A dynamic cybersecurity risk assessment tool for integrated governance

2018-11-21T09:51:07+00:00 | 16/10/2018

Today, a huge share of our daily activities depends on information exchange. Unfortunately, that information is also a prime source of income for cyber-criminals. Cyber threats are increasing, especially in Intellectual Property intensive industries, and they put at risk not only data but also other kinds of intangible assets, such as copyrights, processes or business models.

How can companies react without losing efficiency?

HERMENEUT is about to release a dynamic risk-assessment tool that not only establishes a company's vulnerability level, taking human, organisational and IT factors into account, but also updates itself automatically whenever something in the organisation changes. On that basis, the Risk Assessment Tool for integrated governance proposes adequate countermeasures and supports decision making and the prioritisation of security investments through a holistic cost-benefit analysis.

The tool has been developed by an interdisciplinary team of economists, cybersecurity experts and Human Factor specialists within the HERMENEUT project, whose aim is to support organisations in building individual and collective evidence-based risk profiles. Following the dynamic risk assessment methodology defined in HERMENEUT, the tool identifies the major cybersecurity risks, values the tangible and intangible assets at risk, and thus supports decision-making on cyber-security investments in hard and soft mitigation solutions, including the option of transferring risk to cyber-insurance. The tool, targeted at company stakeholders, allows them to:

(i) Assess vulnerabilities and threats, with a focus on human-related vulnerabilities, through dedicated questionnaires developed by HERMENEUT.

(ii) Estimate the potential losses of tangible and intangible assets, based on the most likely cyber-attacks identified at step (i) and on the costs those attacks entail. The focus is on cascading effects and on the hidden costs of cyber-attacks.

(iii) Model the risk at three levels of increasing precision:

  • Level 1: Conservative (Screening) Risk Assessment. Analysis of historical information and of data obtained from experts. System vulnerability assessments are carried out using the collected data and the findings of the iVA, followed by risk evaluation with ranking techniques and an initial prioritisation of remedial and preventive measures. This step is fundamental to start the prioritisation of resources.
  • Level 2: Qualitative (Secondary) Risk Assessment. Assets that require further consideration, and for which deeper analysis has positive cost-benefit implications, need additional data. These data reduce uncertainty and make the risk assessment more robust. Boston-square methods (a likelihood/impact grid) and specific vulnerability metrics are used alongside data elicited from experts.
  • Level 3: Quantitative (Mainly Probabilistic) Risk Assessment. This is usually needed only for the most critical and complex assets. The level of detail depends on the uncertainty and on the requirements of the models. This is the most expensive level for the company, because of the information that has to be collected.
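To make the three levels concrete, the following Python sketch chains a screening ranking (Level 1), a Boston-square classification (Level 2) and a compound-Poisson Monte Carlo loss estimate (Level 3) into a cost-benefit comparison that includes risk transfer to insurance. It is an added illustration of these generic methods, not the HERMENEUT tool's code or its methodology in detail; the asset names, ordinal scores, event rate, loss distribution and cost figures are all constructed.

```python
"""Three-level risk model sketch: screening ranking, Boston square,
probabilistic loss estimate, then a cost-benefit test with insurance.
Constructed illustration only; not the HERMENEUT tool's code."""
import math
import random
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    likelihood: int  # ordinal 1..5, elicited from questionnaires / experts
    impact: int      # ordinal 1..5, covering tangible and intangible loss


def level1_screening(assets):
    """Level 1: conservative ranking by likelihood x impact, highest first.
    Ties are broken by impact so the costlier asset is looked at first."""
    return sorted(assets, key=lambda a: (a.likelihood * a.impact, a.impact),
                  reverse=True)


def level2_boston_square(asset, threshold=3):
    """Level 2: place the asset in a 2x2 likelihood/impact grid and map
    each quadrant to a treatment strategy."""
    high_l = asset.likelihood >= threshold
    high_i = asset.impact >= threshold
    if high_l and high_i:
        return "mitigate"   # frequent and severe: invest in controls
    if high_i:
        return "transfer"   # rare but severe: cyber-insurance candidate
    if high_l:
        return "reduce"     # frequent but minor: cheap hygiene measures
    return "accept"         # rare and minor: monitor only


def poisson(rng, lam):
    """Draw a Poisson(lam) event count (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def level3_monte_carlo(annual_rate, loss_low, loss_mode, loss_high,
                       trials=20000, seed=1):
    """Level 3: annualised loss expectancy (ALE) from a compound Poisson
    model. Event count ~ Poisson(annual_rate); each loss ~ Triangular."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        events = poisson(rng, annual_rate)
        total += sum(rng.triangular(loss_low, loss_high, loss_mode)
                     for _ in range(events))
    return total / trials


def analytic_ale(annual_rate, loss_low, loss_mode, loss_high):
    """Closed-form check: rate x mean of the triangular loss."""
    return annual_rate * (loss_low + loss_mode + loss_high) / 3.0


def cost_benefit(ale, control_cost, reduction, premium, coverage):
    """Expected annual cost of three options; the lowest is preferred.
    reduction: fraction of ALE removed by the control. coverage: fraction of
    the residual loss paid by the insurer in exchange for the premium."""
    residual = ale * (1 - reduction)
    options = {
        "do nothing": ale,
        "mitigate": control_cost + residual,
        "mitigate + insure": control_cost + premium + residual * (1 - coverage),
    }
    return min(options, key=options.get), options


if __name__ == "__main__":
    # Constructed sample portfolio (hypothetical scores).
    portfolio = [Asset("patient records", 4, 5), Asset("marketing site", 4, 2),
                 Asset("patent drafts", 2, 5), Asset("cafeteria menu", 1, 1)]
    for a in level1_screening(portfolio):
        print(f"{a.name:16} score={a.likelihood * a.impact:2} "
              f"-> {level2_boston_square(a)}")
    # Level 3 for the top-ranked asset: 0.5 incidents/year, losses 50k-1M.
    ale = level3_monte_carlo(0.5, 50_000, 200_000, 1_000_000)
    print(f"ALE (Monte Carlo) ~ {ale:,.0f}; analytic "
          f"{analytic_ale(0.5, 50_000, 200_000, 1_000_000):,.0f}")
    best, opts = cost_benefit(ale, control_cost=60_000, reduction=0.6,
                              premium=25_000, coverage=0.8)
    print("best option:", best, {k: round(v) for k, v in opts.items()})
```

The Boston square is deliberately coarse: it only decides which assets deserve the expensive Level 3 data collection, and which are cheaper to transfer than to mitigate. The Level 3 estimate is a compound distribution, so a single "expected loss" number hides the tail; in practice one would also report a high percentile of the simulated annual loss before comparing against an insurance premium.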

HERMENEUT has also introduced an innovative approach for identifying when risks need to be reassessed, based on dark-web analysis and on the company's cyber-posture and business ecosystem. To protect assets from cyber-attacks, the general approach implemented in the tool combines qualitative and quantitative methodologies, using the risk definitions of the ISO 31000 (risk management) and ISO 31010 (risk assessment techniques) standards.

The HERMENEUT tool is validated in critical domains such as healthcare and aviation. It is intended as a model for assessing risks to tangible and intangible assets while keeping the process as simple as possible.