RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Research, peer-review

Abstract

In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.
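The abstract states the mechanics of the method only at a high level: expert estimates of attack frequencies and success probabilities are pushed forward over an attack graph, risk is computed at the impact nodes by Monte-Carlo simulation in the FAIR style (loss event frequency times loss magnitude), and the resulting risk is propagated back towards the entry points. The Python below is an added illustration of that pattern and is not the authors' RISKEE implementation. The graph, the node names, the triangular (min, most likely, max) estimates and the loss figures are all constructed for the example; the combination rule it uses (parallel paths treated as independent and summed, each node's loss counted once per arrival) is an assumption of this example, not something the abstract specifies.

```python
"""Illustrative forward/backward risk propagation over an attack graph (added example)."""
import random
from typing import Dict, List, NamedTuple, Tuple

Range = Tuple[float, float, float]   # (min, most likely, max) expert estimate
Edge = Tuple[str, str, Range]        # (src, dst, probability that src -> dst succeeds)

# Constructed sample graph (not from the paper): two entry points, two impact nodes.
ENTRY_TEF: Dict[str, Range] = {      # threat events per year arriving at entry nodes
    "phishing_email": (20.0, 50.0, 120.0),
    "exposed_web_app": (5.0, 15.0, 40.0),
}
EDGES: List[Edge] = [
    ("phishing_email", "workstation_foothold", (0.02, 0.05, 0.10)),
    ("exposed_web_app", "app_server_rce", (0.01, 0.03, 0.08)),
    ("workstation_foothold", "domain_admin", (0.10, 0.25, 0.50)),
    ("app_server_rce", "domain_admin", (0.05, 0.15, 0.35)),
    ("app_server_rce", "customer_db_exfil", (0.20, 0.40, 0.70)),
    ("domain_admin", "customer_db_exfil", (0.50, 0.80, 0.95)),
    ("domain_admin", "plant_shutdown", (0.05, 0.10, 0.30)),
]
IMPACT_LOSS: Dict[str, Range] = {    # loss magnitude per event (EUR), constructed values
    "customer_db_exfil": (200_000.0, 800_000.0, 5_000_000.0),
    "plant_shutdown": (1_000_000.0, 3_000_000.0, 20_000_000.0),
}


class Draw(NamedTuple):
    by_impact: Dict[str, float]  # annual loss landing on each impact node (forward pass)
    by_entry: Dict[str, float]   # annual loss attributable to each entry node (backward pass)


def topo_order(entry_tef: Dict[str, Range], edges: List[Edge]) -> List[str]:
    """Kahn's algorithm; the attack graph must be acyclic, so a cycle is an error."""
    nodes = set(entry_tef) | {s for s, _, _ in edges} | {d for _, d, _ in edges}
    indeg = {n: 0 for n in nodes}
    for _, d, _ in edges:
        indeg[d] += 1
    ready = sorted((n for n in nodes if indeg[n] == 0), reverse=True)
    order: List[str] = []
    while ready:
        n = ready.pop()
        order.append(n)
        for s, d, _ in edges:
            if s == n:
                indeg[d] -= 1
                if indeg[d] == 0:
                    ready.append(d)
    if len(order) != len(nodes):
        raise ValueError("attack graph contains a cycle")
    return order


def simulate_once(entry_tef: Dict[str, Range], edges: List[Edge],
                  impact_loss: Dict[str, Range], rng: random.Random) -> Draw:
    """One Monte-Carlo draw of every estimate, then one forward and one backward pass."""
    order = topo_order(entry_tef, edges)

    def tri(r: Range) -> float:            # random.triangular takes (low, high, mode)
        lo, mode, hi = r
        return rng.triangular(lo, hi, mode)

    p = {(s, d): tri(r) for s, d, r in edges}
    tef = {n: tri(r) for n, r in entry_tef.items()}
    loss = {n: tri(r) for n, r in impact_loss.items()}
    # Forward: expected attacker arrivals per year at each node. Parallel paths are
    # assumed independent and summed (an assumption of this example).
    freq = {n: tef.get(n, 0.0) for n in order}
    for n in order:
        for s, d, _ in edges:
            if s == n:
                freq[d] += freq[n] * p[(s, d)]
    # Backward: expected loss per arrival = own loss + success-weighted loss downstream.
    lpa = {n: loss.get(n, 0.0) for n in order}
    for n in reversed(order):
        for s, d, _ in edges:
            if s == n:
                lpa[n] += p[(s, d)] * lpa[d]
    return Draw(by_impact={n: freq[n] * loss[n] for n in impact_loss},
                by_entry={n: tef[n] * lpa[n] for n in entry_tef})


def summarise(samples: List[float]) -> Dict[str, float]:
    s = sorted(samples)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": sum(s) / len(s), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def run(entry_tef: Dict[str, Range] = ENTRY_TEF, edges: List[Edge] = EDGES,
        impact_loss: Dict[str, Range] = IMPACT_LOSS,
        n_iter: int = 5000, seed: int = 1) -> Dict[str, Dict[str, float]]:
    """Annualised loss statistics per impact node, per entry node and in total."""
    rng = random.Random(seed)
    samples: Dict[str, List[float]] = {}
    for _ in range(n_iter):
        draw = simulate_once(entry_tef, edges, impact_loss, rng)
        for name, value in [*draw.by_impact.items(), *draw.by_entry.items(),
                            ("total", sum(draw.by_impact.values()))]:
            samples.setdefault(name, []).append(value)
    return {name: summarise(v) for name, v in samples.items()}


if __name__ == "__main__":
    for name, st in run().items():
        print(f"{name:>20}: mean {st['mean']:>12,.0f}  P10 {st['p10']:>12,.0f}  "
              f"P50 {st['p50']:>12,.0f}  P90 {st['p90']:>12,.0f}")
```

Because the propagation is linear in the per-draw estimates, the forward total over the impact nodes and the backward total over the entry nodes coincide in every draw; a mismatch would indicate a bug in one of the passes, which makes a cheap sanity check for any implementation of this scheme. The backward figures are what a decision maker wants: they say how much of the annual risk enters through each entry point, and therefore where a control pays off most. Real FAIR analyses decompose loss event frequency further (contact frequency, probability of action, threat capability against resistance strength); the example collapses these into a single per-edge success probability to keep the propagation visible.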

Original language: English
Title of host publication: Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings
Editors: Alastair Walker, Rory V. O’Connor, Richard Messnarz
Publisher: Springer Verlag
Pages: 45-56
Number of pages: 12
ISBN (Print): 9783030280048
DOIs: https://doi.org/10.1007/978-3-030-28005-5_4
Publication status: Published - Sep 2019
Event: 26th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2019 - Edinburgh, United Kingdom
Duration: 18 Sep 2019 - 20 Sep 2019

Publication series

Name: Communications in Computer and Information Science
Volume: 1060
ISSN (Print): 1865-0929
ISSN (Electronic): 1865-0937

Conference

Conference: 26th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2019
Country: United Kingdom
City: Edinburgh
Period: 18/09/19 - 20/09/19

Fingerprint

Trees (mathematics)
Attack
Graph in graph theory
Vulnerability
Diamonds
Monte Carlo Simulation
Decision making
Vertex of a graph

Keywords

  • Attack trees
  • Cyber physical security
  • Diamond model
  • FAIR method
  • IT-security
  • Risk assessment
  • Risk propagation

ASJC Scopus subject areas

  • Computer Science(all)
  • Mathematics(all)

Fields of Expertise

  • Information, Communication & Computing

Cite this

APA: Krisper, M., Dobaj, J., Macher, G., & Schmittner, C. (2019). RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. In A. Walker, R. V. O’Connor, & R. Messnarz (Eds.), Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings (pp. 45-56). (Communications in Computer and Information Science; Vol. 1060). Springer Verlag. https://doi.org/10.1007/978-3-030-28005-5_4

Author: RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. / Krisper, Michael; Dobaj, Jürgen; Macher, Georg; Schmittner, Christoph. Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. ed. / Alastair Walker; Rory V. O’Connor; Richard Messnarz. Springer Verlag, 2019. p. 45-56 (Communications in Computer and Information Science; Vol. 1060).


Harvard: Krisper, M, Dobaj, J, Macher, G & Schmittner, C 2019, RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. in A Walker, RV O’Connor & R Messnarz (eds), Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Communications in Computer and Information Science, vol. 1060, Springer Verlag, pp. 45-56, 26th European Conference on Systems, Software and Services Process Improvement, EuroSPI 2019, Edinburgh, United Kingdom, 18/09/19. https://doi.org/10.1007/978-3-030-28005-5_4

Vancouver: Krisper M, Dobaj J, Macher G, Schmittner C. RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. In Walker A, O’Connor RV, Messnarz R, editors, Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Springer Verlag. 2019. p. 45-56. (Communications in Computer and Information Science). https://doi.org/10.1007/978-3-030-28005-5_4

Standard: Krisper, Michael ; Dobaj, Jürgen ; Macher, Georg ; Schmittner, Christoph. / RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. editor / Alastair Walker ; Rory V. O’Connor ; Richard Messnarz. Springer Verlag, 2019. pp. 45-56 (Communications in Computer and Information Science).

BibTeX:
@inproceedings{23848b1cda8e447abec5ba1e747266c6,
title = "RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security",
abstract = "In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.",
keywords = "Attack trees, Cyber physical security, Diamond model, FAIR method, IT-security, Risk assessment, Risk propagation",
author = "Michael Krisper and J{\"u}rgen Dobaj and Georg Macher and Christoph Schmittner",
year = "2019",
month = "9",
doi = "10.1007/978-3-030-28005-5_4",
language = "English",
isbn = "9783030280048",
series = "Communications in Computer and Information Science",
publisher = "Springer Verlag",
pages = "45--56",
editor = "Alastair Walker and O’Connor, {Rory V.} and Richard Messnarz",
booktitle = "Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings",
address = "Germany",

}

RIS:
TY  - GEN
T1  - RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security
AU  - Krisper, Michael
AU  - Dobaj, Jürgen
AU  - Macher, Georg
AU  - Schmittner, Christoph
PY  - 2019/9
Y1  - 2019/9
N2  - In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.
AB  - In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.
KW  - Attack trees
KW  - Cyber physical security
KW  - Diamond model
KW  - FAIR method
KW  - IT-security
KW  - Risk assessment
KW  - Risk propagation
UR  - http://www.scopus.com/inward/record.url?scp=85072983274&partnerID=8YFLogxK
U2  - 10.1007/978-3-030-28005-5_4
DO  - 10.1007/978-3-030-28005-5_4
M3  - Conference contribution
SN  - 9783030280048
T3  - Communications in Computer and Information Science
SP  - 45
EP  - 56
BT  - Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings
A2  - Walker, Alastair
A2  - O’Connor, Rory V.
A2  - Messnarz, Richard
PB  - Springer Verlag
ER  -