Project Synoptic Dynamic Risk Assessment for Critical Infrastructures under Attack Blondel Seumo (original) (raw)
Related papers
Dynamic Risk Assessment for Critical Infrastructures under Attack
Dynamic Risk Assessment for Critical Infrastructures under Attack, 2021
The present study has shed light upon the cyber risks associated with business management. The study has analyzed that with increasing digitalization and advancements in technology, the risks of cybersecurity are increasing as well. The study with a positivism philosophy, descriptive design has catered for providing recommendations by analyzing the situation with a questionnaire as a method of the study. Recent cyberattacks on critical infrastructure systems coupled with the technology-induced complexity of the system of systems have necessitated a review of existing methods of assessing critical systems security risk exposure. The question is: Do existing security risk assessment methods adequately address the threats of modern critical infrastructure systems? Having examined six existing assessment frameworks, we argue, the complexities associated with modern critical infrastructure systems make existing methods insufficient to assess systems security risks exposure. From the systems dynamics perspective, this project proposes a dynamic modeling approach as an alternative.
BLONDEL SEUMO - PhD Thesis (Dynamic Risk Assessment for Critical Infrastructures under Attack)
Dynamic Risk Assessment for Critical Infrastructures under Attack, 2021
Concerns in regards to enterprises are cyber security threats and their associated problems. Kostayeva and Chemyakov (2020) stated that digitalization and breathtaking techniques had escalated these cyber-related risks. As time progresses, commercial enterprises become cognizant and take action against cyber risk. For this reason, they are finding strategies to cope with management and data safeguard. Fundament challenge in business being encountered is appropriate and adequate data from online crooks. It has been observed that efficient risk evaluation strategies are the foundation for a prosperous security program concerning Critical frameworks. This statement is endorsed by a considerable amount of methodologies associated with evaluating risk for critical Infrastructure. Evaluation of threat provides a vital role for threat recognition, estimation of susceptibilities, resources influence estimation, and effect on infrastructures with the intent to investigate the possibility of the threat exists.
2017
However, the cyberspace and its core components are exposed to numerous risks, and since these complex systems are rapidly evolving, there is a constant threat of exploitable vulnerabilities. One or several of these vulnerabilities can be exploited by attackers to hack into the computer systems of an organization, thus allowing them to read, steal, disclose or delete critical information up to take full control of physical assets. These numerous vulnerabilities, coupled with the fact that awareness of this situation is not yet well established at all levels of society, meaning that the cyber threats can become an extremely important issue for organizations, which could lead to financial and reputational impacts.
Analyzing the Cyber Risk in Critical Infrastructures
Issues on Risk Analysis for Critical Infrastructure Protection [Working Title]
Information and communication technology (ICT) plays an important role in critical infrastructures (CIs). Some ICT-based services are in itself critical for the functioning of society while other ICT elements are essential for the functioning of critical processes within CIs. Moreover, many critical processes within CIs are monitored and controlled by industrial control systems (ICS) also referred to as operational technology (OT). In line with the CI-concept, the concept of critical information infrastructure (CII) is introduced comprising both ICT and OT. It is shown that CIIs extend beyond the classical set of CIs. The risk to society due to inadvertent and deliberate CI/CII disruptions has increased due to the interrelation, complexity, and dependencies of CIs and CIIs. The cyber risk due to threats to and vulnerabilities of ICT and OT is outlined. Methods to analyze the cyber risk to CI and CII are discussed at both the organization, national, and the service chain levels. Cybe...
Security Risk Management for Critical Infrastructures
ItAIS 2011, 2011
This paper presents a methodology for risk management developed and used mainly for critical infrastructures, but that can be generalized and used in other contexts. It outlines security risk assessment including identifying processes, resources / assets, threats and vulnerabilities, impacts and likelihood of failures. The methodology primary focus is the analysis of business impacts and the quantification of the different risks, together with the identification of priority intervention areas, in order to eliminate, reduce, transfer or assume calculated risks, finding the right balance between the investment (resources, money etc.) and the acceptable level / threshold of risk. The paper, based on theoretical background and on practical experiences and results achieved in real organizations that operate on global level, presents critical infrastructure characteristics, the risk management process, security goals and standards and an integrated methodology for risk management applied to critical infrastructures. Some applications cases and results obtained are shortly described, disguised for strong confidentiality issues.
International Journal of Information Management, 2008
This paper proposes a new approach for assessing the organization's vulnerability to information-security breaches. Although much research has been done on qualitative approaches, the literature on numerical approaches to quantify information-security risk is scarce. This paper suggests a method to quantify risk in terms of a numeric value or "degree of cybersecurity". To help quantitatively measure the level of cybersecurity for a computer-based information system, we present two indices, the threat-impact index and the cyber-vulnerability index, based on vulnerability trees. By calculating and comparing the indices for various possible security enhancements, managers can select the best security enhancement choice, prioritize the choices by their relative effectiveness, and statistically justify spending resources on the selected choice. By qualifying information security quantitatively, the method can also help managers establish a specific target of security level that they can track.
Critical Infrastructure Protection requires the prioritization of critical assets and the evaluation of the criticality of infrastructures. However, criticality analysis is not yet standardized. In this paper we examine the relation between security risk and criticality. We analyze the similarities and differences in terms of scope, aims, impacts, threats and vulnerabilities and we suggest how existing risk analysis can be applied when examining Critical Infrastructures. Based on the identified relation between risk and criticality, we propose a generic risk-based Criticality Analysis methodology. We place key emphasis on the definition of examined impact types, which are social-centric and/or sector-centric, in contrast to traditional risk analysis methodologies that mainly examine organization-centric impacts. We propose a detailed list of impact criteria in order to assess the criticality level of an infrastructure.
Vulnerability analysis in critical infrastructures: A methodology
2019
Vulnerability assessment is a crucial aspect for the development of methodologies to define the levels of protection in critical infrastructures. Throughout this research, we discussed the concept of vulnerability and methodologies and processes for its assessment in critical infrastructures due to a terrorist threat. The research focused on the development of an analysis model, exploring a multi-criteria decision method, in order to limit the risks to the maximum extent possible. Through a qualitative research methodology, in which we applied an analysis model based on the Threat and Infrastructure dimensions and their respective factors, we verified that the vulnerability of a critical infrastructure consists in the probability of the success of an attack, conducted by a threat - properly identifi ed, characterised, analysed and categorised - against an infrastructure with certain characteristics, which value is defi ned by the user and aggressor’s point of view. The construction of an algorithmic model for vulnerability assessment, complemented by tools to support the calculations and records, allows, through a rational, scientific and algebraic process, a qualitative analysis of factors to be transformed into measurable and quantifi able values, whose algebraic operation integrates them into a final result that expresses, as a percentage, the degree of vulnerability of a critical infrastructure facing a terrorist threat.
A Hybrid Model for Information Security Risk Assessment
International Journal of Advanced Trends in Computer Science and Engineering, 2019
Many industry standards and methodologies were introduced which has brought forth the management of threats assessment and risk management of information assets in a systematic manner. This paper will review and analyze the main processes followed in IT risk management frameworks from the perspective of the threat analysis process using a threat modeling methodology. In this study, the authors propose a new assessment model which shows that systematic threat analysis is an essential element to be considered as an integrated process within IT risk management frameworks. The new proposed model complements and fulfills the gap in the practice of assessing information security risks.
Dynamic Security Risk Management Considering Systems Structural and Probabilistic Attributes
Journal of Computer and Knowledge Engineering, 2023
Today's cyber-attacks are getting more sophisticated and their volume is consistently growing. Organizations suffer from various attacks in their lifetime each of which exploiting different vulnerabilities, therefore, preventing them all is not affordable nor effective. Hence, selecting the optimal set of security countermeasures to protect IT assets from being compromised is a challenging task which requires various considerations such as vulnerabilities characteristics, countermeasures effectiveness, existing security policies and budget limitations. In this paper, a dynamic security risk management framework is presented which identifies the optimal risk mitigation plans for preventing ongoing cyber-attacks regarding limited budget. Structural and probabilistic analysis of system model are conducted in two parallel and independent aspects in which the most probable system's risk hotspots are identified. Suitability of countermeasures are also calculated based on their ability in covering vulnerabilities and organizational security policies. Moreover, a novel algorithm for dynamically conducting cost-benefit analysis is proposed which identifies optimal security risk mitigation plans. Finally, practical applicability is ensured by using a case study.