
Exploring How Component Factors and Their Uncertainty Affect Judgements of Risk in Cyber-Security

  • Conference paper
  • Critical Information Infrastructures Security (CRITIS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11777)

Abstract

Subjective judgements from experts provide essential information when assessing and modelling threats with respect to cyber-physical systems. For example, the vulnerability of individual system components can be described using multiple factors, such as complexity, technological maturity, and the availability of tools to aid an attack. Such information is useful for determining attack risk, but much of it is challenging to acquire automatically and instead must be collected through expert assessments. However, most experts inherently carry some degree of uncertainty in their assessments. For example, it is impossible to be certain precisely how many tools are available to aid an attack. Traditional methods of capturing subjective judgements through choices such as high, medium or low do not enable experts to quantify their uncertainty. However, it is important to measure the range of uncertainty surrounding responses in order to appropriately inform system vulnerability analysis. We use a recently introduced interval-valued response format to capture uncertainty in experts’ judgements and employ inferential statistical approaches to analyse the data. We identify key attributes that contribute to hop vulnerability in cyber-systems and demonstrate the value of capturing the uncertainty around these attributes. We find that this uncertainty is not only predictive of uncertainty in the overall vulnerability of a given system component, but also significantly informs ratings of overall component vulnerability itself. We propose that these methods and associated insights can be employed in real-world situations, including vulnerability assessments of cyber-physical systems, which are becoming increasingly complex and integrated into society, making them particularly susceptible to uncertainty in assessment.
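The interval-valued response format described above, as an added illustration that is not the paper's own code or data: each named factor and the overall component vulnerability are captured as a [low, high] interval, interval width is treated as the expert's uncertainty, and a Pearson correlation checks whether factor-level uncertainty tracks uncertainty in the overall judgement. The 0-100 scale, the constructed ratings and the use of plain correlation (rather than the paper's inferential analysis) are assumptions.

```python
"""Interval-valued expert ratings (added example; hypothetical scale and data)."""
from math import sqrt
from statistics import mean

# Component factors named in the abstract; "overall" is the elicited component vulnerability.
FACTORS = ("complexity", "maturity", "tool_availability")

def width(iv):
    """Uncertainty of one interval response: its width (hi - lo) on an assumed 0-100 scale."""
    lo, hi = iv
    if not 0 <= lo <= hi <= 100:
        raise ValueError(f"invalid interval response {iv}")
    return hi - lo

def mean_factor_width(rating):
    """Average uncertainty across the component factors in one expert's rating."""
    return mean(width(rating[f]) for f in FACTORS)

def pearson(xs, ys):
    """Pearson correlation coefficient, written out so no 3.10+ statistics API is needed."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)

def factor_vs_overall_uncertainty(ratings):
    """Correlation between mean factor width and the width of each expert's
    overall vulnerability interval: the relationship the abstract reports."""
    xs = [mean_factor_width(r) for r in ratings]
    ys = [width(r["overall"]) for r in ratings]
    return pearson(xs, ys)

# Constructed sample: five experts rating the same component, intervals as (low, high).
RATINGS = [
    {"complexity": (60, 70), "maturity": (40, 50), "tool_availability": (70, 80), "overall": (60, 70)},
    {"complexity": (20, 80), "maturity": (30, 90), "tool_availability": (10, 95), "overall": (20, 90)},
    {"complexity": (50, 55), "maturity": (50, 60), "tool_availability": (45, 55), "overall": (50, 58)},
    {"complexity": (30, 70), "maturity": (20, 60), "tool_availability": (40, 90), "overall": (30, 75)},
    {"complexity": (55, 75), "maturity": (45, 70), "tool_availability": (60, 80), "overall": (55, 80)},
]

if __name__ == "__main__":
    print(f"r(factor width, overall width) = {factor_vs_overall_uncertainty(RATINGS):.2f}")
```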

Supported by EPSRC’s EP/P011918/1 grant and by the UK National Cyber Security Centre (NCSC).


Notes

  1. CESG has since been replaced by the NCSC (National Cyber Security Centre).



Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Ellerby, Z., McCulloch, J., Wilson, M., Wagner, C. (2020). Exploring How Component Factors and Their Uncertainty Affect Judgements of Risk in Cyber-Security. In: Nadjm-Tehrani, S. (eds) Critical Information Infrastructures Security. CRITIS 2019. Lecture Notes in Computer Science(), vol 11777. Springer, Cham. https://doi.org/10.1007/978-3-030-37670-3_3


  • DOI: https://doi.org/10.1007/978-3-030-37670-3_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37669-7

  • Online ISBN: 978-3-030-37670-3

  • eBook Packages: Computer Science (R0)
