Calculating & Composing Elementary Risks: Novel Decision Support System for Cyber Defence

Since we started to rely more than ever on Information and Communications Technologies (ICT) in every aspect of modern life, we witness an accelerating growth in volume and complexity of drastic cyber attacks. In this cyber realm, where new vulnerabilities are daily discovered, organizations strive to manage risks dynamically & effectively in order to thwart cyber-attacks proliferation. Hence, they often perform cyber security management through two levels: (technical) administrators and CSO office. The former perform technology-driven management of operation & security for ICT systems (e.g. updates, firewall rules), by enforcing security policies as defined by the security officer. On the other hand, the latter adopts a strategic & business-aware standpoint, in order to conformably design and update security policies. The CSO first conducts a business-driven risk analysis before deriving appropriate decisions for his administrators. However, and contrary to administrators, the CSO is not aware of the highly dynamic system's technical state. This gap renders traditional risks assessment methods cumbersome and often obsolete. In this paper, we propose a novel system that provides an automated, dynamic and quantified assessment of organizational risks, which fills the gap by considering both strategic and technical aspects of the supporting ICT system. First, we propose a novel concept of quantum elementary risk (ER). An ER is a single detrimental event sustained by a single (organizational) asset, which is inflected by a single potential technical attack scenario that leads to a single supporting asset (e.g. server, database). In order to instantiate the ERs set of the ICT system, we leverage attack graphs generation algorithms to obtain potential attack scenarios. Second, each ER is calculated with an ordered pair (Likelihood, Impact). The calculation process employs public data (e.g. CVSS [1]) and organization-related data (e.g. topology, business assets, etc.). Third, aggregation processes calculate organizational composite risks (CRs). CR depicts an evaluated organizational risk profile (business standpoint), while considering the technical state since they are derived directly from relevant ERs (technical standpoint). Thanks to the very definitions of ER and CR, the influence of each system element (e.g. router, firewall, and server) on the overall CRs can be quantified. Furthermore, the influence of each technical security measure can be calculated (e.g. FW rule activation/deactivation, patch deployment). This expedient feature provides decision-aid through a granular break-down analysis of unacceptable organizational risks, in order to identify "guilty" technical elements. Moreover, by simulating response measures, it enables the identification of effective one(s) and derives optimal response strategy. Finally, we present a prototype that demonstrates the relevance of our work in a banking use case: we show how organizational risks profile of this example is quantified considering its ICT state. Moreover, we highlight the automation, dynamicity and quantification properties of our system; e.g. updating organizational risks when new ICT vulnerabilities are discovered, identifying most urgent patches or firewall rules to deploy, etc. This unprecedentedly fills the gap between technical awareness and business risks in organizations, and enables permeated situational awareness for consummate decision support.