RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

Publication: Chapter in book/report/conference proceedings › Contribution to conference proceedings › Research › Peer-reviewed

Abstract

In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.

Original language: English
Title: Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings
Editors: Alastair Walker, Rory V. O’Connor, Richard Messnarz
Publisher: Springer Verlag
Pages: 45-56
Number of pages: 12
ISBN (Print): 9783030280048
DOIs
Publication status: Published - 1 Jan 2019
Event: 26th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2019 - Edinburgh, Great Britain / United Kingdom
Duration: 18 Sep 2019 to 20 Sep 2019

Publication series

Name: Communications in Computer and Information Science
Volume: 1060
ISSN (Print): 1865-0929
ISSN (electronic): 1865-0937

Conference

Conference: 26th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2019
Country: Great Britain / United Kingdom
City: Edinburgh
Period: 18/09/19 to 20/09/19

Fingerprint

Trees (mathematics)
Attack
Graph in graph theory
Strombus or kite or diamond
Vulnerability
Diamonds
Monte Carlo Simulation
Decision making
Decision Making
Vertex of a graph

Keywords

    ASJC Scopus subject areas

    • Computer Science (all)
    • Mathematics (all)

    Cite this

    Krisper, M., Dobaj, J., Macher, G., & Schmittner, C. (2019). RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. In A. Walker, R. V. O’Connor, & R. Messnarz (Eds.), Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings (pp. 45-56). (Communications in Computer and Information Science; Vol. 1060). Springer Verlag. https://doi.org/10.1007/978-3-030-28005-5_4

    @inproceedings{23848b1cda8e447abec5ba1e747266c6,
    title = "RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security",
    keywords = "Attack trees, Cyber physical security, Diamond model, FAIR method, IT-security, Risk assessment, Risk propagation",
    author = "Michael Krisper and J{\"u}rgen Dobaj and Georg Macher and Christoph Schmittner",
    year = "2019",
    month = "1",
    day = "1",
    doi = "10.1007/978-3-030-28005-5_4",
    language = "English",
    isbn = "9783030280048",
    series = "Communications in Computer and Information Science",
    publisher = "Springer Verlag",
    pages = "45--56",
    editor = "Alastair Walker and O’Connor, {Rory V.} and Richard Messnarz",
    booktitle = "Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings",
    address = "Germany",

    }
