Using historic attack data and internal vulnerability assessments to estimate IT risk. Application to a large Italian organization.

The process of risk assessment and management has been widely studied in the literature. Among the several domains that require some form of risk management (e.g. natural disasters, strategy and opportunity costs, etc.), the... [ view full abstract ]

The process of risk assessment and management has been widely studied in the literature. Among the several domains that require some form of risk management (e.g. natural disasters, strategy and opportunity costs, etc.), the risk associated with cyber attacks represents an interesting challenge as it must consider an attacker’s actions and capabilities. From the perspective of theoretical research this aspect of IT risk has been widely studied, and several assessment methodologies and attacker models have been proposed. From a practical standpoint, however, most organisations simply adopt red-yellow-green risk matrices and employ a worst-case scenario where their opponent is an all-powerful, all-knowing attacker. These assumptions are also often implied in theoretical research. In this setting, it remains an open issue how to measure or estimate the “likelihood of a cyber-attack”, a crucial step in most risk assessment methodologies. Existent RA literature shows that risk mis-quantification alone may lead to inefficient or counter-productive risk management decisions within the organisation.

With this work we discuss and propose a methodology to estimate attack likelihood based on historic attack data as recorded, for instance, by perimetral sensors such as an Intrusion Prevention System (IPS). We propose that this data can be further correlated with internal vulnerability assessment and system criticality measures to support the risk management process. Our contribution is threefold:

1. We first present a review of recent research results that challenge the typical theoretical assumptions made in RA research; this discussion provides the theoretical bases for the proposed methodology.

2. We present a new methodology that can be easily and inexpensively implemented to estimate the likelihood of receiving a cyber-attack against a specific system or type of system. This ultimately allows the organisation to devise a more realistic quantification of risk.

3. We apply our methodology to a large Italian organisation operating in the banking and online services market. Our results show that the methodology can be successfully applied to real-world scenarios and that it can be used to aid risk management decisions.