Abstract
We propose a subjective Bayesian network approach to cybersecurity risk assessment that addresses a limitation of traditional risk assessment models: their use of precise values for the likelihoods of cyber-attacks. In many situations it is difficult to elicit accurate probabilities because of a lack of knowledge or insufficient historical data, which makes the risk evaluation produced by existing approaches unreliable. Our approach seeks to better reflect the reality underpinning the model and to support decision-making by modelling uncertainty about the probability distributions as subjective opinions, yielding a model that takes second-order uncertainty into account. We develop a subjective Bayesian network for cybersecurity risk and then discuss risk evaluation and decision analysis under the proposed model. Finally, we evaluate our approach against classical Bayesian networks using the scenario of wiper malware in an industrial control system. Our results show that accounting for uncertainty about the probabilities during security risk analysis can lead to different outcomes, and therefore to different security decisions.
| Original language | English |
|---|---|
| Title of host publication | 13th International Conference on Security of Information and Networks |
| Editors | Berna Ors, Atilla Elci |
| Place of Publication | New York, NY, USA |
| Publisher | Association for Computing Machinery |
| Pages | 1-8 |
| Number of pages | 8 |
| ISBN (Print) | 9781450387514 |
| DOIs | |
| Publication status | Published - 6 Nov 2020 |
| Event | SIN 2020: 13th International Conference on Security of Information and Networks, Online, 4 Nov 2020 → 6 Nov 2020 (Conference number: 13), https://www.sinconf.org/ |
Publication series
| Name | SIN 2020 |
|---|---|
| Publisher | Association for Computing Machinery |
Conference
| Conference | SIN 2020 |
|---|---|
| Abbreviated title | SINCONF 2020 |
| Period | 4/11/20 → 6/11/20 |
| Internet address | |
Keywords
- subjective Bayesian networks
- decision analysis
- risk analysis
- multi-attribute risk