RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

Michael Krisper; Jürgen Dobaj; Georg Macher; Christoph Schmittner

doi:10.1007/978-3-030-28005-5_4

RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

Michael Krisper, Jürgen Dobaj, Georg Macher, Christoph Schmittner

Technische Universität Graz (90000)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Forschung › Begutachtung

Abstract

In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.

Originalsprache	englisch
Titel	Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings
Redakteure/-innen	Alastair Walker, Rory V. O’Connor, Richard Messnarz
Herausgeber (Verlag)	Springer Verlag
Seiten	45-56
Seitenumfang	12
ISBN (Print)	9783030280048
DOIs	https://doi.org/10.1007/978-3-030-28005-5_4
Publikationsstatus	Veröffentlicht - 1 Jan 2019
Veranstaltung	26th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2019 - Edinburgh, Großbritannien / Vereinigtes Königreich Dauer: 18 Sep 2019 → 20 Sep 2019

Publikationsreihe

Name	Communications in Computer and Information Science
Band	1060
ISSN (Print)	1865-0929
ISSN (elektronisch)	1865-0937

Konferenz

Konferenz	26th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2019
Land	Großbritannien / Vereinigtes Königreich
Ort	Edinburgh
Zeitraum	18/09/19 → 20/09/19

Fingerprint

Trees (mathematics)

Attack

Graph in graph theory

Strombus or kite or diamond

Vulnerability

Diamonds

Monte Carlo Simulation

Decision making

Decision Making

Vertex of a graph

Schlagwörter

ASJC Scopus subject areas

!!Computer Science(all)
!!Mathematics(all)

Dies zitieren

Krisper, M., Dobaj, J., Macher, G., & Schmittner, C. (2019). RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. in A. Walker, R. V. O’Connor, & R. Messnarz (Hrsg.), Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings (S. 45-56). (Communications in Computer and Information Science; Band 1060). Springer Verlag. https://doi.org/10.1007/978-3-030-28005-5_4

RISKEE : A Risk-Tree Based Method for Assessing Risk in Cyber Security. / Krisper, Michael ; Dobaj, Jürgen ; Macher, Georg; Schmittner, Christoph.

Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Hrsg. / Alastair Walker; Rory V. O’Connor; Richard Messnarz. Springer Verlag, 2019. S. 45-56 (Communications in Computer and Information Science; Band 1060).

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Forschung › Begutachtung

Krisper, M , Dobaj, J , Macher, G & Schmittner, C 2019, RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. in A Walker, RV O’Connor & R Messnarz (Hrsg.), Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Communications in Computer and Information Science, Bd. 1060, Springer Verlag, S. 45-56, Edinburgh, Großbritannien / Vereinigtes Königreich, 18/09/19. https://doi.org/10.1007/978-3-030-28005-5_4

Krisper M , Dobaj J , Macher G, Schmittner C. RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. in Walker A, O’Connor RV, Messnarz R, Hrsg., Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Springer Verlag. 2019. S. 45-56. (Communications in Computer and Information Science). https://doi.org/10.1007/978-3-030-28005-5_4

Krisper, Michael ; Dobaj, Jürgen ; Macher, Georg ; Schmittner, Christoph. / RISKEE : A Risk-Tree Based Method for Assessing Risk in Cyber Security. Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Hrsg. / Alastair Walker ; Rory V. O’Connor ; Richard Messnarz. Springer Verlag, 2019. S. 45-56 (Communications in Computer and Information Science).

@inproceedings{23848b1cda8e447abec5ba1e747266c6,

title = "RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security",

abstract = "In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.",

keywords = "Attack trees, Cyber physical security, Diamond model, FAIR method, IT-security, Risk assessment, Risk propagation",

author = "Michael Krisper and J{\"u}rgen Dobaj and Georg Macher and Christoph Schmittner",

year = "2019",

month = "1",

day = "1",

doi = "10.1007/978-3-030-28005-5_4",

language = "English",

isbn = "9783030280048",

series = "Communications in Computer and Information Science",

publisher = "Springer Verlag",

pages = "45--56",

editor = "Alastair Walker and O’Connor, {Rory V.} and Richard Messnarz",

booktitle = "Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings",

address = "Germany",

}

TY - GEN

T1 - RISKEE

T2 - A Risk-Tree Based Method for Assessing Risk in Cyber Security

AU - Krisper, Michael

AU - Dobaj, Jürgen

AU - Macher, Georg

AU - Schmittner, Christoph

PY - 2019/1/1

Y1 - 2019/1/1

N2 - In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.

AB - In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.

KW - Attack trees

KW - Cyber physical security

KW - Diamond model

KW - FAIR method

KW - IT-security

KW - Risk assessment

KW - Risk propagation

UR - http://www.scopus.com/inward/record.url?scp=85072983274&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-28005-5_4

DO - 10.1007/978-3-030-28005-5_4

M3 - Conference contribution

SN - 9783030280048

T3 - Communications in Computer and Information Science

SP - 45

EP - 56

BT - Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings

A2 - Walker, Alastair

A2 - O’Connor, Rory V.

A2 - Messnarz, Richard

PB - Springer Verlag

ER -

Zugang zum Dokument

10.1007/978-3-030-28005-5_4

http://www.scopus.com/inward/record.url?scp=85072983274&partnerID=8YFLogxK