CyberRiskDELPHI: towards objective cyber risk assessment for complex systems

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

Abstract

Risk assessment is an essential step in architecting the resilience (safety/security) of a mission-critical software-intensive system, as well as in its regular maintenance procedures. It is closely related to estimating the (cyber) insurance needs of the system. Managing cyber risk involves gathering threat intelligence, prioritizing the current threats against the system of interest, and planning mitigation strategies. While reliability engineering can rely on a relatively stable set of failure modes and on statistical data about their probabilities of occurrence, security deals with a dynamic threat environment. This reality has dictated the use of qualitative methods (such as STRIDE and DREAD) that rely on the experience and specific background of the person performing the study. This subjectivity draws criticism, since results calculated by different experts for the same system can vary significantly. The challenge has been addressed in the past with the DELPHI method, which aims to reduce subjectivity by using a group of experts. The scientific contribution of this paper is the development of CyberRiskDELPHI, a modified version of the original DELPHI method for the identification and prioritization of cyber risks. It is demonstrated on a case study of a 5G tactical bubble covering the communication needs of a critical operation. An early evaluation of the use of a large language model (ChatGPT) for risk identification and prioritization in this case study is also included as a complementary side activity, giving an indication of future developments in the risk assessment domain.
Original language: English
Title of host publication: 43rd Computers and Information in Engineering Conference (CIE)
Publisher: American Society of Mechanical Engineers (ASME)
Number of pages: 10
Volume: 2
ISBN (Electronic): 978-0-7918-8729-5
DOIs
Publication status: Published - 21 Nov 2023
MoE publication type: A4 Article in a conference publication
Event: International Design Engineering Technical Conferences: Computers and Information in Engineering Conference - Boston, United States
Duration: 20 Aug 2023 to 23 Aug 2023

Conference

Conference: International Design Engineering Technical Conferences
Abbreviated title: IDETC/CIE2023
Country/Territory: United States
City: Boston
Period: 20/08/23 to 23/08/23

Funding

This work was partially supported by the AI-NETANTILLAS project (CELTIC-NEXT, C2019/3-3), funded by Business Finland. This research was partially supported by the Technical University of Denmark and the Naval Postgraduate School. Any opinions or findings of this work are the responsibility of the authors and do not necessarily reflect the views of the sponsors or collaborators. The case studies presented in this publication, while inspired by real systems and real events, are intentionally fictional and idealized in nature. Approved for Public Release; distribution is unlimited.

Keywords

  • Risk assessment
  • risk management
  • Cyber insurance
  • Cybersecurity
  • DELPHI
  • CyberRiskDELPHI
