A Subjective Network Approach for Cybersecurity Risk Assessment

Nasser Al-Hadhrami; Matthew Collinson; Nir Oren

doi:10.1145/3433174.3433175

A Subjective Network Approach for Cybersecurity Risk Assessment

Nasser Al-Hadhrami, Matthew Collinson, Nir Oren

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

Abstract

We propose a subjective Bayesian network approach for cybersecurity risk assessment to address the limitations of traditional risk assessment models, which use precise values for the likelihoods of cyber-attacks. In many situations, it is often difficult to elicit accurate probabilities due to lack of knowledge, or insufficient historical data, making the evaluation of risk in existing approaches unreliable. With this approach, we seek to better reflect the reality underpinning the model and offer a better approach to decision-making via the modelling of uncertainty about the probability distributions in the form of subjective opinions, resulting in a model taking second-order uncertainty into account. We develop a subjective Bayesian network for cybersecurity risk, and then discuss the risk evaluation and decision analysis problem under the proposed model. Finally, our approach is evaluated against classical Bayesian networks using the scenario of wiper malware in an industrial control system. Our results show that taking uncertainty about the probabilities into account during security risk analysis can lead to different outcomes, and therefore different security decisions.

Original language	English
Title of host publication	13th International Conference on Security of Information and Networks
Editors	Berna Ors, Atilla Elci
Place of Publication	New York, NY, USA
Publisher	Association for Computing Machinery
Pages	1-8
Number of pages	8
ISBN (Print)	9781450387514
DOIs	https://doi.org/10.1145/3433174.3433175
Publication status	Published - 6 Nov 2020
Event	SIN 2020: 13th International Conference on Security of Information and Networks - Online Duration: 4 Nov 2020 → 6 Nov 2020 Conference number: 13 https://www.sinconf.org/

Publication series

Name	SIN 2020
Publisher	Association for Computing Machinery

Conference

Conference	SIN 2020
Abbreviated title	SINCONF 2020
Period	4/11/20 → 6/11/20
Internet address	https://www.sinconf.org/

Keywords

subjective Bayesian networks
decision analysis
risk analysis
multi-attribute risk

Access to Document

10.1145/3433174.3433175Licence: Unspecified

Cite this

A Subjective Network Approach for Cybersecurity Risk Assessment. / Al-Hadhrami, Nasser; Collinson, Matthew ; Oren, Nir.
13th International Conference on Security of Information and Networks. ed. / Berna Ors; Atilla Elci. New York, NY, USA: Association for Computing Machinery, 2020. p. 1-8 1 (SIN 2020).

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

@inproceedings{34287c11769a4b5084c030199d584106,

title = "A Subjective Network Approach for Cybersecurity Risk Assessment",

abstract = "We propose a subjective Bayesian network approach for cybersecurity risk assessment to address the limitations of traditional risk assessment models, which use precise values for the likelihoods of cyber-attacks. In many situations, it is often difficult to elicit accurate probabilities due to lack of knowledge, or insufficient historical data, making the evaluation of risk in existing approaches unreliable. With this approach, we seek to better reflect the reality underpinning the model and offer a better approach to decision-making via the modelling of uncertainty about the probability distributions in the form of subjective opinions, resulting in a model taking second-order uncertainty into account. We develop a subjective Bayesian network for cybersecurity risk, and then discuss the risk evaluation and decision analysis problem under the proposed model. Finally, our approach is evaluated against classical Bayesian networks using the scenario of wiper malware in an industrial control system. Our results show that taking uncertainty about the probabilities into account during security risk analysis can lead to different outcomes, and therefore different security decisions.",

keywords = "subjective Bayesian networks, decision analysis, risk analysis, multi-attribute risk",

author = "Nasser Al-Hadhrami and Matthew Collinson and Nir Oren",

year = "2020",

month = nov,

day = "6",

doi = "10.1145/3433174.3433175",

language = "English",

isbn = "9781450387514",

series = "SIN 2020",

publisher = "Association for Computing Machinery",

pages = "1--8",

editor = "Berna Ors and Atilla Elci",

booktitle = "13th International Conference on Security of Information and Networks",

note = "SIN 2020 : 13th International Conference on Security of Information and Networks, SINCONF 2020 ; Conference date: 04-11-2020 Through 06-11-2020",

url = "https://www.sinconf.org/",

}

TY - GEN

T1 - A Subjective Network Approach for Cybersecurity Risk Assessment

AU - Al-Hadhrami, Nasser

AU - Collinson, Matthew

AU - Oren, Nir

N1 - Conference code: 13

PY - 2020/11/6

Y1 - 2020/11/6

N2 - We propose a subjective Bayesian network approach for cybersecurity risk assessment to address the limitations of traditional risk assessment models, which use precise values for the likelihoods of cyber-attacks. In many situations, it is often difficult to elicit accurate probabilities due to lack of knowledge, or insufficient historical data, making the evaluation of risk in existing approaches unreliable. With this approach, we seek to better reflect the reality underpinning the model and offer a better approach to decision-making via the modelling of uncertainty about the probability distributions in the form of subjective opinions, resulting in a model taking second-order uncertainty into account. We develop a subjective Bayesian network for cybersecurity risk, and then discuss the risk evaluation and decision analysis problem under the proposed model. Finally, our approach is evaluated against classical Bayesian networks using the scenario of wiper malware in an industrial control system. Our results show that taking uncertainty about the probabilities into account during security risk analysis can lead to different outcomes, and therefore different security decisions.

AB - We propose a subjective Bayesian network approach for cybersecurity risk assessment to address the limitations of traditional risk assessment models, which use precise values for the likelihoods of cyber-attacks. In many situations, it is often difficult to elicit accurate probabilities due to lack of knowledge, or insufficient historical data, making the evaluation of risk in existing approaches unreliable. With this approach, we seek to better reflect the reality underpinning the model and offer a better approach to decision-making via the modelling of uncertainty about the probability distributions in the form of subjective opinions, resulting in a model taking second-order uncertainty into account. We develop a subjective Bayesian network for cybersecurity risk, and then discuss the risk evaluation and decision analysis problem under the proposed model. Finally, our approach is evaluated against classical Bayesian networks using the scenario of wiper malware in an industrial control system. Our results show that taking uncertainty about the probabilities into account during security risk analysis can lead to different outcomes, and therefore different security decisions.

KW - subjective Bayesian networks

KW - decision analysis

KW - risk analysis

KW - multi-attribute risk

U2 - 10.1145/3433174.3433175

DO - 10.1145/3433174.3433175

M3 - Published conference contribution

SN - 9781450387514

T3 - SIN 2020

SP - 1

EP - 8

BT - 13th International Conference on Security of Information and Networks

A2 - Ors, Berna

A2 - Elci, Atilla

PB - Association for Computing Machinery

CY - New York, NY, USA

T2 - SIN 2020

Y2 - 4 November 2020 through 6 November 2020

ER -

A Subjective Network Approach for Cybersecurity Risk Assessment

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this