associated with carrying out such attacks.

show abstract

Section: Loe Scoring Approachmentioning

confidence: 99%

“…To motivate the rationale for CyMRisk, we begin by introducing an example of a mission-cyber risk analysis methodology that could leverage CyMRisk called Mission Information Risk Analysis (MIRA) [2], [3]. One can regard MIRA as an instance of the risk framework developed by the National Standards of Standards and Technology (NIST) [4].…”

Section: Introductionmentioning

confidence: 99%

CyMRisk: An approach for computing mission risk due to cyber attacks

Llansó

Klatt

2014

2014 IEEE International Systems Conference Proceedings

Self Cite

View full text Add to dashboard Cite

show abstract

“…We therefore suggest caution in interpreting results from such assessments because the number of unknown vulnerabilities in large-scale software tends to exceed known vulnerabilities, and we furthermore suggest risk assessment methodologies should consider both known and unknown vulnerabilities, something not commonly done today, though there are exceptions. For example, as part of the risk analysis process, MIRA [30] hypothesizes the existence of latent vulnerabilities and analyzes their potential effects. The findings also support the concept that mission resilience to cyber attack should be nurtured and explored, as preventioncentric mitigation strategies are inherently disadvantaged given that latent vulnerabilities lie in wait for adversaries.…”

Section: A Conclusionmentioning

confidence: 99%

Estimating Software Vulnerability Counts in the Context of Cyber Risk Assessments

Llansó¹,

McNeil²

2018

Proceedings of the 51st Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

Abstract-Stakeholders often conduct cyber risk assessments as a first step towards understanding and managing their risks due to cyber use. Many risk assessment methods in use today include some form of vulnerability analysis. Building on prior research and combining data from several sources, this paper develops and applies a metric to estimate the proportion of latent vulnerabilities to total vulnerabilities in a software system and applies the metric to five scenarios involving software on the scale of operating systems. The findings suggest caution in interpreting the results of cyber risk methodologies that depend on enumerating known software vulnerabilities because the number of unknown vulnerabilities in large-scale software tends to exceed known vulnerabilities.

show abstract

“…Wheat and rice alone account for almost half of the world's serial production. The third example relates to technical infrastructure (Kröger, 2008;Llanso, 2013) 13 . Human activities have become more and more interconnected and mutually dependent.…”

Section: Type 1: System Breakdown Risks (Including Cyber-risks)mentioning

confidence: 99%

Emerging Risks: Methodology, Classification and Policy Implications

Renn¹

2014

JRACR

View full text Add to dashboard Cite

Good risk governance seems to rest on the three components: knowledge, legally prescribed procedures and social values. All three components are of particular importance for assessing and managing emerging risks, which are characterized by a lack of knowledge about the likelihood and magnitude of potential positive and negative consequences. This paper reports first about a protocol of how to govern emerging risks and then analyses the patterns of risks that would fall under the emerging risk category. Six patterns were identified: system breakdown risks, amplifier risks, highly volatile and pervasive risks, psychosomatic risks, social risks, and knowledge management risks. For each of these risk patterns, the main characteristics and the policy implications are described and analyzed.

show abstract

Mission-Based Analysis for Assessing Cyber Risk in Critical Infrastructure Systems

Cited by 11 publications

References 7 publications

CyMRisk: An approach for computing mission risk due to cyber attacks

CyMRisk: An approach for computing mission risk due to cyber attacks

Estimating Software Vulnerability Counts in the Context of Cyber Risk Assessments

Emerging Risks: Methodology, Classification and Policy Implications

Contact Info

Product

Resources

About