CYSM Risk Assessment Methodology Co-funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme.

Presentation transcript:

CYSM Risk Assessment Methodology. Co-funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme of the European Union. 2nd Steering Committee Meeting, Athens, Greece, 29th May 2014. Spyros Papastergiou, University of Piraeus Research Centre.

Target Group
The CYSM Risk Assessment Methodology is oriented:
– to cover the security and safety requirements of the demanding sector of commercial ports,
– to assess all the physical and cyber facilities required for the robust and uninterruptible operation of ports:
  physical facilities such as buildings, platforms, gates, marinas, data centers;
  cyber facilities such as networks, equipment, satellites, servers, relay stations, tributary stations, information, etc.

CYSM Risk Assessment Methodology Requirements
The CYSM Risk Assessment Methodology should satisfy the following:
– Compatible with standards (e.g. ISO 27001 and the ISPS Code)
– Multi-scope analytic: able to perform risk analysis using different scopes
– Collaborative: ensures collaboration among all port users
– Broad analytic: analyses sectoral, interconnected and interdependent threats
– Time and resource economical: avoids the plethora of questionnaires and frustrating interviews with all participants
– Accurate: derives accurate results
– Good functional requirements: needs to be clear for all actors involved, precise, and measurable
– Easy to implement
– Well documented: all steps of the methodology can be documented in a clear format with clear outcomes for each step
– Responsibility centric: the methodology has to be oriented to users' roles

General Approach of CYSM Methodology

Facility Cartography (Phase 1)

Step 1: Identification of the organizational structure.
Step 2: Classification of the employees based on their positions.
Step 3: Definition of the Risk Assessment boundary: selection of the physical and/or ICT port facilities that will be evaluated.
Step 4: Identification and categorization of the evaluated assets.
Step 5: Identification of the correlations between the assets (e.g. correlation between network and software assets, hardware and information assets, etc.).
Step 6: Identification of the controls applied to each asset.

Impact Assessment (Phase 2)

All assets are evaluated according to:
– seven Impact Criteria,
– various Scenarios such as:
  Financial Losses (Direct Financial Consequences, Indirect and Long-term Financial Consequences)
  Legal Consequences (Privacy Issues, Sensitive and Personal Data, Commercial Data, Competition Related Issues, Justice Issues, Private Agreements Issues, Non-Disclosure Agreement Issues, Intellectual Property Copyright Issues)
  Reputation Consequences (Public Confidentiality Issues regarding the Organization, Confidentiality Issues regarding Suppliers and Shareholders for the Organization …

Personal Impact Assessment: Each user evaluates the assets based on the impact that the asset will suffer if an incident occurs. The value for each criterion is the maximum value over all scenarios for that criterion. The impact value of a specific asset for each participant is the maximum value over all criteria for that asset.
Overall Impact Assessment: The impact value of a specific asset derived from each department is calculated. The final impact of a specific asset is the maximum value over all departments.

Threat Analysis (Phase 3): Estimation of the likelihood of occurrence of each threat.

Identification of threats for each asset category
– A list of threats is formulated taking into account:
  Internal experience from incidents and past threat assessments
  Threat catalogues available from industry/standardization bodies, national governments, legal bodies, etc.
– The identified threats are grouped into various categories:
  Physical Threats (e.g. Earthquake, Flood, Hurricane, Lightning)
  Technological Threats (e.g. Hardware Malfunction)
  Environmental Threats (e.g. Pollution, Chemicals)
  Human Threats (e.g. Network Attacks, Virus Attack, Unauthorized Access)
  Organized or Deliberate Attack (e.g. Terrorist Attack - Explosive Mechanism, Sabotage, Arson)
  Threats Lesion Data (e.g. Malicious Data Corruption, Unauthorized Access to Data)

Personal Threat Assessment: Each user evaluates the threats of each asset.
Overall Threat Assessment: The likelihood of occurrence of each threat to a specific asset derived from each department is calculated. The final likelihood of occurrence of each threat to a specific asset is the maximum value over all departments.

Vulnerability Analysis (Phase 4): Estimation of the level of exploitation of a vulnerability by a threat, taking into account the applied controls.

Identification of the vulnerabilities associated with the defined threats
– A list of vulnerabilities is formulated taking into account:
  Internal experience
  Previous audit controls
  Penetration tests
  Vulnerability catalogues available from industry/standardization bodies, national governments, legal bodies, etc.

Personal Vulnerability Assessment: Each user evaluates the vulnerabilities of each asset according to the correlated threats.
Overall Vulnerability Assessment: The level of exploitation of a vulnerability by a threat derived from each department is calculated. The final level of exploitation of a vulnerability by a threat is then derived from all departments.

Risk Determination (Phase 5): Calculation of the Risk value (R) of each asset.

Risk Mitigation (Phase 6): Proposal of a list of countermeasures that need to be implemented in order to minimize the identified risks.

Case Study
CYSM usage case: A port adopts the proposed CYSM methodology in order to assess the gaps and weaknesses of the underlying infrastructure, to measure the efficiency of its applied countermeasures and to evaluate the corresponding risks. The port consists of three departments (Department 1, 2 and 3, with weights 2, 3 and 5 respectively) and each department has three employees (Unit Manager (weight 5), senior officer (weight 3) and junior officer (weight 2)).
Scenario 1 – The Unit Manager of the department with the maximum weight (Department 3) answered differently from all the other participants.
Scenario 2 – All departments' Unit Managers gave the same answers, but different ones from the employees of their departments.
Scenario 3 – The Unit Manager and the employees of the department with the maximum weight (Department 3) answered differently from all the other participants.
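The aggregation rules from the Impact and Threat Assessment slides (max over scenarios, then over criteria, then over departments) applied to Scenario 1 of the case study, as an added example that is not part of the original deck. The 1-5 scores are constructed; the employee weights are the case study's; the weighted mean inside a department is an assumption, since the slides only say the department value "is calculated", and the department weights are not consumed by the slides' max-over-departments rule, so they are left out.

```python
from typing import Dict, List, Tuple

# Constructed 1-5 scores: criterion -> scenario -> value (a subset of the deck's seven criteria).
Scores = Dict[str, Dict[str, int]]
BASELINE: Scores = {
    "financial": {"direct": 2, "indirect_long_term": 1},
    "legal": {"privacy": 2, "commercial_data": 1},
    "reputation": {"public_confidence": 1},
}
OUTLIER: Scores = {
    "financial": {"direct": 5, "indirect_long_term": 3},
    "legal": {"privacy": 2, "commercial_data": 1},
    "reputation": {"public_confidence": 4},
}
# Employee weights from the case study: Unit Manager 5, senior officer 3, junior officer 2.
EMPLOYEE_WEIGHTS = [5, 3, 2]


def personal_impact(scores: Scores) -> int:
    """Slide rule: per criterion take the max over scenarios, then the max over criteria."""
    return max(max(scenarios.values()) for scenarios in scores.values())


def department_value(rated: List[Tuple[int, int]]) -> float:
    """Assumed rule: weighted mean of the (weight, value) pairs of one department's staff.
    The deck only says the department value 'is calculated', so this is an assumption."""
    total = sum(w for w, _ in rated)
    return sum(w * v for w, v in rated) / total


def overall_max(per_department: Dict[str, float]) -> float:
    """Slide rule for both impact and threat likelihood: maximum over departments."""
    return max(per_department.values())


def scenario_1() -> float:
    """Case-study Scenario 1: only Department 3's Unit Manager answers differently."""
    departments: Dict[str, float] = {}
    for name in ("Department 1", "Department 2", "Department 3"):
        rated = []
        for idx, weight in enumerate(EMPLOYEE_WEIGHTS):
            is_outlier = name == "Department 3" and idx == 0  # index 0 is the Unit Manager
            rated.append((weight, personal_impact(OUTLIER if is_outlier else BASELINE)))
        departments[name] = department_value(rated)
    return overall_max(departments)


if __name__ == "__main__":
    print(scenario_1())  # 3.5: Departments 1 and 2 stay at 2.0, Department 3 rises to 3.5
```

Swapping the weighted mean for a plain max inside the department would let the single outlier push the final value to 5, which is the sensitivity the case study's observations are about.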

Observations
Based on the above scenarios:
– the method is able to capture the opinions, experience and expertise of the employees engaged in the risk assessment process and produce solid results;
– the method is made resistant against outliers and model deviations by robust estimation of the risks;
– the method is not affected by the number of participants;
– the produced results are robust to variations in model parameters;
– the reliability of the results is indicated by the observation that the experience and expertise of the participants are taken into consideration.

Thank you very much. Spyros Papastergiou. Co-funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme of the European Union.