The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on statistical approaches. Probabilistic cyber risk assessment methods, however, follow the general paradigm of probabilistic risk assessment, which requires the magnitude and the likelihood of incidents as inputs. Unfortunately, for cyber incidents, the likelihood of occurrence is hard to estimate based on historical and publicly available data; so, expert evaluations are commonly used, which however leave space to subjectivity. In this paper, we propose a novel probabilistic model, called MAGIC (Method for AssessinG cyber Incidents oCcurrence), to compute the likelihood of occurrence of a cyber incident, based on the evaluation of the cyber posture of the target organization. This allows deriving tailor-made inputs for probabilistic risk assessment methods, like HTMA (How To Measure Anything in cybersecurity risk), FAIR (Factor Analysis of Information Risk) and others, thus considerably reducing the margin of subjectivity in the assessment of cyber risk. We corroborate our approach through a qualitative and a quantitative comparison with several existing methods
MAGIC: A Method for Assessing Cyber Incidents Occurrence / Battaglioni, Massimo; Rafaiani, Giulia; Chiaraluce, Franco; Baldi, Marco. - In: IEEE ACCESS. - ISSN 2169-3536. - ELETTRONICO. - 10:(2022), pp. 73458-73473. [10.1109/ACCESS.2022.3189777]
MAGIC: A Method for Assessing Cyber Incidents Occurrence
MASSIMO BATTAGLIONI
Co-primo
;GIULIA RAFAIANICo-primo
;FRANCO CHIARALUCE;MARCO BALDI
2022-01-01
Abstract
The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on statistical approaches. Probabilistic cyber risk assessment methods, however, follow the general paradigm of probabilistic risk assessment, which requires the magnitude and the likelihood of incidents as inputs. Unfortunately, for cyber incidents, the likelihood of occurrence is hard to estimate based on historical and publicly available data; so, expert evaluations are commonly used, which however leave space to subjectivity. In this paper, we propose a novel probabilistic model, called MAGIC (Method for AssessinG cyber Incidents oCcurrence), to compute the likelihood of occurrence of a cyber incident, based on the evaluation of the cyber posture of the target organization. This allows deriving tailor-made inputs for probabilistic risk assessment methods, like HTMA (How To Measure Anything in cybersecurity risk), FAIR (Factor Analysis of Information Risk) and others, thus considerably reducing the margin of subjectivity in the assessment of cyber risk. We corroborate our approach through a qualitative and a quantitative comparison with several existing methods| File | Dimensione | Formato | |
|---|---|---|---|
|
MAGIC_A_Method_for_Assessing_Cyber_Incidents_Occurrence.pdf
accesso aperto
Tipologia:
Versione editoriale (versione pubblicata con il layout dell'editore)
Licenza d'uso:
Creative commons
Dimensione
1.39 MB
Formato
Adobe PDF
|
1.39 MB | Adobe PDF | Visualizza/Apri |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
