Risk Models entailed into Cyber Situational Awareness Frameworks

Risk management is a central concern for every organisation. Risk can take different forms and originate from either inside or outside the organisation. IT security is one of the concerns that drive strategy at every corporation, including the risk of non-compliance, data breaches, infrastructure outages, legal penalties and more. Risk management can be described as consisting of four core processes: Context definition, Risk Assessment, Actions needed and Monitoring.

Risk assessment is the initial step of risk management and constitutes the most critical and difficult phase. In order to assess the scenarios that compose the threats, a risk assessment model needs to be structured. Using a simplified interpretation, a risk assessment model can be seen as a set of rules by which we aim to predict the future performance of a system from a risk perspective. Threat modelling, combined with risk management, should give answers to the question of who will attack your own systems, and how or where the attack will originate from. Threat modelling will provide valuable insights on IT risks facing organisations, and then outline necessary measures and sufficient controls to stop the threat before it becomes effective.

The main goal of any risk assessment model is to provide a relative or absolute quantification of risks. Models try to encapsulate the aspects of a real problem in a comprehensible structure by simplifying it, in contrast with simulation techniques, which try to reproduce a specific set of conditions of the problem. All models, from the simplest to the most complex ones, make use of probability theory and statistics.

Models can be classified into three general categories. From simplest to most complex, these are matrix, probabilistic, and indexing models.

Matrix models

One of the simplest risk assessment structures is a decision-analysis matrix. It ranks risks according to the likelihood and the potential consequences of an event on a simple scale, such as high to low, or 1 to 10. Each threat is assigned to a cell of the matrix based on its perceived likelihood and consequences. This approach may simply use expert opinion or, in more complicated applications, quantitative information to rank risks. While this approach cannot consider all pertinent factors and their relationships, it does help to clarify thinking, at least by breaking the problem into two parts for separate examination.

Probabilistic models

The most rigorous and complex risk assessment model is a modelling approach commonly referred to as probabilistic risk assessment. These models use mathematical and statistical techniques that rely heavily on historical failure data and event-tree/fault-tree analysis. Initiating events such as equipment failure and safety system malfunction are flowcharted forward to all possible concluding events, with probabilities being assigned to each branch along the way. Failures are flowcharted backward to all possible initiating events, again with probabilities assigned to all branches. All possible paths can then be quantified based on the branch probabilities along the way. Final accident probabilities are achieved by chaining the estimated probabilities of individual events.

These models are technologically more demanding to develop, require trained operators, and need extensive data. A detailed probabilistic risk assessment is usually the most expensive of the risk assessment techniques.

The output of a probabilistic risk assessment is usually in a form that can be directly compared to other risks. However, for rare events, the lack of historical data leads to an arguably blurred view. The technique therefore makes extensive use of failure statistics of components as foundations for estimates of future failure probabilities. However, as statistics can provide only part of the probabilistic relationships between the nodes, many probabilities must still be assigned by experts. In order to minimize subjectivity, applications of this technique became increasingly comprehensive and complex, requiring thousands of probability estimates.
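The forward (event-tree) pass described in this section can be sketched as follows. This is an added example, not taken from the SPHINX deliverable: the initiating event (a phishing e-mail arriving), the branch labels, and every probability are constructed for illustration.

```python
from math import isclose, prod

# Constructed event tree for one initiating event (a phishing e-mail arriving).
# Each node maps a branch label to (branch probability, subtree or outcome).
# All probabilities are illustrative expert estimates, not measured data.
EVENT_TREE = {
    "mail filter blocks": (0.90, "no impact"),
    "mail filter misses": (0.10, {
        "user ignores": (0.70, "no impact"),
        "user opens attachment": (0.30, {
            "endpoint agent stops it": (0.80, "contained incident"),
            "endpoint agent misses": (0.20, "host compromise"),
        }),
    }),
}

def walk(node, path=(), probs=()):
    """Yield (path, outcome, probability) for every root-to-leaf path."""
    total = sum(p for p, _ in node.values())
    if not isclose(total, 1.0):
        raise ValueError(f"branches after {path or 'root'} sum to {total}, not 1")
    for label, (p, child) in node.items():
        if isinstance(child, dict):
            yield from walk(child, path + (label,), probs + (p,))
        else:
            # Chain the branch probabilities along the path to this outcome.
            yield path + (label,), child, prod(probs + (p,))

def outcome_probabilities(tree, initiating_frequency=1.0):
    """Sum path probabilities per concluding event, scaled by event frequency."""
    totals = {}
    for _, outcome, p in walk(tree):
        totals[outcome] = totals.get(outcome, 0.0) + p * initiating_frequency
    return totals

if __name__ == "__main__":
    for path, outcome, p in walk(EVENT_TREE):
        print(f"{p:.3f}  {' -> '.join(path)}  =>  {outcome}")
    print(outcome_probabilities(EVENT_TREE))
```

Passing an expected number of initiating events per year as `initiating_frequency` turns the per-event probabilities into expected yearly counts per outcome, which is the form that can be compared across risks.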

Indexing models

The most popular risk assessment technique in current use is the index model or some similar scoring technique. In this approach, numerical values (scores) are assigned to important conditions and activities that contribute to the risks. In order to calculate these scores, risk-reducing and risk-increasing variables are introduced. Weightings are also assigned to each variable; they reflect the importance of the specific item in the risk assessment and are based on statistics, if available, or on experts’ opinion where data are limited or not available.

These models are very comprehensive and less demanding than the probabilistic ones. They also provide output that can be directly compared to other risks. The greatest challenges are efficiency, scalability, and performance, which are central factors to consider at any level when designing or building an index.
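One possible way to compute such an index is sketched below as an added example, not the scoring scheme of the SPHINX project. The variable names, weights, 0 to 10 score scale, normalisation to 0 to 100, and the three assets are all constructed assumptions.

```python
# Constructed variables: (name, weight, direction). direction +1 raises risk,
# -1 lowers it. Weights stand in for statistics or expert opinion.
VARIABLES = [
    ("internet_exposure",    0.30, +1),
    ("unpatched_software",   0.25, +1),
    ("data_sensitivity",     0.20, +1),
    ("network_segmentation", 0.15, -1),
    ("monitoring_coverage",  0.10, -1),
]
MAX_SCORE = 10  # every variable is scored on a 0..10 scale

def risk_index(scores):
    """Return a 0-100 index from per-variable scores (dict name -> score)."""
    missing = {name for name, _, _ in VARIABLES} - scores.keys()
    if missing:
        raise ValueError(f"unscored variables: {sorted(missing)}")
    raw = lowest = highest = 0.0
    for name, weight, direction in VARIABLES:
        score = scores[name]
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"{name}={score} is outside 0..{MAX_SCORE}")
        raw += direction * weight * score
        # Track the best and worst attainable totals so that indices stay
        # comparable even if variables or weights are changed later.
        if direction > 0:
            highest += weight * MAX_SCORE
        else:
            lowest -= weight * MAX_SCORE
    return 100 * (raw - lowest) / (highest - lowest)

def rank_assets(assets):
    """Return (asset, index) pairs, highest risk first."""
    scored = [(name, risk_index(s)) for name, s in assets.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample assets and scores.
ASSETS = {
    "patient_records_db": dict(internet_exposure=2, unpatched_software=4,
        data_sensitivity=10, network_segmentation=8, monitoring_coverage=9),
    "legacy_workstation": dict(internet_exposure=6, unpatched_software=9,
        data_sensitivity=6, network_segmentation=2, monitoring_coverage=1),
    "public_web_portal": dict(internet_exposure=10, unpatched_software=3,
        data_sensitivity=3, network_segmentation=6, monitoring_coverage=8),
}

if __name__ == "__main__":
    for name, index in rank_assets(ASSETS):
        print(f"{index:5.1f}  {name}")
```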

More information about risk models can be found in Deliverable 3.2, which is publicly available here.