Quantitative risk analysis in cybersecurity
InformationFörfattare: Elin Carlsson, Moa Mattsson
Beräknat färdigt: 2019-06
Handledare: Emelie Eriksson Thörnell
Handledares företag/institution: Nixu Cybersecurity
Ämnesgranskare: Björn Victor
PresentationerPresentation av Elin Carlsson
Presentationstid: 2019-06-04 13:15
Presentation av Moa Mattsson
Presentationstid: 2019-06-04 14:15
Opponenter: Elsa Bergman, Anna Eriksson
Today risk management has become an integrated part of many organizations’ daily practices to mitigate cyber threats. How the risk management process is carried out differs from organization to organization, but one commonality is the objective to prioritize risks in order to decide on how to allocate limited resources. To prioritize, the vast majority of organizations resort to some sort of scoring system, where each risk is evaluated to a predefined set of categories. A standard approach is to rate risks in terms of likelihood and impact, often on a scale varying from “low” to “high” and plot each risk in a matrix having likelihood and impact on the axes. The basic idea is that risks having higher scores are more critical to handle and that they should, therefore, be prioritized.
Although the qualitative approach to risk management has been endorsed and promoted by numerous major organizations, it poses several issues that need to be addressed. For example: How do we assure that a “high” risks for one analyst do not mean something different to another? And in cases where there are several high-labelled risks, how do we know which ones to prioritize? This paper will discuss these problems and describe how we have approached the issue of qualitative risk management by developing our own quantitative model, suitable for use at the cybersecurity consultant firm Nixu.
Our risk management model is created by studying and evaluating already existing risk management frameworks and by interviewing cybersecurity professionals about their perceptions of successful risk management processes. The results of our work indicate that the need for more quantitative models within the cybersecurity community is substantial. However, these potential developments are also highly dependent on the cybersecurity community to reach a more mature level of understanding for risk management.