Cyber-Risk Management (eBook)

eBook Download: PDF
2015 | 1st edition
XI, 146 pages
Springer-Verlag
978-3-319-23570-7 (ISBN)

Cyber-Risk Management - Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
74.89 incl. VAT
  • Download available immediately

This book provides a brief and general introduction to cybersecurity and cyber-risk assessment. Not limited to a specific approach or technique, its focus is highly pragmatic and is based on established international standards (including ISO 31000) as well as industrial best practices. It explains how cyber-risk assessment should be conducted, which techniques should be used when, what the typical challenges and problems are, and how they should be addressed.

The content is divided into three parts. First, part I provides a conceptual introduction to the topic of risk management in general and to cybersecurity and cyber-risk management in particular. Next, part II presents the main stages of cyber-risk assessment from context establishment to risk treatment and acceptance, each illustrated by a running example. Finally, part III details four important challenges and how to reasonably deal with them in practice: risk measurement, risk scales, uncertainty, and low-frequency risks with high consequence.

The target audience is mainly practitioners and students who are interested in the fundamentals and basic principles and techniques of security risk assessment, as well as lecturers seeking teaching material. The book provides an overview of the cyber-risk assessment process, the tasks involved, and how to complete them in practice.



Atle Refsdal is a senior research scientist at SINTEF ICT in Norway, where he is involved in international as well as national research projects. His research interests include formal specification and analysis, as well as model-based risk analysis. In addition to his academic background he also has several years of industrial experience from the fields of knowledge engineering and industrial automation.

Ketil Stølen has broad experience in basic as well as applied research. He has led the development of the CORAS method from its inception and was the technical manager of the related EU project. Since then he has led several research projects funded by the Research Council of Norway that considerably refined and extended the original CORAS approach. A book on the CORAS method, supported by a free tool, was published in 2011.

Bjørnar Solhaug is a senior research scientist at SINTEF ICT in Norway. His research interests include risk and security management, threat and risk modelling, and formal/semi-formal techniques. He is one of the co-authors of the book on the CORAS approach to model-driven risk analysis (Springer 2011).

Preface 6
Contents 8
Acronyms 12
1 Introduction 13
1.1 Aim and Emphasis 14
1.2 Policy of Writing and Presentation 14
1.3 Structure and Organization 15
1.3.1 Part I: Conceptual Introduction 15
1.3.2 Part II: Cyber-risk Assessment Exemplified 16
1.3.3 Part III: Known Challenges 16
1.4 Intended Readers and Ways to Read 17
1.5 Relevant Standards 18
Part I Conceptual Introduction 19
2 Risk Management 20
2.1 What is Risk? 20
2.2 What is Risk Management? 23
2.3 Communication and Consultation 24
2.3.1 Establish a Consultative Team 25
2.3.2 Define a Plan for Communication and Consultation 25
2.3.3 Ensure Endorsement of the Risk Management Process 25
2.3.4 Communicate Risk Assessment Results 26
2.4 Risk Assessment 26
2.4.1 Context Establishment 26
2.4.2 Risk Identification 29
2.4.3 Risk Analysis 31
2.4.4 Risk Evaluation 32
2.4.5 Risk Treatment 32
2.5 Monitoring and Review 33
2.5.1 Monitoring and Review of Risks 34
2.5.2 Monitoring and Review of Risk Management 34
2.6 Further Reading 35
3 Cyber-systems 36
3.1 What is a Cyberspace? 36
3.2 What is a Cyber-system? 37
3.3 Further Reading 37
4 Cybersecurity 39
4.1 What is Cybersecurity? 39
4.2 How Does Cybersecurity Relate to Information Security? 40
4.3 How Does Cybersecurity Relate to Critical Infrastructure Protection? 40
4.4 How Does Cybersecurity Relate to Safety? 41
4.5 Further Reading 42
5 Cyber-risk Management 43
5.1 What is Cyber-risk? 43
5.2 Communication and Consultation of Cyber-risk 44
5.3 Cyber-risk Assessment 45
5.3.1 Context Establishment for Cyber-risk 47
5.3.2 Identification of Malicious Cyber-risk 47
5.3.3 Identification of Non-malicious Cyber-risk 50
5.3.4 Analysis of Cyber-risk 52
5.3.5 Evaluation of Cyber-risk 53
5.3.6 Treatment of Cyber-risk 54
5.4 Monitoring and Review of Cyber-risk 55
5.4.1 Monitoring and Review of Cyber-risk 56
5.4.2 Monitoring and Review of Cyber-risk Management 56
5.5 Further Reading 57
Part II Cyber-risk Assessment Exemplified 58
6 Context Establishment 59
6.1 Context, Goals, and Objectives 59
6.1.1 External Context 60
6.1.2 Internal Context 60
6.1.3 Goals and Objectives 60
6.2 Target of Assessment 61
6.2.1 Electricity Customer 62
6.2.2 Distribution System Operator 62
6.2.3 Communication Channels Between Components 63
6.3 Interface to Cyberspace and Attack Surface 63
6.4 Scope, Focus, and Assumptions 64
6.4.1 Scope 64
6.4.2 Focus 64
6.4.3 Assumptions 65
6.5 Assets, Scales, and Risk Evaluation Criteria 65
6.5.1 Assets 65
6.5.2 Likelihood Scale 66
6.5.3 Consequence Scales 66
6.5.4 Risk Evaluation Criteria 67
6.6 Further Reading 68
7 Risk Identification 69
7.1 Risk Identification Techniques 69
7.2 Malicious Risks 72
7.2.1 Threat Source Identification 73
7.2.2 Threat Identification 74
7.2.3 Vulnerability Identification 76
7.2.4 Incident Identification 78
7.3 Non-malicious Risks 81
7.3.1 Incident Identification 83
7.3.2 Vulnerability Identification 84
7.3.3 Threat Identification 85
7.3.4 Threat Source Identification 87
7.4 Further Reading 88
8 Risk Analysis 89
8.1 Threat Analysis 89
8.1.1 Malicious Threats 90
8.1.2 Non-malicious Threats 91
8.2 Vulnerability Analysis 92
8.2.1 Malicious Threat Vulnerabilities 93
8.2.2 Non-malicious Threat Vulnerabilities 93
8.3 Likelihood of Incidents 94
8.4 Consequence of Incidents 96
8.5 Further Reading 97
9 Risk Evaluation 98
9.1 Consolidation of Risk Analysis Results 98
9.2 Evaluation of Risk Level 99
9.3 Risk Aggregation 99
9.4 Risk Grouping 102
9.5 Further Reading 103
10 Risk Treatment 104
10.1 Risk Treatment Identification 104
10.1.1 Malicious Risks 104
10.1.2 Non-malicious Risks 106
10.2 Risk Acceptance 108
10.3 Further Reading 110
Part III Known Challenges and How to Address Them in Practice 111
11 Which Measure of Risk Level to Use? 112
11.1 Two-factor Measure 112
11.2 Three-factor Measure 113
11.3 Many-factor Measure 114
11.4 Which Measure to Use for Cyber-risk? 115
11.5 Further Reading 115
12 What Scales Are Best Suited Under What Conditions? 116
12.1 Classification of Scales 116
12.2 Qualitative Versus Quantitative Risk Assessment 117
12.3 Scales for Likelihood 119
12.4 Scales for Consequence 120
12.5 What Scales to Use for Cyber-risk? 120
12.6 Further Reading 121
13 How to Deal with Uncertainty? 122
13.1 Conceptual Clarification 122
13.2 Kinds of Uncertainty 123
13.3 Representing Uncertainty 124
13.4 Reducing Uncertainty 125
13.5 How to Handle Uncertainty for Cyber-risk? 126
13.6 Further Reading 126
14 High-consequence Risk with Low Likelihood 127
14.1 Dealing with Black Swans 127
14.2 Identifying Gray Swans 128
14.3 Communicating Gray Swans 129
14.4 Dealing with Gray Swans 130
14.5 Recognizing Gray Swans in Cyberspace 130
14.6 Further Reading 131
15 Conclusion 132
15.1 What We Have Put Forward in General 132
15.2 What We Have Put Forward in Particular 133
15.3 What We Have Not Covered 134
Glossary 135
References 138
Index 142

Publication date (per publisher): 1 Oct 2015
Series: SpringerBriefs in Computer Science
Additional info: XI, 145 p. 32 illus.
Place of publication: Cham
Language: English
Subject areas: Mathematics / Computer Science: Computer Science
Business: Business Administration / Management: Logistics / Production
Business: Business Administration / Management: Business Informatics
Keywords: application security • ISO 31000 • probability and statistics • Quality Control, Reliability, Safety and Risk • risk analysis • risk management • software development • Systems Security
ISBN-10 3-319-23570-2 / 3319235702
ISBN-13 978-3-319-23570-7 / 9783319235707
File format: PDF (watermarked)
Size: 2.0 MB

DRM: digital watermark
This eBook contains a digital watermark and is therefore personalised to you. If the eBook is improperly passed on to third parties, the copy can be traced back to its source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost any device, but it is only of limited use on small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer, e.g. the free Adobe Digital Editions app.

Additional feature: read online
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can only sell eBooks within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.

Discover more from this area
Null-Fehler-Management in der Praxis
by Kurt Matyas; Berndt Jung; Stefan Schweißer
eBook Download (2023)
Carl Hanser Verlag GmbH & Co. KG
49.99
Manufacturing Excellence in der Smart Factory
by Jürgen Kletti; Jürgen Rieger
eBook Download (2023)
Springer Vieweg (Verlag)
69.99