Volume 4 - Issue 2
Reconciling Malicious and Accidental Risk in Cyber Security
- Wolter Pieters
TU Delft; Technology, Policy and Management; ICT; Delft, The Netherlands, and University of Twente; EEMCS; Services, Cybersecurity and Safety; Enschede, The Netherlands
w.pieters@tudelft.nl
- Zofia Lukszo
TU Delft; Technology, Policy and Management; Energy & Industry; Delft, The Netherlands
z.lukszo@tudelft.nl
- Dina Hadziosmanovic
TU Delft; Technology, Policy and Management; ICT; Delft, The Netherlands
d.hadziosmanovic@tudelft.nl
- Jan van den Berg
TU Delft; Technology, Policy and Management; Energy & Industry; Delft, The Netherlands
j.vandenberg@tudelft.nl
Keywords: adversarial risk analysis, factor analysis of information risk, security metrics, threat event frequency
Abstract
Consider the question whether a cyber security investment is cost-effective. The answer depends on
the expected frequency of attacks. Unlike the threat event frequencies or hazard rates used in safety
risk management, the frequencies of targeted attacks are not independent of system design, because
attackers behave strategically: changing the design changes which targets are worth attacking. Although
risk assessment methods exist that deal with strategic attackers, these do not provide expected frequencies
as outputs, which makes it impossible to integrate them into existing (safety) risk management practices.
To overcome this problem, we propose to extend the FAIR (Factor Analysis of Information Risk) framework
to support malicious, targeted attacks. Our approach is based on (1) a clear separation of system
vulnerability from environmental threat event frequencies, and (2) deriving threat event frequencies from
attacker resources and attacker strategies rather than estimating them directly, drawing upon work in
adversarial risk analysis. This approach constitutes an innovative way to quantify expected attack
frequencies as a component of (information) security metrics for investment decisions.
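The abstract's central point, that a threat event frequency (TEF) derived from attacker strategy reacts to design changes while a directly estimated one does not, can be made concrete with a small FAIR-style calculation. The following Python block is an added illustration, not the authors' model or code: it uses FAIR's public decomposition (loss event frequency = TEF x vulnerability; risk = loss event frequency x loss magnitude) and an assumed, deliberately simple attacker rule (all attempts go to the target with the highest expected gain per attempt). The two targets, their figures and the attacker's yearly attempt budget are constructed for the example.

```python
"""Added illustration, not the authors' model: FAIR-style loss event frequency
(LEF = TEF x vulnerability) with the threat event frequency (TEF) derived from a
simple, assumed attacker strategy instead of being estimated directly.
All targets, figures and the attacker rule are constructed for the example."""
from dataclasses import dataclass, replace
from typing import Dict

# Constructed attacker resources: attempts the attacker can afford per year.
ATTEMPTS_PER_YEAR = 100


@dataclass(frozen=True)
class Target:
    name: str
    vulnerability: float    # FAIR vulnerability: P(attempt succeeds); a property of the system design
    loss_magnitude: float   # defender's expected loss per successful attack (constructed, EUR)
    attacker_gain: float    # attacker's payoff per success (constructed, arbitrary units)


def fair_lef(tef: float, vulnerability: float) -> float:
    """FAIR: loss event frequency = threat event frequency * vulnerability."""
    return tef * vulnerability


def annual_risk(targets: Dict[str, Target], tef: Dict[str, float]) -> Dict[str, float]:
    """FAIR risk per target: LEF * loss magnitude, i.e. expected annual loss."""
    return {n: fair_lef(tef[n], t.vulnerability) * t.loss_magnitude for n, t in targets.items()}


def derived_tef(targets: Dict[str, Target], attempts: float = ATTEMPTS_PER_YEAR) -> Dict[str, float]:
    """Assumed attacker strategy (a simplification, not the paper's): a rational
    attacker spends all attempts on the target(s) with the highest expected gain
    per attempt, i.e. vulnerability * attacker_gain; ties share attempts equally.
    The TEF therefore depends on vulnerability, and hence on the system design."""
    gain = {n: t.vulnerability * t.attacker_gain for n, t in targets.items()}
    best = max(gain.values())
    chosen = [n for n, g in gain.items() if abs(g - best) < 1e-9]
    return {n: (attempts / len(chosen) if n in chosen else 0.0) for n in targets}


def harden(targets: Dict[str, Target], name: str, new_vulnerability: float) -> Dict[str, Target]:
    """Return a copy of the portfolio with one target's vulnerability reduced."""
    out = dict(targets)
    out[name] = replace(out[name], vulnerability=new_vulnerability)
    return out


def investment_comparison(targets: Dict[str, Target], name: str, new_vulnerability: float,
                          historical_tef: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Annual risk after a control on `name` under
    (a) a fixed, directly estimated TEF (treated like a safety hazard rate), and
    (b) a TEF re-derived from the attacker's strategy after the change."""
    hardened = harden(targets, name, new_vulnerability)
    return {
        "fixed_tef": annual_risk(hardened, historical_tef),
        "derived_tef": annual_risk(hardened, derived_tef(hardened)),
    }


# Constructed portfolio: two targets in a utility's IT/OT estate.
PORTFOLIO = {
    "scada_hmi":  Target("scada_hmi",  vulnerability=0.6, loss_magnitude=200_000, attacker_gain=50),
    "billing_db": Target("billing_db", vulnerability=0.4, loss_magnitude=150_000, attacker_gain=60),
}

if __name__ == "__main__":
    baseline_tef = derived_tef(PORTFOLIO)   # attacker currently prefers the HMI (0.6*50 > 0.4*60)
    print("baseline TEF :", baseline_tef)
    print("baseline risk:", annual_risk(PORTFOLIO, baseline_tef))
    # Invest in the HMI so that its vulnerability drops from 0.6 to 0.2.
    result = investment_comparison(PORTFOLIO, "scada_hmi", 0.2, historical_tef=baseline_tef)
    print("after hardening, fixed TEF  :", result["fixed_tef"])    # billing_db appears untouched
    print("after hardening, derived TEF:", result["derived_tef"])  # attacks shift to billing_db
```

With the fixed TEF the investment appears to cut annual risk on the HMI by two thirds and leave the billing database at zero; with the derived TEF the attacker switches targets, the HMI's risk goes to zero and the billing database now carries a larger expected loss than the hardened HMI would have. The second view is the one the abstract argues for: the frequency is an output of the attacker's strategy over the design, so a cost-effectiveness estimate must recompute it after every candidate investment rather than reuse a historical rate.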