Consulting the Oracle at Delphi - Combining Risk I and Risk in cyber security

Cyber risk logics and their implications for cybersecurity

International Affairs, 2024

Cybersecurity in national and international security is frequently discussed in an existential register. However, most cybersecurity activities are normal and routine, including diverse practices of cyber risk management. The intricacies of cyber risk and its connection to security and threat politics have received surprisingly little attention in the cyber politics literature. This article addresses this gap through a twofold theoretical proposition. The first argues that cyber risk in policy and practice inhabits a continuum between 'classical' risk and security postures. The second proposes the existence of multiple risk logics located in different positions on this continuum. To illustrate this, we outline two distinct cyber risk logics-'risk as potential threats' and 'risk as uncertainty'. Through an exploratory case study of UK risk policy and guidance, we find indications of the simultaneous existence of these risk logics, including in specific organisational contexts. We propose that 'risk as potential threats', in particular, acts as a 'bridge' between conventional risk and security. We conclude by discussing how differentiating cyber risk logics facilitates a finer-grained appreciation of cybersecurity policy and practice and provides opportunities for disciplinary engagement with the organisational and institutional politics of cybersecurity and 'the international'.

Methodological Recommendations for the Cyber Risks Management

2021

The complexity of the task of identifying cyber risks, as well as their components (threats and vulnerabilities), depends on the requirements for the level of detail mentioned. At the basic level (third level of organization maturity), there are generally no specific requirements for detailing, and it is sufficient to use the standard list of cyber risk classes. At the same time, the amount of risk assessment is not considered, which is acceptable for some types of basic-level techniques. For example, the German BSI Standard contains a catalog of typical cyber threats for component-information infrastructure. The advantage of such lists is their acceptable level of completeness: the classes are usually few (a dozen), they are quite wide and consciously cover all existing sets of cyber risks. The disadvantage is the difficulty in assessing the cyber risk level and the effectiveness of countermeasures for a wide class, since it is more convenient to make settlements of the narrower (specific) risk c...

Modeling cybersecurity risks: Proof of concept of a holistic approach for integrated risk quantification

2016 IEEE Symposium on Technologies for Homeland Security (HST), 2016

Decision-making in cyber-security is mostly ad-hoc and highly reliant on static policies, as well as human intervention. This does not fit current networks/systems, as they are highly dynamic systems where security assessments have to be performed, and decisions have to be made, automatically and in real-time. To address this problem, we propose a risk-based approach to cybersecurity decision-making. In our model, the system undergoes a continuous security risk assessment based on risk; decisions for each action are taken based on constructing a sequence of alternative actions and weighing the cost-benefit trade-offs for each alternative. We demonstrate the utility of our system on a concrete example involving protecting an SQL server from SQL injection attacks. We also discuss the challenges associated with implementing our model.

Risk and the Five Hard Problems of Cybersecurity

Risk Analysis, 2019

This perspectives article addresses risk in cyber defense and identifies opportunities to incorporate risk analysis principles into the cybersecurity field. The Science of Security (SoS) initiative at the National Security Agency seeks to further and promote interdisciplinary research in cybersecurity. SoS organizes its research into the Five Hard Problems (5HP): (1) scalability and composability; (2) policy-governed secure collaboration; (3) security-metrics-driven evaluation, design, development, and deployment; (4) resilient architectures; and (5) understanding and accounting for human behavior. However, a vast majority of the research sponsored by SoS does not consider risk, and when it does so, only implicitly. Therefore, we identify opportunities for risk analysis in each hard problem and propose approaches to address these objectives. Such collaborations between risk and cybersecurity researchers will enable growth and insight in both fields, as risk analysts may apply existing methodology in a new realm, while the cybersecurity community benefits from accepted practices for describing, quantifying, working with, and mitigating risk.

Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk

International Journal of Computer Applications, 2014

Risk management methodologies, such as Mehari, Ebios, CRAMM and SP 800-30 (NIST), use a common step based on threat, vulnerability and probability, which are typically evaluated intuitively using verbal hazard scales such as low, medium, high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probability, or indeed, to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, criteria used to determine an asset's value, exposure, frequency and existing protection measures.

A formal qualitative risk management approach for IT security

2015 Information Security for South Africa (ISSA), 2015

Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of risk, some known and some unknown. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations employ to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is that IT security risk management is often left to technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. Employing a formal risk-based approach in managing IT security risk assists in ensuring that risks that matter to an organisation are accounted for and, as a result, receive the correct level of attention. Defining an approach for how IT security risk is managed should be seen as a fundamental task, which is the basis of this research. The objective of this paper is to propose an approach for identifying, assessing and treating IT security risk which incorporates a robust risk analysis and assessment process. The risk analysis process aims to make use of a comprehensive IT security risk universe which caters for the complex and dynamic nature of IT security. The research will contribute to the field of IT security by using a consolidated approach that utilises coherent characteristics of the available qualitative risk management frameworks to provide a stronger approach that will enable organisations to treat IT security risk better.

Towards an integrated risk analysis security framework according to a systematic analysis of existing proposals

Frontiers of Computer Science

The information society depends increasingly on risk assessment and management systems as means to adequately protect its key information assets. The availability of these systems is now vital for the protection and evolution of companies. However, several factors have led to an increasing need for more accurate risk analysis approaches. These are: the speed at which technologies evolve, their global impact and the growing requirement for companies to collaborate. Risk analysis processes must consequently adapt to these new circumstances and new technological paradigms. The objective of this paper is, therefore, to present the results of an exhaustive analysis of the techniques and methods offered by the scientific community with the aim of identifying their main weaknesses and providing a new risk assessment and management process. This analysis was carried out using the systematic review protocol and found that these proposals do not fully meet these new needs. The paper also pres...

A Hybrid Model for Information Security Risk Assessment

International Journal of Advanced Trends in Computer Science and Engineering, 2019

Many industry standards and methodologies have been introduced which have brought forth the management of threat assessment and risk management of information assets in a systematic manner. This paper will review and analyze the main processes followed in IT risk management frameworks from the perspective of the threat analysis process, using a threat modeling methodology. In this study, the authors propose a new assessment model which shows that systematic threat analysis is an essential element to be considered as an integrated process within IT risk management frameworks. The newly proposed model complements and fills the gap in the practice of assessing information security risks.

Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma

This paper presents the main security risk assessment methodologies used in information technology. The author starts from and research, bringing real-world examples to underline the limitations of the two risk assessment models. After a critical review of standards that reveals a lack of rigour, a practical comparison of the quantitative information security risk assessment models with the qualitative models shows that we can introduce two new factors which have an impact on risk assessment: the time constraint and the moral hazard of the analyst. Information technology managers know that in information systems long-term security is an ideal situation and that the financial impact of poor information security policies, procedures and standards is in most cases very difficult to calculate. These calculations will rarely be accurate, universal and ready for use by any security analyst.