11:40 - 13:00
Room: G1353
Oral session
Chair/s: Aitor Couce-Vieira
An adversarial risk analysis framework for cybersecurity
David Rios Insua 1, Aitor Couce-Vieira 1, Jose Antonio Rubio 2, Wolter Pieters 3, Daniel Garcia Rasines 4
1 Instituto de Ciencias Matemáticas, CSIC, Madrid
2 Analysis, Security and Systems Group, Complutense University of Madrid, Madrid
3 Safety & Security Science Group, Delft University of Technology, Delft
4 Department of Mathematics, Imperial College, London

Cybersecurity has become a critical issue for businesses and public administrations. The fast evolution of an increasingly connected society has brought risks that threaten our activities, finances and infrastructures. In this presentation, we introduce a risk analysis model that can be used to anticipate cyber attacks and to facilitate the implementation of optimal risk treatment strategies. Standard approaches in cybersecurity practice use risk analysis methods that are neither sufficiently formalised nor comprehensive enough (e.g., risk matrices). Our goal is to improve current risk assessment frameworks by introducing a scheme that incorporates all relevant parameters, including the decision maker's preferences and risk attitudes, the intentionality of adversaries, and decisions concerning cyber insurance adoption. This model, described in terms of influence diagrams and bi-agent influence diagrams, provides a framework for estimating the impact of the cybersecurity risks that IT owners may face.

We first introduce our integrated risk analysis approach stepwise, analysing the elements involved progressively, with a brief verbal interpretation and generic mathematical formulations of the diagrams. We then structure the problem through a case study: we identify the relevant assets, threats and security controls for the IT owner, and subsequently assess the impacts that may affect the value of the assets in order to find the optimal risk management portfolio in that scenario. We also model the attacker's decision problem and simulate it to obtain the attack probabilities.

This model helps IT owners decide their best resource allocation strategy regarding cybersecurity controls and cyber insurance. It also helps insurance companies design their cyber insurance products, using parametric variations to set insurance prices and coverages or to segment the market. It can be viewed as a template that can be extended to different types of organisations or to include a larger number of threats, attacks or assets.
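As an added illustration of the adversarial risk analysis template sketched above (this is not code from the paper, and every figure in it is a constructed assumption): the defender's decision is a portfolio of security controls plus a cyber insurance option; the attacker's decision problem is simulated with its gain and effort modelled as random variables, which yields the attack probabilities; the defender then selects the portfolio maximising expected utility under a risk-averse utility function.

```python
import math
import random
from itertools import product

# Constructed toy instance: all figures are illustrative assumptions, not values from the paper.
LOSS_GIVEN_SUCCESS = 300_000.0  # defender's loss if an attack succeeds
CONTROLS = {"none": (0.0, 0.8), "patching": (20_000.0, 0.4), "patching+mfa": (45_000.0, 0.15)}  # (cost, P(success | attack))
INSURANCE = {"no_insurance": (0.0, 0.0), "basic": (15_000.0, 0.6)}  # (premium, fraction of loss covered)

def defender_utility(net_cost, risk_aversion=1e-5):
    """Exponential (constant absolute risk aversion) utility over money lost; encodes the risk attitude."""
    return -math.exp(risk_aversion * net_cost)

def attack_probability(control, seed=0, n=5000):
    """ARA step: the attacker's gain and effort are unknown to the defender, so they are random variables;
    the attacker is assumed to attack when its expected gain exceeds its effort. Simulating that decision
    gives the defender's probability of being attacked under `control`."""
    rng = random.Random(seed)
    _, p_success = CONTROLS[control]
    attacks = 0
    for _ in range(n):
        gain = rng.lognormvariate(math.log(100_000), 0.5)  # attacker's payoff from a successful attack
        effort = rng.uniform(10_000, 80_000)               # attacker's cost of mounting the attack
        if p_success * gain - effort > 0:                  # attacker's (random) expected utility is positive
            attacks += 1
    return attacks / n

def expected_utility(control, insurance, p_attack):
    """Defender's expected utility for one (control, insurance) portfolio given the attack probability."""
    control_cost, p_success = CONTROLS[control]
    premium, coverage = INSURANCE[insurance]
    fixed = control_cost + premium
    p_loss = p_attack * p_success
    residual_loss = LOSS_GIVEN_SUCCESS * (1.0 - coverage)  # the insurer pays the covered share
    return p_loss * defender_utility(fixed + residual_loss) + (1.0 - p_loss) * defender_utility(fixed)

def optimal_portfolio(seed=0):
    """Evaluate every portfolio and return the one maximising the defender's expected utility."""
    results = {}
    for control, insurance in product(CONTROLS, INSURANCE):
        p_attack = attack_probability(control, seed)  # same seed: common random numbers across portfolios
        results[(control, insurance)] = expected_utility(control, insurance, p_attack)
    best = max(results, key=results.get)
    return best, results

if __name__ == "__main__":
    best, results = optimal_portfolio()
    print("optimal portfolio:", best, "expected utility:", round(results[best], 3))
```

Because the attack probability is recomputed for each control, the attacker's intentionality feeds back into the defender's choice: stronger controls lower both the success probability and the likelihood of being attacked at all.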

Reference: S44-01
Session: Risk management education and practice, part III
Presenter/s: Aitor Couce-Vieira
Presentation type: Oral presentation
Date: Wednesday, 20 June