Automated Cyber and Privacy Risk Management Toolkit
Abstract
1. Introduction
2. Related Work
2.1. Cyber Risk Assessment
2.2. Privacy Risk Assessment
2.3. Optimal Risk Control and Cyber Investments
2.4. AMBIENT Novelty
3. AMBIENT: Automated Cyber and Privacy Risk Management Toolkit
3.1. Cybersecurity Risk Assessment
- Indicator Value Generator: collects all inputs from the external sources of information (e.g., questionnaire data, target information, vulnerabilities).
- Triggering Detector: receives new or updated indicator values, the target information used for the loss estimations and the risk models selected for the assessment, and invokes the Risk Model Executors whenever any of these inputs changes.
- Instantiator: creates an instance of the selected risk models (a qualitative one, evaluated by DEXi, and a quantitative one, evaluated in R) from the current indicator values received as inputs.
- Model Rules Executor: performs two analyses in parallel: (i) the qualitative risk assessment for the corresponding target and risk model, using the DEXi Model Rules Executor, and (ii) the quantitative risk assessment for the same target and risk model, using the R-based Model Rules Executor.
- Aggregator: groups the individual risk assessments of an organisation per asset (e.g., workstation, server, printer, cellphone), per risk model (e.g., Denial of Service, Bypass Login, Cross-Site Request Forgery) and/or per security attribute (i.e., confidentiality, integrity, availability).
- Data Warehouse: represents the central data storage component, which stores the following information: (i) users and organisations (input manually by administrators); (ii) users’ configuration parameters (input by end-users); (iii) risk models; (iv) catalogues of risks, mitigation measures and indicators; (v) risk reports (results of finished risk assessment procedures); (vi) active deployed sensors; (vii) events reported by sensors; (viii) alarms reported by the Monitoring Engine; and (ix) vulnerabilities found by the vulnerability scanners.
3.2. Privacy Risk Assessment
- A novel and extensible privacy risk scoring system that quantifies the privacy risks imposed by the identified (and already quantitatively scored) vulnerabilities and threats when they target assets that support the processing of personal data.
- A dynamic and extensible system model that maps the core GDPR entities and requirements, helping information security decision makers keep track of all risk-related information and assess the organisation's degree of compliance.
- Data Warehouse and Model Initialisation: these two components are closely related to each other. The Data Warehouse is a NoSQL database based on MongoDB (https://www.mongodb.com/ (accessed on 21 April 2021)) that stores all the external input, while the Model Initialisation component (a) "translates" the stored information, (b) consults the different modelling methods used in the Privacy Risk Assessment and (c) feeds the corresponding components directly.
- Asset Modelling: based on the inter-dependency graph approach introduced in [64]. Nodes represent the individual assets and edges the inter-dependencies among them. This graphical model is a cornerstone of the Privacy Risk Assessment: it is the "glue" that ties together ICT assets, data entries, threats and vulnerabilities so that the risky data processing activities of an organisation can be identified. The module annotates relations between assets with the inter-dependency types IsConnectedTo, IsUsedBy, IsProcessedBy, isLocatedIn, isStoredOn and IsInstalledOn. These relations are used not only between tangible ICT assets but also with intangible ones, such as data, health records and PII. By using the inter-dependency graph, a security analyst can identify potential privacy risks from a cartography of assets that encapsulates their vulnerabilities and the privacy threats posed against them. The graph therefore not only uncovers individual assets that are risky from a privacy perspective but, crucially, highlights privacy-risky paths, i.e., chains of assets involved in a specific processing activity.
- GDPR Modelling: the Processing Activity is the principal element of the GDPR modelling and aggregates all GDPR-related information. The main information a Processing Activity holds can be divided in three parts: (a) the processing purpose together with the involved entities, (b) all the processed personal data, assigned to specific data subjects, and (c) the asset chain involved in the processing activity. By combining these elements, the security analyst can consolidate all the necessary information about a processing activity, including the supporting ICT assets, and define its dependency on the intangible personal and sensitive data assets. Since information systems may store and process a huge amount of data whose criticality is not uniform, the GDPR modelling adopts a specific data categorisation. Categorising personal data is considered essential [65], as some processing activities deal with publicly available data while others handle financial or even sensitive data. Such data types need different criticality levels, and personal and sensitive data must be treated as the types with the highest impact on the fundamental rights and freedoms of individuals in case of a data breach [66]. AMBIENT therefore uses the following categories, based on the classification proposed in [67], and assigns them different criticality scores according to the scoring methodology presented in [34]:
  - Sensitive personal data (e.g., medical data, legal documents);
  - Personal data (e.g., data which uniquely identify a person, such as IDs, Social Security Number (SSN), personal or marital status);
  - Financial data (e.g., data related to financial transactions, accounting entries);
  - Operational data (e.g., data generated during the execution of a service, log files);
  - Other data (e.g., data that cannot be classified in any of the above categories and belong to a lower criticality level).
  In practice, it is up to the Data Protection Officer (DPO) or the security administrator to identify the correct data class when instantiating AMBIENT for the identified processing activities of the organisation.
- Privacy Threat Modelling: this component, as its name suggests, provides the threat characterisation score. Given the quantitatively scored vulnerabilities and threats, it computes the privacy score contribution from (a) the type of the threat, (b) the sensitivity of the corresponding vulnerable asset and (c) the calculated cybersecurity risk score. These factors feed a formula inspired by [68], so that the score reflects the impact a cyber threat may have on the data protection and privacy dimension.
- Privacy Impact Assessment: this component aggregates the information from the modelling components and calculates the privacy scores. The scores are computed per asset and quantify the impact a vulnerability or threat may have through the affected asset, which supports one or more data processing activities. Given the severity of the threat and the particulars derived by the Privacy Threat Modelling component, the Privacy Impact Assessment component assesses the impact on the fundamental rights and freedoms of individuals, following the classification used by the European Union Agency for Cybersecurity (ENISA) [44]. The privacy scoring system combines two factors: the threat characterisation and the privacy impact. It uses a weighted scale that focuses on the impact to users' privacy while still taking the threat into account; the exact values of the weights are parameters that can be adjusted to the preferences and domain knowledge of experts in different sectors. The weighted scale formula is given by the formula . More details on the idea behind this weighted formula can be found in [34].
- Privacy Risk Quantification Engine: the main component of the Privacy Impact Assessment, which provides three different privacy scores: (a) the asset-level privacy score, (b) the processing activity-level privacy score and (c) the organisation-level (global) privacy score.
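The following Python script is an added example, not AMBIENT code, of how the asset inter-dependency graph, the data categorisation and the three-level privacy scores fit together. Everything numeric in it is an assumption of the example rather than the paper's: the criticality value per data category, which inter-dependency types propagate data sensitivity to an ICT asset, the threat characterisation as threat-type weight x asset sensitivity x cyber risk score, the privacy impact as 10 x sensitivity, the weighted combination w_threat * TC + w_impact * PI (with the impact weight larger, as the paper's scale favours impact), and max-aggregation from assets to processing activities and to the organisation. The hospital-style assets, threats and scores are constructed for the example.

```python
"""Inter-dependency graph and asset / processing-activity / global privacy scores.

Added example; not AMBIENT code. Assumptions not stated in the paper: the
numeric criticality per data category, the edge types along which data
sensitivity propagates, the threat characterisation and privacy impact
formulas, the weighted score w_threat*TC + w_impact*PI, and max-aggregation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The paper's five data categories, most to least critical. Values are assumed.
DATA_CRITICALITY = {"sensitive_personal": 1.0, "personal": 0.8,
                    "financial": 0.6, "operational": 0.4, "other": 0.2}

# The paper's inter-dependency types; the subset along which data sensitivity
# flows (src -> dst) is an assumption of this example.
EDGE_TYPES = {"IsConnectedTo", "IsUsedBy", "IsProcessedBy",
              "isLocatedIn", "isStoredOn", "IsInstalledOn"}
PROPAGATES = {"IsProcessedBy", "isLocatedIn", "isStoredOn", "IsInstalledOn"}


@dataclass
class Asset:
    name: str
    data_category: Optional[str] = None   # set for intangible data assets only
    cyber_risk: float = 0.0               # 0..10, produced by the cyber risk module
    threats: Dict[str, float] = field(default_factory=dict)  # threat -> type weight 0..1


class DependencyGraph:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.edges: List[Tuple[str, str, str]] = []   # (src, dst, type)

    def add(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def link(self, src: str, dst: str, edge_type: str) -> None:
        if edge_type not in EDGE_TYPES:
            raise ValueError(f"unknown inter-dependency type: {edge_type}")
        if src not in self.assets or dst not in self.assets:
            raise KeyError("both endpoints must be registered assets")
        self.edges.append((src, dst, edge_type))

    def sensitivity(self, name: str) -> float:
        """Max criticality of the data that reaches `name` (transitively) along
        PROPAGATES edges; a data asset reports its own category."""
        asset = self.assets[name]
        if asset.data_category:
            return DATA_CRITICALITY[asset.data_category]
        best, seen, stack = 0.0, set(), [name]
        while stack:                       # walk edges backwards towards the data
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            for src, dst, et in self.edges:
                if dst == node and et in PROPAGATES:
                    cat = self.assets[src].data_category
                    if cat:
                        best = max(best, DATA_CRITICALITY[cat])
                    else:
                        stack.append(src)
        return best


def threat_characterisation(asset: Asset, sensitivity: float) -> float:
    """(a) threat type, (b) sensitivity of the vulnerable asset, (c) cyber risk -> 0..10."""
    if not asset.threats:
        return 0.0
    return max(asset.threats.values()) * sensitivity * asset.cyber_risk


def privacy_impact(sensitivity: float) -> float:
    """Impact on data subjects' rights and freedoms, 0..10 (assumed mapping)."""
    return 10.0 * sensitivity


def asset_privacy_score(graph: DependencyGraph, name: str,
                        w_threat: float = 0.4, w_impact: float = 0.6) -> float:
    """Weighted scale: impact weighs more than the threat; no threat -> no score."""
    asset = graph.assets[name]
    if not asset.threats:
        return 0.0
    s = graph.sensitivity(name)
    return round(w_threat * threat_characterisation(asset, s) + w_impact * privacy_impact(s), 2)


@dataclass
class ProcessingActivity:
    purpose: str
    chain: List[str]   # asset chain supporting this activity (analyst-defined)


def activity_score(graph, pa: ProcessingActivity, **weights) -> float:
    return max(asset_privacy_score(graph, a, **weights) for a in pa.chain)


def risky_path(graph, pa: ProcessingActivity, threshold: float = 7.0, **weights) -> List[str]:
    """Assets of the chain whose score reaches the threshold: the privacy-risky path."""
    return [a for a in pa.chain if asset_privacy_score(graph, a, **weights) >= threshold]


def global_score(graph, activities: List[ProcessingActivity], **weights) -> float:
    return max(activity_score(graph, pa, **weights) for pa in activities)


def build_demo():
    """Constructed hospital-style sample; not the paper's testbed data."""
    g = DependencyGraph()
    g.add(Asset("patient_records", data_category="sensitive_personal"))
    g.add(Asset("log_files", data_category="operational"))
    g.add(Asset("SAVAC-client"))
    g.add(Asset("WS-01", cyber_risk=8.0, threats={"trojan_malware": 0.7}))
    g.add(Asset("SAVAC-DB", cyber_risk=6.0, threats={"sql_injection": 0.9}))
    g.add(Asset("DC", cyber_risk=2.0))
    g.link("patient_records", "SAVAC-client", "IsProcessedBy")
    g.link("SAVAC-client", "WS-01", "IsInstalledOn")
    g.link("log_files", "WS-01", "isStoredOn")
    g.link("patient_records", "SAVAC-DB", "isStoredOn")
    g.link("SAVAC-DB", "DC", "isLocatedIn")
    g.link("WS-01", "SAVAC-DB", "IsConnectedTo")
    care = ProcessingActivity("patient care",
                              ["patient_records", "SAVAC-client", "WS-01", "SAVAC-DB", "DC"])
    research = ProcessingActivity("research export", ["patient_records", "SAVAC-DB"])
    return g, [care, research]


if __name__ == "__main__":
    g, acts = build_demo()
    for pa in acts:
        print(pa.purpose, activity_score(g, pa), risky_path(g, pa))
    print("global", global_score(g, acts))
```

Note that the workstation ends up as sensitive as the database: its own stored data are only operational, but the client installed on it processes the patient records, and the graph walk picks that up. That is the kind of hidden chain the inter-dependency model is meant to expose.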
3.3. Risk Mitigation
- Determine the best long-term cybersecurity strategies, delivered as advice, for mitigating cyber and privacy risks subject to financial constraints. The Core model is built from fundamental principles of cybersecurity risk management, and the underlying decision-making problem is solved by multi-criteria mathematical optimisation.
- Visualise the cybersecurity advice in terms of the CIS Controls v7.1 [2], a well-known framework of cybersecurity safeguards, by generating practical and detailed advice on the tools and processes required to implement the safeguards. It also visualises the performance of the cyber controls in terms of risk mitigation.
- Visualise the results of risk improvement through the Dashboard, to make decision makers aware of how each cybersecurity safeguard improves the security posture of the organisation.
- Prioritise the short-term cyber actions the organisation must take against the specific cyber threats and risks identified by the cybersecurity and privacy risk modules.
- Risk Parameters Initialiser: this component initialises the parameters required to compute the optimal set of safeguards that mitigate cyber and privacy risks, including the reports received from the risk assessment modules.
- Safeguard Game Generator: this component generates a strategic game between a defending agent and an attacking agent, using the game-theoretic notion of equilibrium as the optimal point [70]. The game is defined by the actions available to each agent and their payoff functions: the defending agent chooses among different ways of implementing a cyber control, and the attacking agent among different attack methods.
- Safeguard Game Solver: this component computes the game equilibria, i.e., the optimal implementation way (which can be seen as a level when the ways differ in the intensity with which the control is implemented) for each control used to mitigate cyber and privacy risks against the attacking agent. The Risk Mitigation module uses the 20 CIS Controls and their 171 sub-controls, and solves one game per sub-control to build a repository of optimal available safeguards.
- Cybersecurity Budget Distributor: this component takes a budget and distributes it among the 20 CIS Controls; each control's share is then allocated to its safeguards.
- Combinatorial Safeguards Generator: for each CIS Control, this component enumerates the combinations of the safeguards previously computed by the Safeguard Game Solver.
- Safeguards Plan Solver: given the budget allocation derived above, this component selects the combination of safeguards that fits the defending agent's available budget and minimises the maximum risk the attacking agent can inflict, in line with the "weakest link" principle [11].
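As an added example (not AMBIENT's solver), the Python script below runs the last three steps on constructed data: one safeguard game per control, a repository of the defender's guaranteed residual risk per implementation level, and a plan solver that enumerates one level per control within a budget and minimises the maximum residual risk. It simplifies the paper's method in two ways that are assumptions of the example: each game is treated as zero-sum over a residual-risk matrix and solved in pure strategies by minimax (true equilibria may be mixed), and the organisation's risk is taken as the maximum over controls, which is one reading of the weakest-link principle. The three CIS-style controls, their level costs and the risk matrices are invented for the example.

```python
"""Per-control safeguard games and a budget-constrained safeguard plan.

Added example, not AMBIENT code. Assumptions not taken from the paper: each
control's game is zero-sum with a residual-risk matrix (rows = implementation
levels, columns = attack methods) solved in pure strategies by minimax; the
organisation's risk is the maximum residual risk across controls (weakest
link); the plan is the cheapest combination of one level per control that
fits the budget and minimises that maximum.
"""
from itertools import product
from typing import Dict, Tuple

# Constructed sample data (not the paper's testbed): three CIS-style controls,
# the cost of each implementation level, and the residual risk (0..10) left to
# the defender for each (level, attack method) pair.
CONTROLS = {
    "CIS1_inventory": {
        "cost": {"none": 0, "manual": 2, "automated": 5},
        "attacks": ["rogue_device", "stale_asset"],
        "risk": {"none": [9, 8], "manual": [6, 7], "automated": [3, 2]},
    },
    "CIS3_vuln_mgmt": {
        "cost": {"none": 0, "quarterly_scan": 3, "continuous_scan": 6},
        "attacks": ["known_cve_exploit", "zero_day"],
        "risk": {"none": [10, 7], "quarterly_scan": [6, 7], "continuous_scan": [2, 6]},
    },
    "CIS8_malware": {
        "cost": {"none": 0, "signature_av": 2, "edr": 4},
        "attacks": ["trojan", "ransomware"],
        "risk": {"none": [9, 9], "signature_av": [5, 7], "edr": [3, 3]},
    },
}

Safeguard = Tuple[int, int, str]   # (cost, guaranteed residual risk, attacker's best response)


def solve_game(control: dict) -> Dict[str, Safeguard]:
    """Safeguard Game Solver for one control: for each implementation level,
    the attacker's best response and the residual risk the level guarantees."""
    repo = {}
    for level, row in control["risk"].items():
        j = max(range(len(row)), key=row.__getitem__)   # attack maximising residual risk
        repo[level] = (control["cost"][level], row[j], control["attacks"][j])
    return repo


def equilibrium(safeguards: Dict[str, Safeguard]) -> str:
    """Defender's pure minimax level: lowest guaranteed risk, cheapest on ties."""
    return min(safeguards, key=lambda lvl: (safeguards[lvl][1], safeguards[lvl][0]))


def build_repository(controls: dict) -> Dict[str, Dict[str, Safeguard]]:
    """Repository of optimal available safeguards, one game per control."""
    return {name: solve_game(ctrl) for name, ctrl in controls.items()}


def plan_solver(repo: Dict[str, Dict[str, Safeguard]], budget: int) -> dict:
    """Combinatorial Safeguards Generator + Safeguards Plan Solver: enumerate one
    level per control, keep combinations within budget, minimise the maximum
    residual risk (weakest link); the cheaper plan wins on ties."""
    names = list(repo)
    best = None
    for combo in product(*(repo[n].items() for n in names)):
        cost = sum(sg[0] for _, sg in combo)
        if cost > budget:
            continue
        worst = max(sg[1] for _, sg in combo)
        if best is None or (worst, cost) < (best["max_risk"], best["cost"]):
            best = {
                "max_risk": worst,
                "cost": cost,
                "plan": {n: lvl for n, (lvl, _) in zip(names, combo)},
                "weakest_link": [n for n, (_, sg) in zip(names, combo) if sg[1] == worst],
            }
    return best   # None when nothing fits the budget


if __name__ == "__main__":
    repo = build_repository(CONTROLS)
    for name, sgs in repo.items():
        eq = equilibrium(sgs)
        print(f"{name}: equilibrium level {eq} -> {sgs[eq]}")
    for budget in (2, 10, 15):
        print(f"budget {budget}: {plan_solver(repo, budget)}")
```

With a budget of 10 the solver does not buy EDR or automated discovery, although both are their controls' equilibria: vulnerability management can only reach a residual risk of 7 within budget, so spending on the other controls beyond that level does not lower the maximum. Once the budget reaches 15, all three equilibrium levels fit and the weakest link moves to the zero-day column of the vulnerability-management game.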
4. AMBIENT Demonstration
4.1. Testbed Description
- SAVAC client application: either accessed from the CITRIX (https://www.citrix.com/ (accessed on 17 April 2021)) server farm or from a PC that has the client version installed locally, connects to the SAVAC database, which is installed in the hospital’s Data Center (DC).
- Workstations: three PCs placed in the users' VLAN, with the basic programs and subject to the hospital's user-credential handling procedures.
- SAVAC Database server: a cluster of servers that holds all the stored information.
- Firewall: the hospital's DC is supervised by a firewall system in which specific rules are programmed. The users' VLAN, servers and devices are bidirectionally connected to the hospital's firewall.
- Switch: this network component has a dedicated link to the cluster of servers and another to the rest of the network's elements.
- Analyser: the hospital uses analytics platforms that operate directly on the data collected by SAVAC and generate analytic dashboards and visualisation reports for the hospital managers.
- PACS image server: images are stored on a PACS (Picture Archiving and Communication System) server. To retrieve an image, SAVAC calls a URL that carries the unique identifier of the patient's image study.
- Integration server: used to collect all data and external files and integrate them into SAVAC, either in the database, on the file server, or through external links using identifiers, as in the PACS image server example.
- Medical equipment: different medical devices placed in a VLAN.
- Smartphone: smart devices connect through the hospital's Wi-Fi (open Wi-Fi validated via a captive portal), using a specific identification that the hospital's firewall allows to be visible, to operate and to have internet access.
4.2. Use Case Scenarios
- Cross-border patient data exchange, originating when a patient of hospital A falls ill while abroad and, given the emergency, the foreign hospital (hospital B) requests the patient's health records from hospital A.
- Data exchange in mobile healthcare platforms, which considers malfunctioning IoT devices that fail to register measurements, causing not only service disruption but also threats to the patients' safety and health.
- Data exchange in remote healthcare services, which includes threats to the confidentiality and integrity of the patients' data coming from healthcare devices and applications (e.g., mobile applications for collecting blood pressure, heart rate, temperature, etc.).
- Data exchange for healthcare research, which includes privacy challenges arising from the exchange of health data for research purposes with third parties such as universities and research groups.
4.3. CVE & Threat Model Selection
- CVE-2020-11896 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11896 (accessed on 31 May 2021)), a remote code execution vulnerability in the Treck TCP/IP stack (one of the Ripple20 flaws) related to IPv4 tunneling;
- CVE-2019-11510 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510 (accessed on 31 May 2021)), an unauthenticated arbitrary file read in Pulse Connect Secure that allows attackers to remotely access the targeted network.
4.4. Cybersecurity and Privacy Risk Assessment Results
4.5. Risk Mitigation Results
4.5.1. Reactive Controls
4.5.2. Preemptive Controls Subject to a Budget
5. Discussion and Conclusions
5.1. Discussion
5.2. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- [1] Whitman, M.E.; Mattord, H.J. Principles of Information Security; Cengage Learning: Boston, MA, USA, 2011.
- [2] Centre for Internet Security. CIS Controls v7.1. 2020. Available online: https://www.cisecurity.org/controls/ (accessed on 31 May 2021).
- [3] Kruse, C.S.; Frederick, B.; Jacobson, T.; Monticone, D.K. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technol. Health Care 2017, 25, 1–10.
- [4] Verizon. 2020 Data Breach Investigations Report. 2020. Available online: https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf (accessed on 30 March 2021).
- [5] Bischoff, P. 172 Ransomware Attacks on US Healthcare Organizations Since 2016 (Costing Over $157 Million). 2020. Available online: https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/ (accessed on 30 March 2021).
- [6] Verizon. 2019 Data Breach Investigations Report. 2019. Available online: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf (accessed on 12 April 2021).
- [7] Martin, G.; Ghafur, S.; Kinross, J.; Hankin, C.; Darzi, A. WannaCry—A Year on; British Medical Journal Publishing Group: London, UK, 2018.
- [8] European Commission. General Data Protection Regulation (GDPR). Available online: https://gdpr-info.eu/ (accessed on 8 June 2021).
- [9] National Institute of Standards and Technology. NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management; Version 1.0; US Department of Commerce: Columbia, WA, USA, 2020.
- [10] Nespoli, P.; Papamartzivanos, D.; Gómez Mármol, F.; Kambourakis, G. Optimal Countermeasures Selection Against Cyber Attacks: A Comprehensive Survey on Reaction Frameworks. IEEE Commun. Surv. Tutor. 2018, 20, 1361–1396.
- [11] Arce, I. The weakest link revisited [information security]. IEEE Secur. Priv. 2003, 1, 72–76.
- [12] Vavoulas, N.; Xenakis, C. A Quantitative Risk Analysis Approach for Deliberate Threats. In Proceedings of the 5th International Workshop on Critical Information Infrastructures Security (CRITIS), Athens, Greece, 23–24 September 2010.
- [13] Vesely, W.; Dugan, J.; Fragola, J.; Minarick, J.; Railsback, J. Fault Tree Handbook with Aerospace Applications (NASA Project). 2002. Available online: http://www.mwftr.com/CS2/Fault%20Tree%20Handbook_NASA.pdf (accessed on 31 May 2021).
- [14] Ruijters, E.; Stoelinga, M. Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools. Comput. Sci. Rev. 2015, 15, 29–62.
- [15] Jiang, X.; Neapolitan, R.E.; Barmada, M.M.; Visweswaran, S. Learning genetic epistasis using Bayesian network scoring criteria. BMC Bioinform. 2011, 12, 1–12.
- [16] Koumenides, C.L.; Shadbolt, N.R. Combining link and content-based information in a Bayesian inference model for entity search. In Proceedings of the 1st Joint International Workshop on Entity-Oriented and Semantic Search, Portland, OR, USA, 16 August 2012; pp. 1–6.
- [17] Haugh, M. Monte-Carlo Methods for Risk Management. In IEOR E4602: Quantitative Risk Management; 2016. Available online: https://martin-haugh.github.io/files/QRM/MC_RiskManage.pdf (accessed on 12 April 2021).
- [18] Komorowski, M.; Raffa, J. Markov Models and Cost Effectiveness Analysis: Applications in Medical Research. Second. Anal. Electron. Health Rec. 2016, 351–367.
- [19] Yu-Ting, D.; Hai-Peng, Q.; Xi-Long, T. Real-time risk assessment based on hidden Markov model and security configuration. In Proceedings of the Conference on Information Science, Electronics & Electrical Engineering, Wuhan, China, 7–9 March 2014.
- [20] Gonzalez Granadillo, G.; Doynikova, E.; Garcia-Alfaro, J.; Kotenko, I.; Fedorchenko, A. Stateful RORI-based countermeasure selection using hypergraphs. J. Inf. Secur. Appl. 2020, 54.
- [21] Gonzalez-Granadillo, G.; Dubus, S.; Motzek, A.; Garcia-Alfaro, J.; Alvarez, E.; Merialdo, M.; Papillon, S.; Debar, H. Dynamic risk management response system to handle cyber threats. Future Gener. Comput. Syst. 2018, 83, 535–552.
- [22] Gonzalez-Granadillo, G.; Alvarez, E.; Motzek, A.; Merialdo, M.; Garcia-Alfaro, J.; Debar, H. Towards an Automated and Dynamic Risk Management Response System. In Proceedings of the Nordic Conference on Secure IT Systems NordSec, Oulu, Finland, 2–4 November 2016; pp. 37–53.
- [23] Ganin, A.A.; Quach, P.; Panwar, M.; Collier, Z.A.; Keisler, J.M.; Marchese, D.; Linkov, I. Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management. Risk Anal. Int. J. 2017, 40, 183–199.
- [24] Radanliev, P.; De Roure, D.C.; Nicolescu, R.; Huth, M.; Montalvo, R.M.; Cannady, S.; Burnap, P. Future developments in cyber risk assessment for the internet of things. Comput. Ind. 2018, 102, 14–22.
- [25] Varela-Vaca, A.J.; Parody, L.; Gasca, R.M.; Gómez-López, M.T. Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Model. IEEE J. Access 2019, 7, 26448–26465.
- [26] Bay Dynamics. Cyber Value at Risk: Quantify the Financial Impact of Cyber Risk. Available online: https://www.ten-inc.com/presentations/2017_ISE_NE_BayDynamics_WP.pdf (accessed on 5 August 2021).
- [27] Fry, A.; Harrison, A.; Daigneault, M. Micromorts—What is the risk? Br. J. Oral Maxillofac. Surg. 2016, 54, 230–231.
- [28] Biswas, B.; Mukhopadhyay, A.; Bhattacharjee, S.; Kumar, A.; Delen, D. A text-mining based cyber-risk assessment and mitigation framework for critical analysis of online hacker forums. Decis. Support Syst. 2021, 113651.
- [29] Wang, Z.; Chen, L.; Song, S.; Cong, P.X.; Ruan, Q. Automatic cyber security risk assessment based on fuzzy fractional ordinary differential equations. Alex. Eng. J. 2020, 59, 2725–2731.
- [30] Derbyshire, R.; Green, B.; Hutchison, D. "Talking a different Language": Anticipating adversary attack cost for cyber risk assessment. Comput. Secur. 2021, 103, 102163.
- [31] Clarke, R. Privacy impact assessment: Its origins and development. Comput. Law Secur. Rev. 2009, 25, 123–135.
- [32] Oetzel, M.C.; Spiekermann, S. A systematic methodology for privacy impact assessments: A design science approach. Eur. J. Inf. Syst. 2014, 23, 126–150.
- [33] Vemou, K.; Karyda, M. An Evaluation Framework for Privacy Impact Assessment Methods. In Proceedings of the 12th Mediterranean Conference on Information Systems (MCIS), Corfu, Greece, 28–30 September 2018.
- [34] Papamartzivanos, D.; Menesidou, S.A.; Gouvas, P.; Giannetsos, T. A Perfect Match: Converging and Automating Privacy and Security Impact Assessment On-the-Fly. Future Internet 2021, 13, 30.
- [35] British Standards Institution. Data Protection—Specification for a Personal Information Management System. 2017. Available online: https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/ (accessed on 12 July 2021).
- [36] ISO/IEC 29151:2017. Information Technology—Security Techniques—Code of Practice for Personally Identifiable Information Protection. 2017. Available online: https://www.iso.org/standard/62726.html (accessed on 12 July 2021).
- [37] ISO/IEC 27018:2014. Information Technology—Security Techniques—Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors. 2014. Available online: https://www.iso.org/standard/61498.html (accessed on 12 July 2021).
- [38] Wei, Y.C.; Wu, W.C.; Lai, G.H.; Chu, Y.C. pISRA: Privacy considered information security risk assessment model. J. Supercomput. 2020, 76, 1468–1481.
- [39] ISO/IEC 29134:2017. Information Technology—Security Techniques—Guidelines for Privacy Impact Assessment. 2017. Available online: https://www.iso.org/standard/62289.html (accessed on 12 July 2021).
- [40] Wagner, I.; Eckhoff, D. Technical Privacy Metrics: A Systematic Survey. ACM Comput. Surv. 2018, 51.
- [41] National Institute of Standards and Technology. NIST Privacy Risk Assessment Methodology (PRAM). 2020. Available online: https://www.nist.gov/privacy-framework/nist-pram (accessed on 29 March 2021).
- [42] Commission Nationale de l'Informatique et des Libertés. Privacy Impact Assessment (PIA) 1: Methodology. 2018. Available online: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-1-en-methodology.pdf (accessed on 8 November 2020).
- [43] Information Commissioner's Office. Data Protection Impact Assessments (DPIAs). 2018. Available online: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/ (accessed on 8 November 2020).
- [44] ENISA. On-line Tool for the Security of Personal Data Processing. Available online: https://www.enisa.europa.eu/risk-level-tool/risk (accessed on 8 November 2020).
- [45] Arnell, S. GDPR Data Protection Impact Assessment Tool. Available online: https://github.com/simonarnell/GDPRDPIAT (accessed on 8 November 2020).
- [46] IITR. Compliance Kit 2.0. Available online: https://www.iitr.us/products-services/compliance-kit.html (accessed on 8 November 2020).
- [47] Manna, A.; Sengupta, A.; Mazumdar, C. A Quantitative Methodology for Business Process-Based Data Privacy Risk Computation. Adv. Comput. Syst. Secur. 2020, 10, 17–33.
- [48] Henriksen-Bulmer, J.; Faily, S.; Jeary, S. DPIA in Context: Applying DPIA to Assess Privacy Risks of Cyber Physical Systems. Future Internet 2020, 12, 93.
- [49] Gordon, L.A.; Loeb, M.P. The economics of information security investment. ACM Trans. Inf. Syst. Secur. (TISSEC) 2002, 5, 438–457.
- [50] Fielder, A.; Panaousis, E.; Malacaria, P.; Hankin, C.; Smeraldi, F. Decision support approaches for cyber security investment. Decis. Support Syst. 2016, 86, 13–23.
- [51] Panda, S.; Panaousis, E.; Loukas, G.; Laoudias, C. Optimizing Investments in Cyber Hygiene for Protecting Healthcare Users. In From Lambda Calculus to Cybersecurity Through Program Analysis; Springer: Berlin/Heidelberg, Germany, 2020; pp. 268–291.
- [52] Rontidis, G.; Panaousis, E.; Laszka, A.; Dagiuklas, T.; Malacaria, P.; Alpcan, T. A game-theoretic approach for minimizing security risks in the internet-of-things. In Proceedings of the 2015 IEEE International Conference on Communication Workshop (ICCW), London, UK, 8–12 June 2015; pp. 2639–2644.
- [53] Panaousis, E.; Karapistoli, E.; Elsemary, H.; Alpcan, T.; Khuzani, M.; Economides, A.A. Game theoretic path selection to support security in device-to-device communications. Ad Hoc Netw. 2017, 56, 28–42.
- [54] Fielder, A.; Panaousis, E.; Malacaria, P.; Hankin, C.; Smeraldi, F. Game theory meets information security management. In Proceedings of the IFIP International Information Security Conference, Marrakech, Morocco, 2–4 June 2014; pp. 15–29.
- [55] Wang, S.S. Integrated framework for information security investment and cyber insurance. Pac. Basin Financ. J. 2019, 57, 101173.
- [56] Nagurney, A.; Daniele, P.; Shukla, S. A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints. Ann. Oper. Res. 2017, 248, 405–427.
- [57] Chronopoulos, M.; Panaousis, E.; Grossklags, J. An options approach to cybersecurity investment. IEEE Access 2017, 6, 12175–12186.
- [58] Zhang, H.; Chari, K.; Agrawal, M. Decision support for the optimal allocation of security controls. Decis. Support Syst. 2018, 115, 92–104.
- [59] Fielder, A.; König, S.; Panaousis, E.; Schauer, S.; Rass, S. Risk assessment uncertainties in cybersecurity investments. Games 2018, 9, 34.
- [60] Paul, J.A.; Wang, X. Socially optimal IT investment for cybersecurity. Decis. Support Syst. 2019, 122, 113069.
- [61] Dutta, A.; Al-Shaer, E. Cyber defense matrix: A new model for optimal composition of cybersecurity controls to construct resilient risk mitigation. In Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security, Nashville, TN, USA, 1–3 April 2019; pp. 1–2.
- [62] Gonzalez-Granadillo, G.; Gonzalez-Zarzosa, S.; Diaz, R. Security Information and Event Management (SIEM): Analysis, Trends, and Usage in Critical Infrastructures. Sensors 2021, 21, 4759.
- [63] Bohanec, M. DEXi: Program for Multi-Attribute Decision Making, User's Manual, Version 5.05. Available online: https://kt.ijs.si/MarkoBohanec/pub/DEXiManual505.pdf (accessed on 12 June 2021).
- [64] Polemi, N.; Kotzanikolaou, P. Medusa: A Supply Chain Risk Assessment Methodology. In Cyber Security and Privacy; Cleary, F., Felici, M., Eds.; Springer International Publishing: Cham, Switzerland, 2015; pp. 79–90.
- [65] Ahmadian, A.S.; Strüber, D.; Riediger, V.; Jürjens, J. Supporting Privacy Impact Assessment by Model-Based Privacy Analysis. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing, Pau, France, 9–13 April 2018; Association for Computing Machinery: New York, NY, USA, 2018; pp. 1467–1474.
- [66] De Capitani Di Vimercati, S.; Foresti, S.; Livraga, G.; Samarati, P. Data privacy: Definitions and techniques. Int. J. Uncertain. Fuzziness Knowl. Based Syst. 2012, 20, 793–817.
- [67] Makri, E.L.; Georgiopoulou, Z.; Lambrinoudakis, C. A Proposed Privacy Impact Assessment Method Using Metrics Based on Organizational Characteristics. In Computer Security; Springer International Publishing: Cham, Switzerland, 2020; pp. 122–139.
- [68] QED Secure Solutions. Risk Scoring System for Medical Devices (RSS-MD) Technical Specification Guide. Available online: https://www.riskscoringsystem.com/medical/techspecmedical.pdf (accessed on 8 November 2020).
- [69] ENISA. Procurement Guidelines for Cybersecurity in Hospitals. Available online: https://www.enisa.europa.eu/publications/good-practices-for-the-security-of-healthcare-services.pdf (accessed on 15 February 2021).
- [70] Nash, J. Equilibrium points in n-person games. Proc. Natl. Acad. Sci. USA 1950, 36, 48–49.
- [71] Mohammadi, F.; Panou, A.; Ntantogian, C.; Karapistoli, E.; Panaousis, E.; Xenakis, C. CUREX: SeCUre and pRivate hEalth data eXchange. In Proceedings of the IEEE/WIC/ACM International Conference on Web Intelligence, Thessaloniki, Greece, 14–17 October 2019; Volume 24800, pp. 263–268.
- [72] Jofre, M.; Navarro-Llobet, D.; Agulló, R.; Puig, J.; Gonzalez-Granadillo, G.; Mora Zamorano, J.; Romeu, R. Cybersecurity and Privacy Risk Assessment of Point-of-Care Systems in Healthcare—A Use Case Approach. Appl. Sci. 2021, 11, 6699.
- [73] Bray, T. The JavaScript Object Notation (JSON) Data Interchange Format. RFC 8259. Available online: https://datatracker.ietf.org/doc/html/rfc8259 (accessed on 10 May 2021).
Input Data | Description | Expected Data |
---|---|---|
Business indicators | Questionnaire about the organisation's size, business structure and main security aspects, as well as information about the organisation's economic impact and details on the values affecting confidentiality, availability and integrity. | Q14. Do browsers used in your organisation allow client side scripting? Yes = 1, No = 0, Do not know = 0. |
Monitoring data | Information from the monitoring infrastructure in the form of events (e.g., expiration of a licence key, a virtual machine is powered on, a user logs on to a virtual machine, failed login requests, host connection lost) and/or alarms (e.g., detected malware, Man-in-the-Middle attack, potential brute-force attack, connection attempts against SQL services). They include details of the source elements (i.e., IP address, port number, detection device), as well as the time associated with the event and the type of event detected. | |
Vulnerabilities | List of the potential vulnerabilities affecting the target infrastructure. They are compared against the indicator rules to obtain inputs for the algorithms used in the risk models. Newly detected vulnerabilities automatically trigger a new risk assessment. | CVE-2020-11896, CVE-2020-11903, CVE-2020-11914, CVE-2019-11510. |
Configuration data | Changes or updates in the configuration of the target infrastructure (e.g., IP addresses and ports of the available machines, addition or removal of assets, estimation of the confidentiality, integrity or availability impact). | MEDEV02: C = 9, I = 7, A = 5; PREPACSSQL: C = 10, I = 10, A = 10. |
Modelling | The selected risk models, which are pre-defined and associated with specific algorithms (script files). The toolkit compares these models and rules with the real input in order to represent a situation inside a risk model. | WPR4: Compromise security via Trojan malware; WPR8: SQL injection. |

Output Data | Description | Expected Data |
---|---|---|
Cybersecurity Global Risk Reports | Qualitative and quantitative global risk scores indicating the overall risk associated with the target organisation. Global qualitative risks range from Very Low to Very High, whereas global quantitative risks are expressed in monetary values and represent the typical loss and the worst-case scenario. | “risk model”: “WPR8”, “target”: “FPHAG”, “cyber qualitative”: “VH”, “cyber quantitative”: “49368: 721267” |
Cybersecurity Specific Risk Reports | Cybersecurity reports indicating the qualitative and quantitative assessment associated with the analysed threat per model (e.g., DoS, Malware, Bypass Login, SQL injection, etc.), per target asset (e.g., workstation, server, medical device, etc.), and per risk (confidentiality, integrity, availability). | “risk model”: “WPR8”, “risk”: “C, I”, “target”: “SQL Server (192.168.40.4)”, “cyber qualitative”: “M”, “cyber quantitative”: “9928: 145298” |
Mitigation Measures | List of mitigation measures associated with the analysed threat that are proposed for implementation by the end-users to eliminate the risk or reduce it to an acceptable level. The selection of these mitigation measures is further processed and analysed by the Risk Mitigation module of AMBIENT. | “risk model”: “WPR8”, “target”: “FPHAG”, “measures”: “M8, M10, M13, M22, M41, M42, M43, M45, M46, M47, M48, M49” |

Input Data | Description | Expected Data |
---|---|---|
Monitoring Data, Vulnerabilities and Cybersecurity risk | Information acquired from the monitored infrastructure, including the identified vulnerabilities, as a result of external asset inventory, network scanning tools (e.g., Open Vulnerability Assessment Scanner - OpenVAS (https://www.openvas.org/) (accessed on 12 July 2021)) and cybersecurity risk tools. | Monitoring data: src 91.189.88.152:3510, dst 192.168.40.4:41814 Vulnerabilities: CVE-2020-11896, CVE-2020-11903, CVE-2020-11914, CVE-2019-11510 Cybersecurity risk: “risk model”: “WPR8”, “risk”: “C, I”, “target”: “SQL Server (192.168.40.4)”, “qualitative”: “Medium”, “quantitative”: “9928:145298” |
Configuration data | This input is provided by end-users and reflects the infrastructure profile and environment. More specifically, this type of information could be, among others, the Personal Data to be processed, the Data Subjects (e.g., Patient), the Legal Grounds, the Legal Entities, the Processing Types, the Processing Activities, the Attack/Threat Scenarios, the privacy-oriented value of assets and already applied mitigation controls. | Configuration data: “PIIs”: “name, surname”, “data subjects”: “Patient1”, “legal entity”: “DPO”, “legal grounds”: “Legal monitoring of Patient1”, “type”: “transfer health data”, “activities”: “91.189.88.152, 192.168.40.4”, “privacy value”: “CVE-2020-11896:VH” |

Output Data | Description | Expected Data |
---|---|---|
Asset-level Privacy Risk Report | It is a privacy score associated with a specific asset that faces a possible privacy threat. Thus, each asset has a threat characterisation score associated with a privacy impact score. | asset1: “asset”: “192.168.40.4”, “privacy quantitative”: “5.0”, “privacy qualitative”: “M”, asset2: “asset”: “91.189.88.152”, “privacy quantitative”: “9.8”, “privacy qualitative”: “VH” |
Processing Activity-level Privacy Risk Report | It is a privacy score associated with a data processing activity. A processing activity may consist of several assets. Thus, the risk level of a processing activity is the maximum value of risk among the assets participating in the processing activity. | processing activity1: “processing activity”: “91.189.88.152, 192.168.40.4”, “privacy quantitative”: “9.8”, “privacy qualitative”: “VH” |
Global Privacy Risk Report | It is a privacy score associated with the whole organisation. The risk score will be the maximum risk among the processing activities. Note that the global privacy score is combined with the risk score derived from the cyber security assessment module. | global: “privacy quantitative”: “9.8”, “privacy qualitative”: “VH” |
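
The roll-up described in the last two rows (activity risk is the maximum over its participating assets, global risk is the maximum over the activities), as an added example that is not code from the paper or from the AMBIENT toolkit. The two asset scores are the ones in the table; the 0-10 scale, the qualitative band edges, and the second processing activity are assumptions/constructed data.

```python
from __future__ import annotations

# Band edges are an assumption modelled on CVSS-style severity bands; the
# table only shows two data points (5.0 -> "M", 9.8 -> "VH").
QUALITATIVE_BANDS = [
    (0.0, 0.1, "VL"),
    (0.1, 4.0, "L"),
    (4.0, 7.0, "M"),
    (7.0, 9.0, "H"),
    (9.0, 10.0, "VH"),
]


def qualitative(score: float) -> str:
    """Map a 0-10 quantitative privacy score to the VL..VH scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"privacy score out of range: {score}")
    for low, high, label in QUALITATIVE_BANDS:
        if low <= score < high:
            return label
    return "VH"  # only score == 10.0 reaches this point


def processing_activity_risk(asset_scores: dict[str, float], members: list[str]) -> float:
    """Activity-level risk is the maximum risk among its participating assets."""
    missing = [a for a in members if a not in asset_scores]
    if missing:
        # Refuse to score an activity whose assets were never assessed,
        # rather than silently under-reporting its risk.
        raise KeyError(f"no asset-level score for {missing}")
    return max(asset_scores[a] for a in members)


def privacy_report(asset_scores: dict[str, float],
                   activities: dict[str, list[str]]) -> dict:
    """Build asset-, activity- and global-level reports as (score, level) pairs."""
    assets = {a: (s, qualitative(s)) for a, s in asset_scores.items()}
    acts = {}
    for name, members in activities.items():
        score = processing_activity_risk(asset_scores, members)
        acts[name] = (score, qualitative(score))
    # Global risk is the maximum among the processing activities.
    global_score = max(score for score, _ in acts.values())
    return {"assets": assets, "processing activities": acts,
            "global": (global_score, qualitative(global_score))}


# Constructed sample: asset scores taken from the table above; the second
# processing activity is made up to show that max() picks the riskier one.
SAMPLE_ASSET_SCORES = {"192.168.40.4": 5.0, "91.189.88.152": 9.8}
SAMPLE_ACTIVITIES = {"processing activity1": ["91.189.88.152", "192.168.40.4"],
                     "processing activity2": ["192.168.40.4"]}

if __name__ == "__main__":
    print(privacy_report(SAMPLE_ASSET_SCORES, SAMPLE_ACTIVITIES))
```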

Input Data | Description | Expected Data |
---|---|---|
Cyber investment | The budget available to the defending agent to implement cyber controls. | “Available budget”: “30,000 EUR” |
Cyber and privacy risk reports | The outputs of the other two modules of AMBIENT, used by the Risk Mitigation module to decide on how to mitigate risks using controls. | “risk model”: “WPR8” “measures”: “M8, M10, M13, M22, M41, M42, M43, M45, M46, M47, M48, M49” “privacy quantitative”: “9.8”, “privacy qualitative”: “VH” |
Risk appetite | The organisation chooses its own risk appetite expressed in the degree of impact they can tolerate before they decide to spend a greater cybersecurity budget. | “risk appetite”: “Medium”. |
Repository of cyber controls | This requires a repository of controls along with their costs (purchase, implementation, maintenance cost) and benefits (efficacy in mitigating threats) to evaluate them during the game-theoretic and the optimisation phase of its operation. | “CIS subControls”: 1.1: “directcost”: 2276.158891, “implementation level”: {H: { “implelevel”: 1, “system performance cost”: 7.491514705, “usability cost”: 6.493688798, “overall indirectcost”: 6.992601751, “efficacy”: 78.36633331, “directcost”: 4097.086004 }, |

Output Data | Description | Expected Data |
---|---|---|
Reactive Risk Mitigation Report | This report shows which of the mitigation measures proposed by the cyber risk assessment module must be used, and with what priority, as optimised by the risk mitigation module. | “risk mitigation output”: ’id’: 0101, ’report’: 0001, “mitigation measures”: M49, M8, M22, M41, M42, M13, M44, M10, M45, M43, M46, M19, M18, M48, “timestamp”: 2020-01-09T09:46:15.242445Z. |
Risk Improvement Reports | These demonstrate to the end-user the degree of risk improvement when the proposed safeguards are chosen for implementation. Each selected safeguard exhibits its own improvement against different threats. This is key in allowing the end user to make an informed choice about the required preemptive controls. | ‘1’: { “malware risk improvement”: 99.11941836, “dos risk improvement”: 96.70459599, “web attack improvement”: 99.18107606, “phishing risk improvement”: 96.01828912, “man in the middle risk improvement”: 99.40160608, “overall risk improvement”: 98.72331726, ...} |
Control Guidance Reports | These are reports that explain to the end-user how the selected safeguards assist the organisation. They also include suggestions about actual cybersecurity products mapped to the framework of controls selected. | Information about the proposed CIS controls with suggestions on how they will help the target organisation (as presented in Figure 5 and Figure 6). |
Control Cost Reports | These reports show to the end-user what costs must be tolerated if the proposed safeguards are selected. The costs cover both direct costs (e.g., financial losses) and indirect costs (e.g., system performance loss). | “CIS Sub-control”: 1.1, “Implementation Level”: Low, “System Performance Cost”: 0.966163655, “Financial Cost”: 1.789499785, “Usability Cost”: 0.386993268 |

MM | Description |
---|---|
M8 | Validate input |
M10 | Map input values to actual filenames/URLs and reject all other input |
M13 | Use application firewall to detect attacks against URL redirection |
M18 | Use antivirus software that is currently considered to be strong by experts in the field |
M19 | Verify the integrity of the software that is being installed |
M22 | Ensure checks performed at the client side are duplicated on the server side |
M41 | Use vetted library to mitigate improper neutralisation of special elements used |
M42 | Use structured mechanisms to enforce automatic separation of data and code |
M43 | Run code using the lowest privileges to accomplish the necessary tasks |
M44 | Quote arguments and escape any special characters within dynamically generated queries that mix control and data together |
M45 | Ensure error messages contain minimal details useful only to the intended audience |
M46 | Avoid using register global in the application |
M47 | Mix white and black list parsing to filter control-plane syntax from input |
M48 | Handle exceptions at code level |
M49 | Fix errors returned by functions |

Indicator | Means | Data-Type | Source-Type |
---|---|---|---|
IN-32: Does the web application consist of HTML forms? | questionnaire | Boolean | business |
IN-37: Do HTTP requests contain special elements used in an SQL command successfully executed? | event | Boolean | test |
IN-38: Do records in the database consist of corrupt or invalid data? | vulnerability | Boolean | application |
IN-44: Do HTTP requests contain special elements used in an SQL command? | event | Boolean | network |
IN-45: Do HTTP responses contain malicious scripts? | network, test, app | Boolean | network |
IN-54: How many sanitised HTTP requests contain special elements used in an SQL command? | application | Integer | event |
IN-55: How many abnormal (suspicious) SQL queries are executed? | application | Integer | event |
IN-56: How many SQL-related errors have been recorded in the log? | application | Integer | event |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Gonzalez-Granadillo, G.; Menesidou, S.A.; Papamartzivanos, D.; Romeu, R.; Navarro-Llobet, D.; Okoh, C.; Nifakos, S.; Xenakis, C.; Panaousis, E. Automated Cyber and Privacy Risk Management Toolkit. Sensors 2021, 21, 5493. https://doi.org/10.3390/s21165493