Quantifying and Analyzing Information Security Risk from Incident Data
Multiple cybersecurity risk assessment and root cause analysis methods propose incident data as a source of information. However, applying incident data in risk assessments is not a straightforward matter. The paper trail of incident data is often incomplete, ambiguous, and dependent on the incident handlers' routines for keeping records. Current incident classification approaches classify each incident as one specific type, for example, “Data spillage,” “Compromised information,” or “Hacking.” Through incident analysis, we found that the current classification schemes are ambiguous and that most incidents consist of additional components. This paper builds on previous work on incident classifications and proposes a method for quantifying and risk-analyzing incident data to improve decision-making. The applied approach uses a set of incident data to derive the causes, outcomes, and frequencies of risk events. The data in this paper was gathered from a year of incident handling at a Scandinavian university’s security operations center (SOC), and consists of 550 handled incidents from November 2016 to October 2017. By applying the proposed method, this paper offers empirical insight into the risk frequencies of the University during the period. We demonstrate the utility of the approach by deducing the properties of the most frequent risks and creating graphical representations of risks using a bow-tie diagram. The primary contribution of this paper is highlighting the ambiguity of existing incident classification methods and showing how to address it in risk quantification. Additionally, we apply the data in risk analysis to provide insight into common cyber risks faced by the University during the period. A fundamental limitation is that this study only defines adverse outcomes and does not include consequence estimates.
Keywords: Information security, Cyber security, Security incidents, Risk analysis, Threat intelligence
The NTNU digital security section and SOC consisting of Christoffer Vargtass Hallstensen, Frank Wikstrøm, Harald Hauknes, Hans Åge Marthinsen, Vebjørn Slyngstadli, Gunnar Dørum, Lars Einarsen, and Stian Husemoen. Vivek Agrawal and the anonymous reviewers for help with quality assurance.
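The abstract's central point is that a single-type classification hides the additional components most incidents carry, and that treating an incident as a set of causes and outcomes lets one count risk events (cause leading to outcome) and lay them out as a bow-tie. The following is an added illustration written for this page, not the paper's own method or code and not its 550 NTNU incidents: the incident records, the field names `causes`/`outcomes`, and the component labels are all constructed assumptions. It contrasts the single-label count with the multi-component count, derives (cause, outcome) frequencies, scales a count to an annual rate, and renders a plain-text bow-tie around a chosen top event.

```python
from collections import Counter
from itertools import product

# Constructed sample incidents (NOT the paper's data). Each record carries several
# components: the causes that led to it and the adverse outcomes observed. The
# field names and component labels are assumptions made for this illustration.
INCIDENTS = [
    {"id": 1, "causes": ["phishing"], "outcomes": ["compromised_account"]},
    {"id": 2, "causes": ["phishing", "weak_password"],
     "outcomes": ["compromised_account", "spam_sent"]},
    {"id": 3, "causes": ["malware"], "outcomes": ["compromised_host"]},
    {"id": 4, "causes": ["phishing"], "outcomes": ["compromised_account", "data_exposure"]},
    {"id": 5, "causes": ["misconfiguration"], "outcomes": ["data_exposure"]},
    {"id": 6, "causes": ["weak_password"], "outcomes": ["compromised_account"]},
    {"id": 7, "causes": ["malware", "phishing"],
     "outcomes": ["compromised_host", "compromised_account"]},
    {"id": 8, "causes": ["lost_device"], "outcomes": ["data_exposure"]},
]


def single_type_view(incidents):
    """The conventional scheme: each incident gets exactly one type. Here the
    first listed cause stands in for that single label, so every secondary
    component is silently dropped from the statistics."""
    return Counter(inc["causes"][0] for inc in incidents)


def component_frequencies(incidents, field):
    """Multi-component view: count every cause (or outcome) an incident carries.
    A component is counted at most once per incident."""
    counter = Counter()
    for inc in incidents:
        counter.update(set(inc[field]))
    return counter


def risk_event_frequencies(incidents):
    """A risk event is a (cause, outcome) pair observed in the same incident.
    Counting pairs gives how often each cause was seen leading to each outcome."""
    counter = Counter()
    for inc in incidents:
        counter.update(product(set(inc["causes"]), set(inc["outcomes"])))
    return counter


def rate_per_year(count, observation_days):
    """Scale an observed count to an annual frequency for risk quantification."""
    return count * 365.0 / observation_days


def bow_tie(incidents, top_event):
    """Bow-tie around a central (top) event: the causes on the left are the
    threats seen in incidents containing the event; the consequences on the
    right are the other outcomes that co-occurred with it."""
    causes, consequences = Counter(), Counter()
    matching = [inc for inc in incidents if top_event in inc["outcomes"]]
    for inc in matching:
        causes.update(set(inc["causes"]))
        consequences.update(set(inc["outcomes"]) - {top_event})
    return {"top_event": top_event, "count": len(matching),
            "causes": causes, "consequences": consequences}


def render_bow_tie(tie):
    """Plain-text rendering of a bow-tie, most frequent components first."""
    lines = [f"Top event: {tie['top_event']} ({tie['count']} incidents)",
             "  Causes (left):"]
    for name, n in tie["causes"].most_common():
        lines.append(f"    {name:<20} {n:>3} -->")
    lines.append("  Consequences (right):")
    for name, n in tie["consequences"].most_common():
        lines.append(f"    --> {name:<20} {n:>3}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Single-type view:    ", dict(single_type_view(INCIDENTS)))
    print("Multi-component view:", dict(component_frequencies(INCIDENTS, "causes")))
    (cause, outcome), n = risk_event_frequencies(INCIDENTS).most_common(1)[0]
    print(f"Most frequent risk event: {cause} -> {outcome} ({n} incidents)")
    print(render_bow_tie(bow_tie(INCIDENTS, "compromised_account")))
```

On this constructed data the single-type view reports phishing in 3 incidents while the multi-component view finds it in 4, which is exactly the kind of undercount the abstract attributes to one-type-per-incident schemes; the (cause, outcome) counts and the bow-tie are what a risk analyst would then read off to see which cause most often ends in which adverse outcome.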