The cybersecurity risk estimation engine: A tool for possibility based risk analysis

Baskerville, Richard; Kim, Jongwoo; Stucke, Carl

doi:10.1016/j.cose.2022.102752

Cited by 3 publications

(3 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Opposing risk quantification, [1] argues that in-depth quantification of risks is not realistic in practice since most practitioners rely on simple metrics to understand the annualized effects of threats. To understand the possibility of being affected by rare threats, a qualitative, questionnaire-based tool is proposed that surveys the perceived possibility of a breach.…”

Section: B Risk Management Approachesmentioning

confidence: 99%

“…To understand the possibility of being affected by rare threats, a qualitative, questionnaire-based tool is proposed that surveys the perceived possibility of a breach. The tool consolidates views on ongoing breaches, which [26] 2022 Quantifying Exposure Dynamic Algorithm Cyber Insurance [1] 2022 Rarity Estimation Qualitative Questionnaire Senior Security Managers [40] 2020 Loss Prediction Bayesian Network Generated data [24] 2023 Risk Identification Bayesian Network Maritime Systems [2] 2020 Maturity Benchmarking Qualit. Questionnaire IT leaders of SME [25] 2002 Downtime Cost Estimate Formula System Modelling are not conceptually aligned with a system design activity.…”

Section: B Risk Management Approachesmentioning

confidence: 99%

“…Therefore, risk management approaches cannot be directly applied to threat modeling, thus, showing the need and opportunity for the proposal of specific and practical approaches like QuantTM. Another interesting observation is the opposition of industry practitioners [1], which highlights the complexity of existing tools and argues that a full threat-and-vulnerability mapping is not practical [22]. In favor of practical, expedient, and ad hoc analysis, simple approaches like [25] embedded in a technical and organizational context can be used for a specific goal-oriented application.…”

Section: B Risk Management Approachesmentioning

confidence: 99%

See 2 more Smart Citations

CoReTM: An Approach Enabling Cross-Functional Collaborative Threat Modeling

Assen¹,

Franco²,

Killer³

et al. 2022

2022 IEEE International Conference on Cyber Security and Resilience (CSR)

View full text Add to dashboard Cite

Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a realworld case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.

show abstract

Section: B Risk Management Approachesmentioning

confidence: 99%