CSIRA: A Method for Analysing the Risk of Cybersecurity Incidents

  • Aitor Couce-Vieira
  • Siv Hilde Houmb
  • David Ríos-Insua
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10744)


Analysing risk is critical for dealing with cybersecurity incidents. However, there is no explicit method for analysing risk during cybersecurity incidents, since existing methods focus on identifying the risks that a system might face throughout its life. This paper presents a method for analysing the risk of cybersecurity incidents based on an incident risk analysis model, a method for eliciting likelihoods based on the oddness of events and a method for categorising the potential ramifications of cybersecurity incidents.


Keywords: Cybersecurity; Risk analysis; Incident risk analysis; Decision support



The authors are grateful for the support of the MINECO MTM2014-56949-C3-1-R project, the AXA-ICMAT Chair in Adversarial Risk Analysis, the Regional Forskingsfond Vestlandet project 245291 Cybersecurity Incident Response Framework, and the COST IS1304 Action on Expert Judgement.



Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Aitor Couce-Vieira (1, 3)
  • Siv Hilde Houmb (2)
  • David Ríos-Insua (3)
  1. Universidad Rey Juan Carlos, Madrid, Spain
  2. Secure-NOK AS, Stavanger, Norway
  3. Consejo Superior de Investigaciones Científicas, Instituto de Ciencias Matemáticas, Madrid, Spain
