QUANTITATIVE METHODOLOGY FOR ASSESSING CYBERSECURITY RISKS IN THE ABSENCE OF FINANCIAL DATA ON LOSSES
DOI: https://doi.org/10.28925/2663-4023.2024.26.659
Keywords: information technologies, cybersecurity, risk assessment, hybrid warfare, quantitative assessment, military ICS, cyber warfare
Abstract
The article addresses the pressing issue of cybersecurity risk assessment in military information and communication systems (ICS) during aggressive warfare, where it is impossible to assess potential losses in monetary terms, and considering the specifics of hybrid threats. The introduction discusses the relevance of the problem and emphasizes the need for a proactive cyber defense strategy and timely risk assessment, especially in the context of the active use of cyberweapons by the adversary. Particular attention is given to the impossibility of assessing potential losses from cyberattacks in monetary terms, which necessitates new approaches to risk assessment. The section “Specifics of Cybersecurity Risk Assessment in the ICS of the Armed Forces of Ukraine” analyzes existing standards and methodologies, such as the standards of the DSTU ISO/IEC 27000 group, as well as current cybersecurity risk assessment methodologies, and reveals the limitations of their application in wartime conditions. The section emphasizes the importance of automating the risk assessment process to ensure a rapid response to cyber threats. The advantages of quantitative risk assessment models over qualitative ones are considered, especially in the context of military information and communication systems. The following sections examine in detail the key risk assessment processes according to DSTU ISO/IEC 27005:2023 and in accordance with current methodologies. A comparative analysis of the OCTAVE, NIST, COBIT, TARA, and FAIR methodologies is conducted from the perspective of their suitability for the needs of the Armed Forces of Ukraine. The advantages and disadvantages of each methodology are discussed, and the necessity of developing a new methodology based on OpenFAIR (an open version of the FAIR methodology), adapted to the specifics of military ICS and the realities of hybrid warfare, is substantiated. 
The research results are presented in the form of an activity diagram for a cybersecurity risk assessment algorithm in military information and communication systems, along with a detailed description of these steps, emphasizing the differences from the OpenFAIR methodology. The “Conclusions” section summarizes the work done and formulates proposals for further research.
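The abstract argues for an OpenFAIR-based quantitative model in which loss cannot be expressed in money. The following is an added illustration (not the article's algorithm or the Open Group's code) of what such an adaptation can look like: the OpenFAIR factor chain (Threat Event Frequency, threat capability versus resistance strength, Loss Magnitude) is run as a Monte Carlo, with Loss Magnitude replaced by a constructed ordinal mission-impact scale so that assets and control options can still be ranked. `IMPACT_SCALE`, `loss_event_occurs`, `simulate` and the input values are assumptions.

```python
"""Added example, not the article's own algorithm: an OpenFAIR-style Monte Carlo
risk estimate in which Loss Magnitude is an ordinal mission-impact score rather
than a monetary loss, so assets can be ranked without financial loss data."""
import random
from statistics import mean, quantiles

# Constructed ordinal scale standing in for monetary loss magnitude (assumption).
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 4, "major": 8, "critical": 16}


def loss_event_occurs(threat_capability, resistance_strength, rng):
    """OpenFAIR vulnerability: a threat event becomes a loss event when the
    threat's capability exceeds the control's resistance strength. Both are
    0..1 percentile estimates, sampled with Gaussian uncertainty (assumption)."""
    tc = rng.gauss(threat_capability, 0.1)
    rs = rng.gauss(resistance_strength, 0.1)
    return tc > rs


def simulate(tef, threat_capability, resistance_strength,
             likely_impact, worst_impact, threshold, iterations=10000, seed=7):
    """tef = (min, likely, max) threat events per year (calibrated estimate).
    Returns summary statistics of the annual mission-impact score."""
    rng = random.Random(seed)
    lo, likely, hi = tef
    annual = []
    for _ in range(iterations):
        events = round(rng.triangular(lo, hi, likely))   # Threat Event Frequency
        score = 0
        for _ in range(events):
            if loss_event_occurs(threat_capability, resistance_strength, rng):
                # Loss Magnitude per event: ordinal score, not currency
                score += rng.triangular(IMPACT_SCALE["negligible"],
                                        IMPACT_SCALE[worst_impact],
                                        IMPACT_SCALE[likely_impact])
        annual.append(score)
    p90 = quantiles(annual, n=10)[-1]
    return {"mean": mean(annual), "p90": p90, "max": max(annual),
            # probability the annual impact reaches a commander-set tolerance
            "p_exceed": sum(s >= threshold for s in annual) / iterations}


if __name__ == "__main__":
    # Constructed asset: a field C2 node, 5-20 threat events/year, compared
    # under weak (0.4) and strong (0.8) resistance strength.
    weak = simulate((5, 10, 20), 0.7, 0.4, "moderate", "critical", threshold=20)
    strong = simulate((5, 10, 20), 0.7, 0.8, "moderate", "critical", threshold=20)
    print("weak controls  :", weak)
    print("strong controls:", strong)
```

The outputs are dimensionless scores, so they are only meaningful relative to each other (ranking assets or control options), which is the trade-off the abstract accepts when monetary loss data are unavailable.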
License
Copyright (c) 2024 Олексій Байдур
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.