Assessment of Cybersecurity Based on Risk and Uncertainty Propagation in Distributed Networked Systems

Publication: Thesis / Dissertation

Abstract

Cybersecurity incidents cause tremendous costs for the economy and harm to individuals, e.g., through identity theft, data loss, ransomware, or bribery. To find appropriate measures that reduce or prevent such incidents, a system must first be assessed with regard to its risks. In domains such as safety, harmful events can be predicted by looking at past events, modelling them, and applying these models to the future. For cybersecurity, however, such incidents are much harder to predict because they depend mainly on the motivation and decisions of humans. To assess them, one has to resort to expert judgments, which are unfortunately subject to large uncertainties. In this thesis, the structured expert judgment method is used to estimate the risks of cybersecurity incidents. The risks are calculated by forward and backward propagation of specific risk attributes, along with their uncertainties, over risk graphs in which all attack paths are mapped. The result is a risk distribution that can be traced back to the individual components, which supports better decisions on the measures necessary to reduce risk. Correctness, applicability, and usefulness were demonstrated using an implemented prototype. For this purpose, a comparison of 45 publicly available studies was made using structured expert judgment and RISKEE. Furthermore, the created RISKEE method was applied in an international workshop to investigate the cybersecurity risk of car theft. Finally, the implemented prototype was used to find secure solutions for chip designs in a design space exploration study.
Original language: English
Degree-granting institution
  • Institut für Technische Informatik (4480)
Supervisor / Advisor
  • Römer, Kay Uwe, Supervisor
  • Ray, Indrajit, Supervisor, external person
  • Macher, Georg, Advisor
  • Kreiner, Christian Josef, Advisor
Date of approval: 26 June 2020
Publication status: Published - 26 June 2021

ASJC Scopus subject areas

  • Computer Science (all)
  • Safety, Risk, Reliability and Quality
  • Statistics, Probability and Uncertainty

Fields of Expertise

  • Information, Communication & Computing

Treatment code (closer classification)

  • Application
