ABSTRACT
AUTHOR: W. Kanoun
MEETING: NATO SAS-106 Symposium on "Analysis to Decision Making in Cyber Defence and Security"
VENUE: Tallinn, Estonia (June 9-10, 2014)
TITLE: Calculating & Composing Elementary Risks: Novel Decision Support System for Cyber Defence

Nowadays, risk management models are widely used to identify, evaluate and treat the prominent risks facing an organization. These models are organizational (business-aware) rather than technical, and they enable a security officer to manage risks in the long run. Every organization relies on an ICT system in which changes occur continuously and new vulnerabilities are detected. Continuous cyber security management is required to address the potential breaches that may result from those changes. This operational management is based on technical processes, executed by administrators who are not necessarily aware of the business or missions of the organization. This gap between the technical and organizational levels renders traditional risk assessment methods cumbersome and obsolete. We propose the novel concept of an Elementary Risk (ER), which represents a quantum of risk for the organization. Composite Risks (CRs) are calculated from ERs and presented to the security officer. A CR allows organizational risks to be calculated while taking the current state of the ICT system into account. Moreover, ERs and CRs make it possible to evaluate the contribution of technical elements (e.g. a vulnerability or a server) or security controls (e.g. a patch or a firewall rule) to the overall risk profile of the organization.