2019
DOI: 10.1155/2019/6716918

A Data-Driven Approach to Cyber Risk Assessment

Abstract: Cyber risk assessment requires defined and objective methodologies; otherwise, its results cannot be considered reliable. The lack of quantitative data can be dangerous: if the assessment is entirely qualitative, subjectivity will loom large in the process. Too much subjectivity in the risk assessment process can weaken the credibility of the assessment results and compromise risk management programs. On the other hand, obtaining a sufficiently large amount of quantitative data allowing reliable extrapolations…

Cited by 12 publications (20 citation statements)
References 13 publications (18 reference statements)
“…In the case of cyber events, these processes often become subjective, due to the lack of reliable historical data concerning each specific type of cyber incident. Our target is to reduce such a subjectivity as much as possible, by following and extending the approach in [1], [9].…”
Section: A Contribution (mentioning)
confidence: 99%
“…In this scenario, having assumed that the organization does not react immediately after experiencing one or more cyber incidents, we can model the attacks as Bernoulli experiments, with success probability given by (9). We can actually assume that also the outcome of the single attack attempt is a continuous random variable P with realization p. In particular, taking into account the uncertainty inherent in the problem (where the maturity index, for example, results from the opinion of some experts or from the assessment of questionnaires) we assume that P follows a PERT (Project Evaluation and Review Techniques) distribution, with $p_m = p_s(\min\{x + q, 10\})$, $p_M = p_s(\max\{x - q, 0\})$, for some arbitrary value of q, and $p^* = p_s(x)$ respectively the minimum, maximum, and most likely values.…”
Section: ) Organizations Which Do Not Change Posture (mentioning)
confidence: 99%
“…In this more realistic approach, it is assumed that the organization immediately notices the breach, and tries to improve its posture. 1) Organizations which do not change posture: In this scenario, having assumed that the organization does not react immediately after experiencing one or more cyber incidents, we can model the attacks as Bernoulli experiments, with success probability given by (9). We can actually assume that also the outcome of the single attack attempt is a continuous random variable P with realization p. In particular, taking into account the uncertainty inherent in the problem (where the maturity index, for example, results from the opinion of some experts or from the assessment of questionnaires) we assume that P follows a PERT (Project Evaluation and Review Techniques) distribution, with $p_m = p_s(\min\{x + q, 10\})$, $p_M = p_s(\max\{x - q, 0\})$, for some arbitrary value of q, and $p^* = p_s(x)$ respectively the minimum, maximum, and most likely values.…”
Section: H Likelihood Of Occurrence Of Cyber Incidents (mentioning)
confidence: 99%
“…Regarding the monetary impacts, we have considered those in [9, Table 2] and also reported in Table V, for the sake of completeness. In order to keep a uniform notation with the rest of the paper, we have applied a currency exchange from dollars (used in [9]) to Euro.…”
Section: A Case Study With Htma (mentioning)
confidence: 99%