A Subjective Network Approach for Cybersecurity Risk Assessment

Nasser Al-Hadhrami, Matthew Collinson, Nir Oren

Research output: Chapter in Book/Report/Conference proceeding - Published conference contribution


We propose a subjective Bayesian network approach for cybersecurity risk assessment to address the limitations of traditional risk assessment models, which use precise values for the likelihoods of cyber-attacks. In many situations, it is difficult to elicit accurate probabilities due to a lack of knowledge or insufficient historical data, making the evaluation of risk in existing approaches unreliable. With this approach, we seek to better reflect the reality underpinning the model and offer a better approach to decision-making via the modelling of uncertainty about the probability distributions in the form of subjective opinions, resulting in a model taking second-order uncertainty into account. We develop a subjective Bayesian network for cybersecurity risk, and then discuss the risk evaluation and decision analysis problem under the proposed model. Finally, our approach is evaluated against classical Bayesian networks using the scenario of wiper malware in an industrial control system. Our results show that taking uncertainty about the probabilities into account during security risk analysis can lead to different outcomes, and therefore different security decisions.
Original language: English
Title of host publication: 13th International Conference on Security of Information and Networks
Editors: Berna Ors, Atilla Elci
Place of Publication: New York, NY, USA
Publisher: Association for Computing Machinery
Number of pages: 8
ISBN (Print): 9781450387514
Publication status: Published - 6 Nov 2020
Event: SIN 2020: 13th International Conference on Security of Information and Networks - Online
Duration: 4 Nov 2020 - 6 Nov 2020
Conference number: 13

Publication series

Name: SIN 2020
Publisher: Association for Computing Machinery


Conference: SIN 2020
Abbreviated title: SINCONF 2020


  • subjective Bayesian networks
  • decision analysis
  • risk analysis
  • multi-attribute risk

