Article title

Methodology of Quantitative Assessment of Network Cyber Threats Using a Risk-Based Approach

Content
Identifiers
Title variants
Publication languages
EN
Abstracts
EN
A methodology for the quantitative assessment of an organisation's network cyber threats was developed to quantitatively assess and compare the cybersecurity threat landscape under conditions of limited data, applying a risk-oriented approach. It can be used either to assess the level of network cyber threats of a particular organisation (as a quantitative measure of the criticality of the cyber threats detected within the organisation's network) or to compare the level of network cyber threats of several organisations over the same or different time periods, thereby supporting managerial decisions regarding the organisation's cybersecurity strategy. The proposed algorithm scheme can be used to automate the calculation process. The assessment of network cyber threats considered in the article is not a full-fledged measure of cyber risk, because the methodology was developed for the common situation in which risk context data are deficient. Nevertheless, the results of applying the methodology partially reflect the overall level of the organisation's cyber risk and are intended for use when a full-featured cyber threat assessment cannot be organised for some reason.
Year
Pages
227--260
Physical description
Bibliography: 59 items, figures, tables, charts.
Authors
author
  • The State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine
  • The Cybersecurity and Application of Information Systems and Technology Academic Department at the Institute of Special Communication and Information Protection of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”
author
  • The State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine
Bibliography
  • [1] Y. Yuan, W. Xu, “Network security situation based on big data environment.” 6th International Workshop on Advanced Algorithms and Control Engineering (IWAACE 2022), 2022, doi: 10.1117/12.2653255.
  • [2] J. Zhang, H. Feng, B. Liu, D. Zhao, “Survey of technology in network security situation awareness,” Sensors, vol. 23, no. 5, p. 2608, 2023, doi: 10.3390/s23052608.
  • [3] B. Zhou, B. Sun, T. Zang, Y. Cai, J. Wu, H. Luo, “Security risk assessment approach for distribution network cyber physical systems considering cyber attack vulnerabilities,” Entropy, vol. 25, no. 1, p. 47, 2023, doi: 10.3390/e25010047.
  • [4] M.S. Kacar, K. Oztoprak, “Network security scoring.” IEEE 11th International Conference on Semantic Computing (ICSC), 2017. [Online]. Available: https://www.researchgate.net/publication/315872054_Network_Security_Scoring. [Accessed: Jun. 15, 2023].
  • [5] T. Ali, M. Al-Khalidi, Rabab Al-Zaidi, “Information security risk assessment methods in cloud computing: Comprehensive review,” The Journal of Computer Information Systems, pp. 1–28, 2024, doi: 10.1080/08874417.2024.2329985.
  • [6] Imperva. (2023). Cyber Threat Index. Cyber Security Statistics & Trends. [Online]. Available: https://www.imperva.com/cyber-threat-index/. [Accessed: Aug. 22, 2023].
  • [7] NordVPN. (2020). Cyber Risk Index. [Online]. Available: https://s1.nordcdn.com/nord/misc/0.13.0/vpn/brand/NordVPN-cyber-risk-index-2020.pdf. [Accessed: Aug. 29, 2023].
  • [8] M. Khudyntsev, O. Lebid, M. Bychenok, A. Zhylin, A. Davydiuk, “Network monitoring index in the information security management system of critical information infrastructure objects,” in Information and Communication Technologies and Sustainable Development, S. Dovgyi, O. Trofymchuk, V. Ustimenko, L. Globa, Eds., Lecture Notes in Networks and Systems, Springer, Cham, 2022, pp. 270–290.
  • [9] V. Kravets, “Comparative analysis of the cybersecurity indices and their applications,” Theoretical and Applied Cybersecurity, vol. 1, no. 1, pp. 97–102, 2019, doi: 10.20535/tacs.2664-29132019.1.169090.
  • [10] R. Xi, X. Yun, Z. Hao, Y. Zhang, “Quantitative threat situation assessment based on alert verification,” Security and Communication Networks, vol. 9, no. 13, pp. 2135–2142, 2016, doi: 10.1002/sec.1473.
  • [11] H. Hu, H. Zhang, Y. Liu, Y. Wang, “Quantitative method for network security situation based on attack prediction,” Security and Communication Networks, vol. 2017, no. 1, pp. 1–19, 2017, doi: 10.1155/2017/3407642.
  • [12] I. Kozubtsov, O. Chernonoh, L. Kozubtsova, M. Artemchuk, I. Neshcheret, “Selection of individual indicators for assessing the ability of the information security and cybersecurity system to function in special communication information and communication systems,” Cybersecurity: Education, Science, Technique, vol. 16, no. 4, pp. 19–27, 2022, doi: 10.28925/2663-4023.2022.16.1927.
  • [13] I. Pyskun, Y. Tkach, V. Khoroshko, Y. Khokhlachova, A.R.A. Ayasrah, A.F. Al-Dalvash, “Quantitative assessment and determination of the level of cyber security of state information systems,” Ukrainian Scientific Journal of Information Security, vol. 26, no. 3, pp. 131–138, 2020, doi: 10.18372/2225-5036.26.14974.
  • [14] L. Kozubtsova, Y. Khlaponin, I. Kozubtsov, “Methods of evaluation of efficiency of implementation of cyber security measures of critical information infrastructure bodies of the body. Modern information technologies in the sphere of security and defence,” Modern Information Technologies in the Field of Security and Defense, vol. 41, no. 2, pp. 17–22, 2021, doi: 10.33099/2311-7249/2021-41-2-17-22.
  • [15] B. Metin, S. Duran, E. Telli, M. Mutlutürk, M. Wynn, “IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture,” Information, vol. 15, no. 1, 2024, doi: 10.3390/info15010055.
  • [16] V.L. Buriachok, V.B. Tolubko, V.O. Khoroshko, S.V. Tolupa, Information and Cyber Security: Socio-Technical Aspect. State University of Information and Communication Technologies, Kyiv, 2015.
  • [17] Joint Task Force Transformation Initiative. (2012). Guide for Conducting Risk Assessments. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf. [Accessed: Apr. 15, 2023].
  • [18] ENISA. (Feb. 21, 2023). Interoperable EU Risk Management Toolbox. [Online]. Available: https://www.enisa.europa.eu/publications/interoperable-eu-riskmanagement-toolbox. [Accessed: Jun. 10, 2023].
  • [19] D. Landoll, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, CRC Press, Boca Raton, FL, 2021.
  • [20] N. Yalcin, B. Kılıç, “Information security risk management and risk assessment methodology and tools.” International Conference on Cyber Security and Computer Science (ICONCS 2018), 2019. [Online]. Available: https://www.researchgate.net/publication/330170264_Information_Security_Risk_Management_and_Risk_Assessment_Methodology_and_Tools. [Accessed: Jun. 15, 2023].
  • [21] National Institute of Standards and Technology. (Apr. 22, 2024). Glossary. [Online]. Available: https://csrc.nist.gov/glossary. [Accessed: Apr. 15, 2023].
  • [22] ENISA. (2024). Glossary of Terms. [Online]. Available: https://www.enisa.europa.eu/topics/risk-management/current-risk/bcm-resilience/glossary. [Accessed: Apr. 15, 2023].
  • [23] National Institute of Standards and Technology. (2018). Risk management framework for information systems and organizations. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf. [Accessed: Apr. 15, 2023].
  • [24] J. Sokol. (Feb. 25, 2021). The OWASP risk rating methodology and SimpleRisk. [Online]. Available: https://www.simplerisk.com/blog/owasp-risk-ratingmethodology-and-simplerisk. [Accessed: Jun. 16, 2023].
  • [25] ENISA. (2022). Risk management standards: Analysis of standardisation requirements in support of cybersecurity policy. [Online]. Available: https://www.enisa.europa.eu/publications/risk-management-standards. [Accessed: Jun. 10, 2023].
  • [26] J. Dobaj, C. Schmittner, M. Krisper, G. Macher, “Towards integrated quantitative security and safety risk assessment,” in Computer Safety, Reliability, and Security, A. Romanovsky, E. Troubitsyna, I. Gashi, E. Schoitsch, F. Bitsch, Eds., Turku, Lecture Notes in Computer Science, Springer Cham, 2019, pp. 102–116.
  • [27] S. Bhamidipati, Examining approaches to quantifying cyber risk for improved cybersecurity management, Massachusetts Institute of Technology, 2019. [Online]. Available: https://dspace.mit.edu/bitstream/handle/1721.1/124233/1144933199-MIT.pdf?sequence=1&isAllowed=y. [Accessed: Jun. 20, 2023].
  • [28] G.-Y. Shin, S.-S. Hong, J.-S. Lee, I.-S. Han, H.-K. Kim, H.-R. Oh, “Network security node-edge scoring system using attack graph based on vulnerability correlation,” Applied Sciences, vol. 12, no. 14, 2022, doi: 10.3390/app12146852.
  • [29] O. Korchenko, V. Hnatyuk, E. Ivanchenko, S. Hnatyuk, N. Seilova, “Method for cyber incidents network-centric monitoring of cyber incidents in modern information & communication systems,” Information Protection, vol. 18, no. 3, pp. 229–247, 2016, doi: 10.5815/ijcnis.2017.06.04.
  • [30] ENISA. (2022). Threat landscape methodology. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-methodology. [Accessed: Jun. 10, 2023].
  • [31] M. Benmalek, “Ransomware on cyber-physical systems: taxonomies, case studies, security gaps, and open challenges,” Internet of Things and Cyber-Physical Systems, vol. 4, pp. 186–202, 2024, doi: 10.1016/j.iotcps.2023.12.001.
  • [32] ENISA. (2018). Reference incident classification taxonomy. [Online]. Available: https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy. [Accessed: Apr. 29, 2023].
  • [33] Europol. (2017). Common taxonomy for law enforcement and the national network of CSIRTs. [Online]. Available: https://www.europol.europa.eu/cms/sites/default/files/documents/common_taxonomy_for_law_enforcement_and_csirts_v1.3.pdf. [Accessed: Apr. 29, 2023].
  • [34] ENISA. (2016). Threat taxonomy. [Online]. Available: https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends/enisa-threat-landscape/threattaxonomy/view. [Accessed: Apr. 29, 2023].
  • [35] Threat landscape: Trends and methods. Cyber-threat landscape and end-user requirements, Aug. 31, 2018. [Online]. Available: https://cyber-trust.eu/wp-content/uploads/2020/02/D2.1.pdf. [Accessed: Jun. 16, 2024].
  • [36] ZenGRC. (Aug. 10, 2023). NIST Cyber Risk Scoring. [Online]. Available: https://reciprocity.com/blog/nist-cyber-risk-scoring/. [Accessed: Aug. 20, 2023].
  • [37] M. Krisper. (2021). Problems with risk matrices using ordinal scales. [Online]. Available: https://arxiv.org/pdf/2103.05440. [Accessed: Jun. 16, 2023].
  • [38] V. Evrin. (Apr. 28, 2021). Risk assessment and analysis methods: Qualitative and quantitative. [Online]. Available: https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods. [Accessed: Jun. 16, 2023].
  • [39] About TDR threat scores. [Online]. Available: https://www.watchguard.com/help/docs/fireware/12/en-us/Content/en-US/services/tdr/tdr_threat_scores.html. [Accessed: Jun. 16, 2023].
  • [40] S. Ekung, “Limitations of risk identification tools applied in project management in the Nigerian construction industry,” Malaysian Construction Research Journal, vol. 30, no. 1, pp. 73–85, 2020.
  • [41] A.N. Kia, F. Murphy, B. Sheehan, D. Shannon, “A cyber risk prediction model using common vulnerabilities and exposures,” Expert Systems with Applications, vol. 237, 2024, doi: 10.1016/j.eswa.2023.121599.
  • [42] RiskWatch. (Jan. 31, 2024). Risk scoring methodology. [Online]. Available: https://www.riskwatch.com/risk-scoring-methodology/. [Accessed: Jun. 16, 2023].
  • [43] ENISA. (2019). EU Cybersecurity Certification Framework: Methodology for sectoral cybersecurity assessments. [Online]. Available: https://www.enisa.europa.eu/publications/methodology-for-a-sectoral-cybersecurity-assessment. [Accessed: Jun. 10, 2023].
  • [44] C. Borrett, “Threat level index for advanced persistent threats (APT) - European repository of cyber incidents,” German Institute for International and Security Affairs, 2022, doi: 10.7802/2494.
  • [45] T. Mahler, Y. Elovici, Y. Shahar, “A new methodology for information security risk assessment for medical devices and its evaluation,” Computer Science: Cryptography and Security, 2020, doi: 10.48550/arXiv.2002.06938.
  • [46] EuRepoC. (2023). Methodology. [Online]. Available: https://eurepoc.eu/methodology/. [Accessed: Jun. 16, 2023].
  • [47] B. Sohval, A deep dive in scoring methodology, SecurityScorecard, 2024. [Online]. Available: https://securityscorecard.com/wp-content/uploads/2024/01/EBOOKMethodologyDeepDive-3.0_v2-1.pdf. [Accessed: Jun. 16, 2023].
  • [48] J. de Wit, W. Pieters, P. van Gelder, “Bias and noise in security risk assessments: An empirical study on the information position and confidence of security professionals,” Security Journal, vol. 37, pp. 170–191, 2023, doi: 10.1057/s41284-023-00373-6.
  • [49] S. Facchinetti, S.A. Osmetti, C. Tarantola, “A statistical approach for assessing cyber risk via ordered response models,” Risk Analysis, vol. 44, no. 2, pp. 425–438, 2023, doi: 10.1111/risa.14186.
  • [50] K. Ostrovska, R. Beday, “Productivity study of volume data normalization methods,” System Technologies, vol. 3, no. 128, pp. 165–175, 2020, doi: 10.34185/1562-9945-3-128-2020-15.
  • [51] M. Dekker, L. Alevizos, “A threat-intelligence driven methodology to incorporate uncertainty in cyber risk analysis and enhance decision-making,” Security and Privacy, vol. 7, no. 1, 2023, doi: 10.1002/spy2.333.
  • [52] B. Gokkaya, L. Aniello, E. Karafili, B. Halak, “A methodology for cybersecurity risk assessment in supply chains,” Computer Security, ESORICS 2023 International Workshops, pp. 26–41, 2024, doi: 10.1007/978-3-031-54129-2_2.
  • [53] C. Cioaca, C.-G. Constantinescu, M. Boscoianu, R. Lile, “Extreme Risk Assessment Methodology (ERAM) in aviation systems,” Environmental Engineering and Management Journal, vol. 14, no. 6, pp. 1399–1408, 2015, doi: 10.30638/eemj.2015.152.
  • [54] P. Nakamura, Implementing a quantitative risk management methodology in a cyber exercise, Master’s Thesis, JAMK University of Applied Sciences, 2020. [Online]. Available: https://www.theseus.fi/bitstream/handle/10024/354191/Masters_Thesis_Nakamura_Petteri.pdf?sequence=2&isAllowed=y. [Accessed: Jun. 19, 2023].
  • [55] Science for disaster risk management 2017: knowing better and losing less, K. Poljanšek, M. Ferrer, M. De Groeve, T. Clark, Eds., Luxembourg, Publications Office of the European Union, 2017.
  • [56] A.P. Duka, “Risk mapping in the organization’s integrated risk management system,” Effective Economy, no. 10, 2017.
  • [57] Threat actors’ attack strategies. Work Package 2: Cyber–threat landscape and end–user requirements, Dec. 31, 2018. [Online]. Available: https://cyber-trust.eu/wp-content/uploads/2020/02/D2.5.pdf. [Accessed: Jun. 16, 2023].
  • [58] ENISA. (2019). Online platform for security of personal data processing. [Online]. Available: https://www.enisa.europa.eu/publications/reinforcing-trust-andsecurity-platform. [Accessed: Jun. 10, 2023].
  • [59] D.W. Hubbard, R. Seiersen, D.E. Geer Jr, S. McClure, How to Measure Anything in Cybersecurity Risk, 2nd Edition, New Jersey: John Wiley & Sons, 2023.
Notes
Record prepared with funds from the MNiSW (Polish Ministry of Science and Higher Education), agreement no. POPUL/SP/0154/2024/02, under the programme "Społeczna odpowiedzialność nauki II" (Social Responsibility of Science II), module: Popularisation of Science (2025).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-fd91af3c-3bb1-47a7-a564-09e0a61ff924