Towards a Reconceptualisation of Cyber Risk: An Empirical and Ontological Study

摘要

The prominence and use of the concept of cyber risk has been rising in recent years. This paper presents empirical investigations focused on two important and distinct groups within the broad community of cyber-defence professionals and researchers: (1) cyber practitioners and (2) developers of cyber ontologies. The key finding of this work is that the ways the concept of cyber risk is treated by practitioners of cyber security is largely inconsistent with definitions of cyber risk commonly offered in the literature. Contrary to commonly-cited definitions of cyber risk, concepts such as the likelihood of an event and the extent of its impact are not used by cybersecurity practitioners. This is also the case for the use of these concepts in the current generation of cyber-security ontologies. Instead, terms and concepts reflective of the adversarial nature of cyber defence appear to take the most prominent roles. This research offers the first quantitative, empirical evidence that rejection of traditional concepts of cyber risk by cyber-security professionals is indeed observed in real-world practice.