An adversarial risk analysis framework for cybersecurity

D. Ríos Insua (1), A. Couce Vieira (1), J.A. Rubio (2), W. Pieters (3), K. Labunets (3), D. Garcia Rasines (4), K. Musaraj (5), P. Briggs (6)

(1) ICMAT-CSIC, (2) U. Complutense de Madrid, (3) Delft TU, (4) Imperial College, (5) AXA Tech. Serv., (6) Northumbria University

Part of the H2020 project CYBECO on supporting cyber insurance from a behavioural choice perspective
Challenges/Objectives
- Overcome risk matrices as risk calculation tool
- Analyse adversarial cybersecurity threats
- Include cyber insurance in risk analysis modelling
- Include decision-maker’s preferences and risk attitudes
- Facilitate informed decision-making in cybersecurity
- Implement it as software

• An adversarial risk analysis framework for cybersecurity • SRA-E Conference 2018, Östersund, Sweden – June 18-20, 2018
Risk analysis model template: ARA defend-attack model
Risk analysis framework

Definition of the risk analysis scope – e.g., document management SME, its online e-service and for 1 year.

Identification of risk components:
- Organisation assets at risk – e.g., facilities, computer equipment, market share
- Non-targeted threats – e.g., fire and computer virus
- Targeted threats (targeted to attack us) – e.g., DDoS attack from a competitor
- Other uncertainties affecting risk relevant to the organisation – e.g., duration of DDoS
- Security controls – e.g., anti-fire system, DDoS protection system
- Cyber insurance products – e.g., traditional, cyber, comprehensive
- Impacts over the organisation’s assets and interests – e.g., over facilities, market share
- Impacts over the targeted threats – e.g., being detected
- Preferences and risk attitudes of the organisation
- Preferences and risk attitudes of the targeted threats – e.g., the competitor
Risk analysis framework

Problem structuring with our risk analysis model
Risk analysis framework

Problem solving – to solve it, first we solve the attacker part, then the defender part.
- Attacker, i.e., the competitor
- Defender, i.e., the organisation
Risk analysis framework

Problem solving
- Assess the organisation’s non-strategic beliefs and preferences: modelling the defender problem with the support of data and expert judgement. This covers all nodes except those that correspond to an attacker decision.
- Assess the random beliefs and preferences of the adversarial threat: modelling and simulating the attacker problem to forecast its actions and obtain the probability distribution that we will use to complete the defender model.
- Solve the organisation’s problem: this involves the construction of algorithms and their software implementation.
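The three problem-solving steps above, carried through for a simplified defend-attack case with one competitor deciding on a DDoS attack. This is an added example, not code from the slides or from CYBECO, and it is written in Python rather than the project's R; every number, distribution and name in it (`CONTROLS`, `INSURANCE`, `attack_probability`, and so on) is a constructed assumption.

```python
import math
import random

# Constructed numbers for illustration; none of them come from the slides.
CONTROLS = {"none": {"cost": 0.0, "mean_hours": 12.0},
            "ddos_protection": {"cost": 3.0, "mean_hours": 2.0}}
INSURANCE = {"none": {"premium": 0.0, "coverage": 0.0},
             "cyber": {"premium": 2.0, "coverage": 0.8}}
LOSS_PER_HOUR = 10.0   # defender loss per hour of DDoS (k EUR)
RISK_AVERSION = 0.01   # coefficient of the defender's exponential utility

def attack_probability(control, n=5000, seed=1):
    """Attacker problem: sample the attacker's uncertain beliefs and
    preferences, solve its decision per draw, return P(attack | control)."""
    rng = random.Random(seed)
    hours = CONTROLS[control]["mean_hours"]
    attacks = 0
    for _ in range(n):
        gain_per_hour = rng.uniform(0.5, 2.0)  # value of market share taken
        p_detect = rng.betavariate(2, 5)       # its belief of being detected
        penalty = rng.uniform(5.0, 30.0)       # its loss if detected
        eu_attack = gain_per_hour * hours - p_detect * penalty
        attacks += eu_attack > 0.0             # not attacking is worth 0
    return attacks / n

def defender_expected_utility(control, insurance, n=5000, seed=2):
    """Defender problem: expected utility of one portfolio, with the attack
    node filled in by the forecast from the attacker problem."""
    rng = random.Random(seed)
    p_attack = attack_probability(control)
    c, i = CONTROLS[control], INSURANCE[insurance]
    total = 0.0
    for _ in range(n):
        loss = 0.0
        if rng.random() < p_attack:            # attack happens
            loss = LOSS_PER_HOUR * rng.uniform(0.0, 2.0 * c["mean_hours"])
        cost = c["cost"] + i["premium"] + (1.0 - i["coverage"]) * loss
        total += -math.exp(RISK_AVERSION * cost)  # risk-averse utility
    return total / n

def best_portfolio():
    options = [(c, i) for c in CONTROLS for i in INSURANCE]
    return max(options, key=lambda o: defender_expected_utility(*o))

if __name__ == "__main__":
    print("best portfolio:", best_portfolio())
```

The attack probability is an output of the attacker simulation and changes with the control chosen, which a fixed likelihood cell in a risk matrix cannot express.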
Risk analysis framework
- Implemented in R – for calculation
- CYBECO toolbox – for displaying the results
CYBECO Toolbox
Risk analysis framework

Implementing the previous procedure, we are able to calculate:
- Best security control and insurance portfolio
- Overall probability of different events
- Expected impacts given the different probabilities

Further analyses are possible: sensitivity analysis, constraints, return on security investment, …
Current/future work around the ARA framework
- Doing a model for a complete risk analysis case study in CYBECO
- Computational enhancements:
  - Generalised interactions (i.e., not only defend-attack cases)
  - Augmented probability simulation (i.e., faster optimisation)
- Other general risk problems:
  - Insurance company on whether to grant cyber insurance to company
  - Insurance company deciding their reinsurance portfolio [for cyber]
- Preference modelling:
  - Cybersecurity risk management objectives (trees of objectives > attributes that measure them > utility functions)
  - Cyber attacker objectives
CSIRA: A method for analysing the risk of cybersecurity incidents

Thank you!