Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management

Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network...

Full description

Saved in:
Bibliographic Details
Published inRisk analysis Vol. 40; no. 1; pp. 183 - 199
Main Authors Ganin, Alexander A., Quach, Phuoc, Panwar, Mahesh, Collier, Zachary A., Keisler, Jeffrey M., Marchese, Dayton, Linkov, Igor
Format Journal Article
LanguageEnglish
Published United States Blackwell Publishing Ltd 01.01.2020
Subjects
Assessors
Bias
Case studies
Computer security
Cybersecurity
Decision analysis
Decision making
Domains
MCDA
Multiple criterion
Ratings & rankings
Risk assessment
Risk management
Subjectivity
Vulnerability
vulnerability assessment
risk management
Cybersecurity
vulnerability assessment
MCDA
Online AccessGet full text

Cover

More Information
Summary:Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk‐based decision‐making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision‐analysis‐based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 23
ISSN:0272-4332
1539-6924
DOI:10.1111/risa.12891