Assessing Risk Estimations for Cyber-Security Using Expert Judgment

Michael Krisper*, Jürgen Dobaj, Georg Macher

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this paper, we show a use-case of structured expert judgment to assess the risk of a cyber-security attack. We showcase the process of eliciting unknown and uncertain values from multiple experts and combining these judgments by weighting the experts according to their performance. An expert's performance is assessed using the information score and the calibration score computed from that expert's answers to calibration questions. Judgments are stated as three-point estimates of the minimum, most likely, and maximum value, which serve as input for the PERT probability distribution. For the use-case, the input values frequency, vulnerability, and impact were elicited. The combined results are propagated along an attack path to calculate the risk of a cyber-security attack. This was done with RISKEE, a tool for assessing risk in cyber-security that implements both the combination of expert judgments and the propagation of the values through an attack tree. It uses an attack graph to model the attack paths and applies probability distributions to the input values to account for the uncertainty of predictions and expert judgments. We also describe experiences and lessons learned from conducting an expert elicitation to acquire input values for estimating risks in cyber-security.
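The pipeline sketched in the abstract (three-point estimates, PERT distributions, performance-weighted combination of experts, propagation along an attack path) is illustrated below with an added example. This is not code from the paper or from RISKEE. The expert weights are taken as given inputs (the paper derives them from calibration and information scores, whose formulas are not on this page), the combination is a weighted linear pool, and the propagation rule risk = frequency × (product of per-step vulnerabilities) × impact is an assumption for illustration, as are the two hypothetical experts A and B and their estimates.

```python
# Added example (not the paper's or RISKEE's code): three-point expert estimates
# -> PERT distributions -> performance-weighted combination -> Monte Carlo
# propagation along one attack path. Assumptions are marked in the comments.
import random
from dataclasses import dataclass
from statistics import mean, quantiles

PERT_LAMBDA = 4.0  # shape parameter of the standard PERT distribution


@dataclass(frozen=True)
class ThreePoint:
    """One expert's minimum, most likely and maximum estimate for a quantity."""
    low: float
    mode: float
    high: float


def pert_params(est):
    """Beta shape parameters (alpha, beta) of the PERT distribution on [low, high]."""
    if not (est.low <= est.mode <= est.high) or est.low == est.high:
        raise ValueError("need low <= mode <= high with low < high")
    span = est.high - est.low
    alpha = 1.0 + PERT_LAMBDA * (est.mode - est.low) / span
    beta = 1.0 + PERT_LAMBDA * (est.high - est.mode) / span
    return alpha, beta


def pert_mean(est):
    """Closed-form mean of the PERT distribution: (low + 4*mode + high) / 6."""
    return (est.low + PERT_LAMBDA * est.mode + est.high) / (PERT_LAMBDA + 2.0)


def sample_pert(est, rng):
    """Draw one value from the PERT distribution of a three-point estimate."""
    alpha, beta = pert_params(est)
    return est.low + (est.high - est.low) * rng.betavariate(alpha, beta)


def normalize_weights(weights):
    """Scale performance weights to sum to 1. The weights are assumed to be given
    (the paper computes them from calibration and information scores)."""
    total = sum(weights)
    if total <= 0 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative and not all zero")
    return [w / total for w in weights]


def sample_combined(estimates, weights, rng):
    """Weighted linear pool: pick an expert with probability = weight, then sample
    that expert's PERT distribution. `estimates` holds one ThreePoint per expert."""
    (est,) = rng.choices(estimates, weights=weights, k=1)
    return sample_pert(est, rng)


def simulate_risk(frequency, steps, impact, weights, rng, n=20000):
    """Monte Carlo propagation along one attack path (assumed rule, not RISKEE's):
    risk = frequency * prod(step vulnerabilities) * impact.
    frequency/impact: one ThreePoint per expert; steps: one such list per step."""
    w = normalize_weights(weights)
    out = []
    for _ in range(n):
        f = sample_combined(frequency, w, rng)
        v = 1.0
        for step in steps:  # every step must succeed for the path to succeed
            v *= sample_combined(step, w, rng)
        i = sample_combined(impact, w, rng)
        out.append(f * v * i)
    return out


def summarize(samples):
    """Mean and 5/50/95 percentiles of a sample list."""
    q = quantiles(samples, n=20)  # 19 cut points: q[0]=5%, q[9]=50%, q[18]=95%
    return {"mean": mean(samples), "p5": q[0], "p50": q[9], "p95": q[18]}


# Constructed inputs for two hypothetical experts A and B (not data from the paper).
WEIGHTS = [0.7, 0.3]  # assumed performance weights for A and B
FREQUENCY = [ThreePoint(2, 5, 12), ThreePoint(1, 4, 20)]       # attack attempts per year
STEPS = [
    [ThreePoint(0.3, 0.5, 0.8), ThreePoint(0.2, 0.6, 0.9)],    # step 1: success probability
    [ThreePoint(0.1, 0.2, 0.5), ThreePoint(0.05, 0.3, 0.6)],   # step 2: success probability
]
IMPACT = [ThreePoint(10, 50, 200), ThreePoint(20, 80, 500)]    # loss per successful attack (kEUR)


def run_example(seed=2020, n=20000):
    """Run the constructed scenario with a fixed seed and return its summary."""
    rng = random.Random(seed)
    return summarize(simulate_risk(FREQUENCY, STEPS, IMPACT, WEIGHTS, rng, n))


if __name__ == "__main__":
    print(run_example())
```

Because the inputs are distributions rather than point values, the result is a distribution too: reporting the 5th, 50th and 95th percentiles alongside the mean is what makes the uncertainty of the experts' judgments visible in the final risk figure, which a single multiplied-out point estimate would hide.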
Original language: English
Title of host publication: Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings
Editors: Murat Yilmaz, Paul Clarke, Jörg Niemann, Richard Messnarz
Publisher: Springer
Pages: 120-134
Number of pages: 15
ISBN (Print): 9783030564407
DOIs
Publication status: Published - 9 Aug 2020
Event: 27th European Conference on Systems, Software and Services Process Improvement - Hybrid event (Düsseldorf), Germany
Duration: 9 Sep 2020 to 11 Sep 2020
https://2020.eurospi.net/

Publication series

Name: Communications in Computer and Information Science
Volume: 1251 CCIS
ISSN (Print): 1865-0929
ISSN (Electronic): 1865-0937

Conference

Conference: 27th European Conference on Systems, Software and Services Process Improvement
Abbreviated title: EuroSPI 2020
Country: Germany
City: Hybrid event (Düsseldorf)
Period: 9/09/20 to 11/09/20
Internet address: https://2020.eurospi.net/

Keywords

  • Cyber-security
  • Expert elicitation
  • Expert judgment
  • Probabilistic methods
  • Risk assessment

ASJC Scopus subject areas

  • Computer Science(all)
  • Mathematics(all)
  • Safety, Risk, Reliability and Quality

Fields of Expertise

  • Information, Communication & Computing

Treatment code (detailed classification)

  • Application
