Cybersecurity Risk Assessment: A Systematic Mapping Review, Proposal, and Validation

Incorporating technologies across all sectors has meant that cybersecurity risk assessment is now a critical step in cybersecurity risk management. However, risk assessment can be a complicated process for organizations. Therefore, many authors have attempted to automate this step using qualitative...

Full description

Saved in:
Bibliographic Details
Published inApplied sciences Vol. 13; no. 1; p. 395
Main Authors Sánchez-García, Isaac Daniel, Mejía, Jezreel, San Feliu Gilabert, Tomás
Format Journal Article
LanguageEnglish
Published Basel MDPI AG 01.01.2023
Subjects
algorithms
Automation
Confidentiality
Cybersecurity
Identification
International organizations
ISO standards
Mapping
Risk assessment
Risk management
Security management
systematic mapping review
Online AccessGet full text

Cover

More Information
Summary:Incorporating technologies across all sectors has meant that cybersecurity risk assessment is now a critical step in cybersecurity risk management. However, risk assessment can be a complicated process for organizations. Therefore, many authors have attempted to automate this step using qualitative and quantitative tools. The problems with the tools and the risk assessment stage in general are (1) not considering all the sub-steps of risk assessment and (2) not identifying the variables necessary for an accurate risk calculation. To address these issues, this article presents a systematic mapping review (SMR) of tools that automate the cybersecurity risk assessment stage based on studies published in the last decade. As a result, we identify and describe 35 tools from 40 primary studies. Most of the primary studies were published between 2012 and 2020, indicating an upward trend of cyber risk assessment tool publication in recent years. The main objectives of this paper are to: (I) identify the differences (reference models and applications) and coverage of the main qualitative and quantitative models, (II) identify relevant risk assessment variables, (III) propose a risk assessment model (qualitative and quantitative) that considers the main variables and sub-stages of risk assessment stage, and (IV) obtain an assessment of the proposed model by experts in the field of cybersecurity. The proposal was sent to a group of 28 cybersecurity experts who approved the proposed variables and their relevance in the cybersecurity risk assessment stage, identifying a majority use of qualitative tools but a preference of experts for quantitative tools.
ISSN:2076-3417
2076-3417
DOI:10.3390/app13010395