Presentation is loading. Please wait.

Presentation is loading. Please wait.

An adversarial risk analysis framework for cybersecurity

Published byQuentin Chevalier Modified over 6 years ago

Similar presentations

Presentation on theme: "An adversarial risk analysis framework for cybersecurity"— Presentation transcript:

1 An adversarial risk analysis framework for cybersecurity
D. Ríos Insua1, A. Couce Vieira1, J.A. Rubio2, W. Pieters3, K. Labunets3, D. Garcia Rasines4, K. Musaraj5, P. Briggs6 1ICMAT-CSIC, 2U. Complutense de Madrid, 3Delft TU, 4Imperial College, 5AXA Tech. Serv., 6Northumbria University Part of the H2020 project CYBECO on supporting cyber insurance from a behavioural choice perspective

2 Challenges/Objectives
Overcome risk matrices as risk calculation tool Analyse adversarial cybersecurity threats Include cyber insurance in risk analysis modelling Include decision-maker’s preferences and risk attitudes Facilitate informed decision-making in cybersecurity Implement it as software An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

3 Risk analysis model template ARA defend-attack model
An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

4 Risk analysis framework
Definition of the risk analysis scope – e.g., document management SME, its online e service and for 1 year. Identification of risk components Organisation assets at risk – e.g. facilities, computer equipment, market share Non-targeted threats – e.g., fire and computer virus Targeted threats (targeted to attack us) – e.g., DDoS attack from a competitor Other uncertainties affecting risk relevant to the organisation – e.g., duration of DDoS Security controls – e.g., anti-fire system, DDoS protection system Cyber insurance products – e.g., traditional, cyber, comprehensive Impacts over the organisation’s assets and interests – e.g., over facilities, market share Impacts over the targeted threats – e.g., being detected Preferences and risk attitudes of the organisation Preferences and risk attitudes of the targeted threats – eg the competitor An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

5 Risk analysis framework
Problem structuring with our risk analysis model An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

6 Risk analysis framework
Problem solving – to solve it first we solve the attacker part, then the defender part. Defender i.e., the organisation Attacker i.e. the competitor An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

7 Risk analysis framework
Problem solving Assess the organisation’s non-strategic beliefs and preferences Modelling the defender problem with the support of data and expert judgement. All nodes, except those that correspond to an attacker decision Assess the random beliefs and preferences of the adv. threat Modelling and simulating the attacker problem to forecast its actions and obtain the probability distribution that we will use to complete the defender model. Solve the organisation’s problem This involves the construction of algorithms and its software implementation An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

8 Risk analysis framework
Implemented in R -- for calculation CYBECO toolbox -- for displaying the results An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

9 CYBECO Toolbox An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

10 CYBECO Toolbox An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

11 Risk analysis framework
Implementing the previous procedure we are able to calculate: Best security control and insurance portfolio Overall probability of different events Expected impacts given the different probabilities Further analysis are possible: sensitivity analysis, constraints, return on security investment, … An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

12 Current/future work around the ARA framework
Doing a model for a complete risk analysis case study in CYBECO Computational enhancements: Generalised interactions (ie, not only defend-attack cases) Augmented probability simulation (ie, faster optimisation) Other general risk problems: Insurance company on whether to grant cyber insurance to company Insurance company deciding their reinsurance portfolio [for cyber] Preference modelling: Cybersecurity risk management objectives (trees of objectives > attributes that measures them > utility functions) Cyber attacker objectives An adversarial risk analysis framework for cybersecurity SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018

13 CSIRA: A method for analysing the risk of cybersecurity incidents
Thank you!

Download ppt "An adversarial risk analysis framework for cybersecurity"

Similar presentations

1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.

1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.
Khammar Mrabit Director Office of Nuclear Security

Khammar Mrabit Director Office of Nuclear Security
Control and Accounting Information Systems

Control and Accounting Information Systems
Own Risk & Solvency Assessment (ORSA): The heart of Risk & Capital Management John Spencer Director, Ultimate Risk Solutions.

Own Risk & Solvency Assessment (ORSA): The heart of Risk & Capital Management John Spencer Director, Ultimate Risk Solutions.
Engineering Economic Analysis Canadian Edition

Engineering Economic Analysis Canadian Edition
The Rational Decision-Making Process

The Rational Decision-Making Process
Generalised Mean Variance Analysis and Robust Portfolio Construction February 2006 Steve Wright Tel 44 20 7568 1874.

Generalised Mean Variance Analysis and Robust Portfolio Construction February 2006 Steve Wright Tel
Company Enterprise Risk Management & Stress Testing Case Study.

Company Enterprise Risk Management & Stress Testing Case Study.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
The Information Systems Audit Process

The Information Systems Audit Process
System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan. 1999 - System Engineering Hierarchy - System Modeling - Information.

System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan System Engineering Hierarchy - System Modeling - Information.
Risk Assessment Frameworks

Risk Assessment Frameworks
A project under the 7th Framework Programme CPS Workshop Stockholm 12/04/2010 Gunnar Björkman Project Coordinator A Security Project for the Protection.

A project under the 7th Framework Programme CPS Workshop Stockholm 12/04/2010 Gunnar Björkman Project Coordinator A Security Project for the Protection.
MODULE 4 MARKETING STRATEGY A2 Marketing and Accounting and Finance Marketing Decision-making.

MODULE 4 MARKETING STRATEGY A2 Marketing and Accounting and Finance Marketing Decision-making.
Quantifying Disaster Risk and optimizing investment Sujit Mohanty UNISDR – Asia Pacific Protecting development gains: A path towards resilience.

Quantifying Disaster Risk and optimizing investment Sujit Mohanty UNISDR – Asia Pacific Protecting development gains: A path towards resilience.
HIT241 - RISK MANAGEMENT Introduction

HIT241 - RISK MANAGEMENT Introduction
BSBPMG508A Manage Project Risk 11.4 Perform Quantitative Risk Analysis Adapted from PMBOK 4 th Edition InitiationPlanning ExecutionClose Monitor Control.

BSBPMG508A Manage Project Risk 11.4 Perform Quantitative Risk Analysis Adapted from PMBOK 4 th Edition InitiationPlanning ExecutionClose Monitor Control.
MANAGEMENT STRATEGY ELABORATION JAVA TOOL Edward Pogossian Academy of Sciences of Armenia, IPIA State Engineering University of Armenia.

MANAGEMENT STRATEGY ELABORATION JAVA TOOL Edward Pogossian Academy of Sciences of Armenia, IPIA State Engineering University of Armenia.
Managing Information Systems Enhancing Management Decision Making Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Enhancing Management Decision Making Part 2 Dr. Stephania Loizidou Himona ACSC 345.
16.5.20021 VTT-STUK assessment method for safety evaluation of safety-critical computer based systems - application in BE-SECBS project.

VTT-STUK assessment method for safety evaluation of safety-critical computer based systems - application in BE-SECBS project.

Similar presentations

Ads by Google