The cyber risk evaluation mechanism of SPHINX Toolkit
The main goal of any risk assessment model is to provide a relative or absolute quantification of risks in a comprehensible structure. Risk assessment and risk analysis explore the possible scenarios and the factors that influence each of them, in order to quantify how likely each scenario is.
In SPHINX this process is carried out by the Real Time Cyber Risk Assessment (RCRA) component, which periodically assesses the risk of cyber security incidents, determines their probable consequences and presents warning levels and alerts to users.
The RCRA component relies on data drawn from logging systems, from other SPHINX components such as VAaaS, AD, DTM, HP and SIEM, from external threat detection sources and from its own security protocol analysis, which together give it a rich body of information about cybersecurity threats. This information is multidimensional: it covers the threats most likely to appear and materialise, but also those that have already exploited existing vulnerabilities.
The RCRA has embedded security protocol analysis capabilities that enrich the available information about the security protocols used in the system and estimate the risk that the security guarantees of those protocols are breached.
Essentially, based on the available data, the RCRA component:
- makes forecasts of various types of cyber-attacks and incidents;
- makes forecasts of the multiple consequences of such attacks;
- aggregates such consequences in a utility model; and
- aggregates the above to assess the risk.
The diagram below shows the interactions of the RCRA component with the other SPHINX components:
Indices for each of the relevant consequences are also provided, and security level states are introduced. Using risk assessment methodologies, a security level is defined for each object, leading to a multi-perspective evaluation model. Moreover, the assessment model is not restricted to defining the level of security in the present: it also covers the near future, through forecasting techniques ranging from variations of exponential smoothing to state-of-the-art methods such as Long Short-Term Memory (LSTM) networks. In particular, attacks and their consequences are forecast, and a future risk assessment is carried out on the aggregated consequences. Warning levels for the risk indices are also determined, in order to alert users when needed.
A tentative approach at each timeframe is:
- Obtain the precursors;
- If an observed precursor lies above its upper forecast bound, raise an alarm;
- Compute the risk indices;
- If a risk index lies above its upper forecast bound or its warning level, raise an alarm;
- Update the forecasting models and issue forecasts for the indicators and the risk indices;
- If a warning level falls within a forecast interval, raise an alarm.
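The per-timeframe loop above, together with the utility aggregation of consequences and the smoothing-based forecasts described earlier, can be put together as in the following added illustration. This is example code written for this page, not SPHINX or RCRA code: the attack profiles, consequence weights, warning levels, the choice of simple exponential smoothing with an empirical prediction interval (floored at 10 % of the level so a flat history does not give a zero-width band), the "precursor divided by a scale" likelihood and the sample series are all assumptions made here.

```python
"""Added illustration of the six-step alarm loop; not SPHINX/RCRA code.
All profiles, weights, thresholds and sample data below are assumptions."""
from dataclasses import dataclass, field
from math import sqrt

# Assumed utility weights for the consequence dimensions (sum to 1).
CONSEQUENCE_WEIGHTS = {"confidentiality": 0.5, "integrity": 0.3, "availability": 0.2}

# Assumed attack profiles: which precursor drives the likelihood, the value at
# which likelihood saturates at 1.0, and the consequence severities in [0, 1].
ATTACK_PROFILES = {
    "brute_force": {"precursor": "failed_logins", "scale": 100.0,
                    "consequences": {"confidentiality": 0.8, "integrity": 0.4, "availability": 0.1}},
    "dos": {"precursor": "conn_rate", "scale": 1000.0,
            "consequences": {"confidentiality": 0.0, "integrity": 0.1, "availability": 1.0}},
}
WARNING_LEVELS = {"brute_force": 0.4, "dos": 0.15}  # assumed risk-index thresholds


@dataclass
class SmoothingForecaster:
    """Simple exponential smoothing with an interval of +/- z std of past errors."""
    alpha: float = 0.3
    z: float = 2.0
    rel_floor: float = 0.1      # minimum half-width as a fraction of the level
    level: float = None
    errors: list = field(default_factory=list)  # past one-step forecast errors

    def forecast(self):
        """Return (point, lower, upper) for the next value, or None if untrained."""
        if self.level is None or len(self.errors) < 2:
            return None
        n = len(self.errors)
        mean = sum(self.errors) / n
        sd = sqrt(sum((e - mean) ** 2 for e in self.errors) / (n - 1))
        half = max(self.z * sd, self.rel_floor * abs(self.level))
        return self.level, self.level - half, self.level + half

    def update(self, obs):
        if self.level is None:
            self.level = obs
            return
        self.errors.append(obs - self.level)
        self.level = self.alpha * obs + (1 - self.alpha) * self.level


def utility(consequences):
    """Aggregate a consequence vector into one scalar with the utility weights."""
    return sum(CONSEQUENCE_WEIGHTS[k] * v for k, v in consequences.items())


def compute_risk_indices(precursors):
    """Risk index per attack = likelihood from its precursor x aggregated consequence."""
    indices = {}
    for attack, p in ATTACK_PROFILES.items():
        likelihood = min(1.0, precursors[p["precursor"]] / p["scale"])
        indices[attack] = likelihood * utility(p["consequences"])
    return indices


class Assessor:
    """Keeps one forecaster per precursor and per risk index across timeframes."""

    def __init__(self):
        names = {p["precursor"] for p in ATTACK_PROFILES.values()}
        self.pre = {n: SmoothingForecaster() for n in names}
        self.risk = {a: SmoothingForecaster() for a in ATTACK_PROFILES}

    def assess(self, precursors):
        """Run the six steps for one timeframe; return (risk_indices, alarms)."""
        alarms = []
        # 1-2: observed precursors against the upper forecast bound
        for name, value in precursors.items():
            fc = self.pre[name].forecast()
            if fc and value > fc[2]:
                alarms.append(("precursor_above_forecast", name, value))
        # 3-4: risk indices against the warning level or the upper forecast bound
        indices = compute_risk_indices(precursors)
        for attack, ri in indices.items():
            fc = self.risk[attack].forecast()
            if ri >= WARNING_LEVELS[attack]:
                alarms.append(("risk_above_warning_level", attack, ri))
            elif fc and ri > fc[2]:
                alarms.append(("risk_above_forecast", attack, ri))
        # 5: update the models with this timeframe's values and re-forecast
        for name, value in precursors.items():
            self.pre[name].update(value)
        for attack, ri in indices.items():
            self.risk[attack].update(ri)
        # 6: a forecast interval that contains the warning level is itself an alarm
        for attack in indices:
            fc = self.risk[attack].forecast()
            if fc and fc[1] <= WARNING_LEVELS[attack] <= fc[2]:
                alarms.append(("warning_level_within_forecast", attack, fc))
        return indices, alarms


def run_demo():
    """Constructed series: six quiet timeframes, then a burst of failed logins."""
    series = [{"failed_logins": 5, "conn_rate": 300}] * 6 + [{"failed_logins": 120, "conn_rate": 320}]
    assessor = Assessor()
    return [assessor.assess(frame) for frame in series]


if __name__ == "__main__":
    for t, (indices, alarms) in enumerate(run_demo()):
        print(t, {k: round(v, 4) for k, v in indices.items()}, [a[:2] for a in alarms])
```

In the constructed run the six quiet timeframes raise nothing; the burst raises a precursor alarm for `failed_logins`, a warning-level alarm for the `brute_force` index, and, after the models are updated with the burst, a third alarm because the widened forecast interval for `brute_force` now covers its warning level. The modest rise in `conn_rate` stays inside its forecast band and raises nothing, which is the point of forecasting rather than fixed thresholds on every indicator.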
Depending on the alarm, different decisions need to be made. A generic model for incident handling and risk management is implemented so that warnings are handled properly.