CyberRiskDELPHI: towards objective cyber risk assessment for complex systems

Nikolaos Papakonstantinou, Douglas L. Van Bossuyt, Britta Hale, Ryan M. Arlitt, Jarno Salonen, Jani Suomalainen

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

Abstract

Risk assessment is an essential step for architecting the resilience (safety/security) of a mission-critical software-intensive system, as well as a regular maintenance procedure. It closely relates to estimating the (cyber) insurance needs of the system. Managing cyber risk involves gathering threat intelligence, prioritizing the current threats against the system of interest, and planning mitigation strategies. While reliability engineering can rely on a relatively stable set of failure modes and statistical data related to their probabilities of occurrence, security deals with a dynamic threat environment. This reality has dictated the use of qualitative methods (like STRIDE and DREAD), relying on the experience and the specific background of the person performing the study. This subjectivity leads to criticism, since results calculated by different experts for the same system can vary significantly. This challenge has been addressed in the past with a method called DELPHI, which aims to reduce subjectivity by using a group of experts. The scientific contribution of this paper is the development of CyberRiskDELPHI, a modified version of the original DELPHI method for the identification and prioritization of cyber risks. It is demonstrated over a case study of a 5G tactical bubble covering the communication needs of a critical operation. An early evaluation of the use of a large language model (ChatGPT) in risk identification and prioritization for this case study is also included as a complementary side-activity, giving an indication of future developments in the risk assessment domain.
Original language: English
Title of host publication: 43rd Computers and Information in Engineering Conference (CIE)
Publisher: American Society of Mechanical Engineers (ASME)
Number of pages: 10
Volume: 2
ISBN (Electronic): 978-0-7918-8729-5
Publication status: Published - 21 Nov 2023
MoE publication type: A4 Article in a conference publication
Event: International Design Engineering Technical Conferences: Computers and Information in Engineering Conference - Boston, United States
Duration: 20 Aug 2023 - 23 Aug 2023

Conference

Conference: International Design Engineering Technical Conferences
Abbreviated title: IDETC/CIE2023
Country/Territory: United States
City: Boston
Period: 20/08/23 - 23/08/23

Keywords

  • Risk assessment
  • Risk management
  • Cyber insurance
  • Cybersecurity
  • DELPHI
  • CyberRiskDELPHI
