Abstract

Introduction

Related works

Integrated cybersecurity risk management (i-CSRM)

Integrated cyber security risk management tool (i-CSRMT)

Evaluation of i-CSRM

Discussion

Conclusion

Declarations

References

Abstract

     Cyber security risk management plays an important role for today’s businesses due to the rapidly changing threat landscape and the existence of evolving sophisticated cyber attacks. It is necessary for organisations, of any size, but in particular those that are associated with a critical infrastructure, to understand the risks, so that suitable controls can be taken for the overall business continuity and critical service delivery. There are a number of works that aim to develop systematic processes for risk assessment and management. However, the existing works have limited input from threat intelligence properties and evolving attack trends, resulting in limited contextual information related to cyber security risks. This creates a challenge, especially in the context of critical infrastructures, since attacks have evolved from technical to socio-technical and protecting against them requires such contextual information. This research proposes a novel integrated cyber security risk management (i-CSRM) framework that responds to that challenge by supporting systematic identification of critical assets through the use of a decision support mechanism built on fuzzy set theory, by predicting risk types through machine learning techniques, and by assessing the effectiveness of existing controls.

Introduction

     Critical infrastructures (CIs), such as energy and healthcare, heavily rely on Information and Communication Technology (ICT) to support reliable service delivery. Such integration of ICT to CIs introduces a number of advantages, such as higher degree of flexibility, scalability and efficiency in the communication and coordination of advanced services and processes. On the other hand, the increase usage of ICT in CIs creates new opportunities for cyber attacks and increases the vulnerability of those systems. Due to the importance of critical infrastructures, there are recently an increased number of attacks that are evolving in terms of sophistication, persistence and the resources that attackers have available. Such attacks consider not just the technical limitations of the relevant technologies but also the contextual information related to the critical infrastructure.

     Despite of several existing works on cybersecurity risk management, the literature fails to present works that consider such contextual information when performing risk management for critical infrastructures. Moreover, existing works focus more on the prediction of risks and do not consider—as part of the same process—necessary controls that mitigate those risks. Our work advances the state of the art through the integration of cyber threat intelligence (CTI) to the risk management process, to understand contextual information related to the threat actor’s behaviour, tactics, techniques and procedures (TTP) and indicators. Moreover, it provides a unified process that integrates both risk prediction and risk mitigation with the aid of machine learning.

Conclusion

     Risk management is a continuous process for maintaining the effective functioning of critical assets for any organisational context. In particular, critical infrastructures need resilience for the service delivery and risk management is an essential component to achieve this. The threat landscape is constantly evolving with new techniques and more sophisticated organised attacks. Therefore, it is necessary for the risk management activities to consider the threat context to assess and manage the risks. This research proposes the integrated cyber security risk management framework (i-CSRM) that adopts various existing standards and cyber threat intelligence data for risk management. i-CSRM also includes machine learning (ML) models to predicate the risk types so that organisations can undertake the necessary proactive measures to tackle the risks. The framework also includes a tool support to automate some of the risk management activities. Finally, i-CSRM is applied in a CI-based industrial context and the results of applying the framework are very promising. Specifically the studied context was able to identify and assess risks using i-CSRM and determine the right level of control for the overall business continuity. The participants’ observation is that i-CSRM is a practical approach for the risk management, and integration of CTI makes the risk management activities more effective. We believe that the proposed i-CSRM framework, its process and supporting tool will significantly impact the cybersecurity domain and state of the art in general. The i-CSRM framework focuses only on the supervised learning method, which requires labelled dataset. As a part of our future research, we would like to deploy the i-CSRM in different CI context and implement different data sets for the risk type predication. Additionally, it is necessary to develop a checklist to make the process easy to use for risk assessment and management.