Conference: European Conference on Cyber Warfare and Security

Cyber Security Risk Modelling and Assessment: A Quantitative Approach



Abstract

The extensive use of information systems has become both a crucial enabler and a critical vulnerability in all spheres of public and private activity. A cyber-security breach may result in interruption, modification, degradation, fabrication, interception, or unauthorized use of an information asset. The resulting damage can be immediate, causing direct financial losses, or prospective, gradually harming national safety and reputation. In the context of cyber security, risk is present where a threat intersects with a corresponding vulnerability that allows it to manifest. It can be formally expressed as a function of three elements: the probability that a threat becomes harmful, the probability that a vulnerability is exploited, and the resulting impact. While these three elements can be expressed either qualitatively or quantitatively, in cyber security they are generally described in qualitative terms. This paper presents common cyber security risk assessment methods and shows how a risk analysis can be conducted in cyberspace. It proposes a new cyber risk formulation combining statistical and Monte Carlo simulation techniques. Risk analysis is defined here as a process that aims to identify, analyze, and reduce or transfer risk. A case study using the most common threats, vulnerabilities, and impacts is presented to illustrate the approach. In this study, a Program Evaluation and Review Technique (PERT) distribution is used to represent the inherent risk curve. A correlation analysis using stochastic simulation is conducted to show how sensitive the overall risk is to the different threats. Risk drivers are thereby assessed and displayed graphically using a pairwise association. The paper's results and insights can assist civilian and military decision-makers in identifying critical risk drivers and the need for contingency plans. Statistical techniques and Monte Carlo simulation objectively derive the most likely cyber risk profile. The Loss Exceedance Curve shows, for each loss level, the likelihood of exceeding it. The what-if analysis determines which risk mitigation strategies would have the most impact.
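The workflow the abstract describes (three-factor risk, PERT-distributed inputs, Monte Carlo simulation, a Loss Exceedance Curve point, correlation-based risk drivers, and a what-if mitigation step), as an added Python example that is not the paper's own code or data. The threat names, the PERT (lo, mode, hi) triples and the λ=4 PERT-to-Beta mapping are constructed assumptions for illustration.

```python
import random

def pert(rng, lo, mode, hi, lam=4.0):
    """PERT(lo, mode, hi) sample: Beta(alpha, beta) rescaled onto [lo, hi] (assumed lam=4 form)."""
    alpha = 1 + lam * (mode - lo) / (hi - lo)
    beta = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)

# Constructed scenario (illustrative values, not from the paper). Per threat:
# (P(threat becomes harmful), P(vulnerability exploited), impact in k$), each as (lo, mode, hi).
SCENARIO = {
    "phishing":       ((0.30, 0.60, 0.90), (0.20, 0.40, 0.70), (20, 80, 300)),
    "ransomware":     ((0.10, 0.30, 0.60), (0.10, 0.30, 0.50), (100, 400, 1500)),
    "insider misuse": ((0.05, 0.15, 0.40), (0.30, 0.50, 0.80), (50, 150, 600)),
}

def simulate(scenario, trials=10_000, seed=1):
    """Monte Carlo run: returns (total loss per trial, per-threat risk per trial)."""
    rng = random.Random(seed)
    totals, per_threat = [], {name: [] for name in scenario}
    for _ in range(trials):
        total = 0.0
        for name, (p_threat, p_vuln, impact) in scenario.items():
            # risk = P(threat harmful) * P(vulnerability exploited) * impact
            risk = pert(rng, *p_threat) * pert(rng, *p_vuln) * pert(rng, *impact)
            per_threat[name].append(risk)
            total += risk
        totals.append(total)
    return totals, per_threat

def loss_exceedance(totals, threshold):
    """One point of the Loss Exceedance Curve: P(loss > threshold)."""
    return sum(1 for x in totals if x > threshold) / len(totals)

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x, var_y = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5

def risk_drivers(totals, per_threat):
    """Sensitivity: threats ranked by correlation of their own risk with the total loss."""
    return sorted(((pearson(v, totals), k) for k, v in per_threat.items()), reverse=True)

def mitigated(scenario, name, factor):
    """What-if: a control that scales one threat's exploit-probability triple by `factor`."""
    p_t, p_v, imp = scenario[name]
    return {**scenario, name: (p_t, tuple(x * factor for x in p_v), imp)}
```

Call `simulate(SCENARIO)` to obtain the loss samples, then `loss_exceedance` at several thresholds traces the curve and `risk_drivers` ranks the threats; re-running `simulate` on `mitigated(SCENARIO, "ransomware", 0.5)` compares the curve before and after a control.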
