A Methodology to Support Automatic Cyber Risk Assessment Review
Marco Angelini, Silvia Bonomi, Alessandro Palma

TL;DR
This paper proposes a methodology to automate parts of cyber risk assessment reviews, reducing subjectivity by mapping security controls to automatable infrastructural aspects and validating the approach with a healthcare case study.
Contribution
It introduces a novel methodology that supports automatic review of cyber risk assessments by linking security controls to automatable infrastructure elements, enhancing objectivity.
Findings
Effective identification of controls needing revision
Validated approach through healthcare case study
Statistical analysis supports methodology's reliability
Abstract
Cyber risk assessment is a fundamental activity for enhancing the protection of an organization, identifying and evaluating the exposure to cyber threats. Currently, this activity is carried out mainly manually and the identification and correct quantification of risks deeply depend on the experience and confidence of the human assessor. As a consequence, the process is not completely objective and two parallel assessments of the same situation may lead to different results. This paper takes a step in the direction of reducing the degree of subjectivity by proposing a methodology to support risk assessors with an automatic review of the produced assessment. Our methodology starts from a controls-based assessment performed using well-known cybersecurity frameworks (e.g., ISO 27001, NIST) and maps security controls over infrastructural aspects that can be assessed automatically (e.g., ICT…
Taxonomy
Topics: Information and Cyber Security
