RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

Michael Krisper; Jürgen Dobaj; Georg Macher; Christoph Schmittner

doi:10.1007/978-3-030-28005-5_4

RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

Michael Krisper^*, Jürgen Dobaj, Georg Macher, Christoph Schmittner

^*Korrespondierende/r Autor/-in für diese Arbeit

Institut für Technische Informatik (4480)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.

Originalsprache	englisch
Titel	Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings
Redakteure/-innen	Alastair Walker, Rory V. O’Connor, Richard Messnarz
Herausgeber (Verlag)	Springer Verlag
Seiten	45-56
Seitenumfang	12
ISBN (Print)	9783030280048
DOIs	https://doi.org/10.1007/978-3-030-28005-5_4
Publikationsstatus	Veröffentlicht - Sept. 2019
Veranstaltung	26th European Conference on Systems, Software and Services Process Improvement: EuroSPI 2019 - Edinburgh, Großbritannien / Vereinigtes Königreich Dauer: 18 Sept. 2019 → 20 Sept. 2019

Publikationsreihe

Name	Communications in Computer and Information Science
Band	1060
ISSN (Print)	1865-0929
ISSN (elektronisch)	1865-0937

Konferenz

Konferenz	26th European Conference on Systems, Software and Services Process Improvement
Land/Gebiet	Großbritannien / Vereinigtes Königreich
Ort	Edinburgh
Zeitraum	18/09/19 → 20/09/19

ASJC Scopus subject areas

Allgemeine Computerwissenschaft
Allgemeine Mathematik

Fields of Expertise

Information, Communication & Computing

Zugriff auf Dokument

10.1007/978-3-030-28005-5_4

Andere Dateien und Links

http://www.scopus.com/inward/record.url?scp=85072983274&partnerID=8YFLogxK

1 Laufend
2 Abgeschlossen

Industrial Informatics
Macher, G., Dobaj, J., Krug, T., Blažević, R. & Veledar, O.
1/09/12 → …
Projekt: Arbeitsgebiet
AH-DHYAMONT - Steuerungsplattform für Stromerzeugung aus Wasserkraft
Macher, G., Krisper, M., Dobaj, J. & Krug, T.
1/01/19 → 1/02/21
Projekt: Forschungsprojekt
AH-HyUnify-Erweiterung - Steuerungsplattform für Stromerzeugung aus Wasserkraft
Macher, G., Krisper, M. & Dobaj, J.
1/10/18 → 31/03/19
Projekt: Forschungsprojekt

26th European Conference on System, Software and Service Process Improvement & Innovation: EuroSPI 2019
Jürgen Dobaj (Redner/in), Michael Krisper (Redner/in), Georg Macher (Redner/in) & Georg Macher (Keynote speaker)
18 Sept. 2019 → 20 Sept. 2019
Aktivität: Vortrag oder Präsentation › Vortrag bei Konferenz oder Fachtagung › Science to science

Dieses zitieren

Krisper, M., Dobaj, J., Macher, G., & Schmittner, C. (2019). RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. in A. Walker, R. V. O’Connor, & R. Messnarz (Hrsg.), Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings (S. 45-56). (Communications in Computer and Information Science; Band 1060). Springer Verlag. https://doi.org/10.1007/978-3-030-28005-5_4

RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. / Krisper, Michael; Dobaj, Jürgen; Macher, Georg et al.
Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Hrsg. / Alastair Walker; Rory V. O’Connor; Richard Messnarz. Springer Verlag, 2019. S. 45-56 (Communications in Computer and Information Science; Band 1060).

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Krisper, M, Dobaj, J, Macher, G & Schmittner, C 2019, RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. in A Walker, RV O’Connor & R Messnarz (Hrsg.), Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Communications in Computer and Information Science, Bd. 1060, Springer Verlag, S. 45-56, 26th European Conference on Systems, Software and Services Process Improvement, Edinburgh, Großbritannien / Vereinigtes Königreich, 18/09/19. https://doi.org/10.1007/978-3-030-28005-5_4

Krisper M, Dobaj J, Macher G, Schmittner C. RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. in Walker A, O’Connor RV, Messnarz R, Hrsg., Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Springer Verlag. 2019. S. 45-56. (Communications in Computer and Information Science). doi: 10.1007/978-3-030-28005-5_4

Krisper, Michael ; Dobaj, Jürgen ; Macher, Georg et al. / RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security. Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings. Hrsg. / Alastair Walker ; Rory V. O’Connor ; Richard Messnarz. Springer Verlag, 2019. S. 45-56 (Communications in Computer and Information Science).

@inproceedings{23848b1cda8e447abec5ba1e747266c6,

title = "RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security",

abstract = "In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.",

keywords = "Attack trees, Cyber physical security, Diamond model, FAIR method, IT-security, Risk assessment, Risk propagation",

author = "Michael Krisper and J{\"u}rgen Dobaj and Georg Macher and Christoph Schmittner",

year = "2019",

month = sep,

doi = "10.1007/978-3-030-28005-5_4",

language = "English",

isbn = "9783030280048",

series = "Communications in Computer and Information Science",

publisher = "Springer Verlag",

pages = "45--56",

editor = "Alastair Walker and O{\textquoteright}Connor, {Rory V.} and Richard Messnarz",

booktitle = "Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings",

address = "Germany",

note = "26th European Conference on Systems, Software and Services Process Improvement : EuroSPI 2019 ; Conference date: 18-09-2019 Through 20-09-2019",

}

TY - GEN

T1 - RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

AU - Krisper, Michael

AU - Dobaj, Jürgen

AU - Macher, Georg

AU - Schmittner, Christoph

PY - 2019/9

Y1 - 2019/9

N2 - In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.

AB - In this paper, the RISKEE method for evaluating risk in cyber security is described. RISKEE is based on attack graphs and the Diamond model combined with the FAIR method for assessing and calculating risk. It can be used to determine the risks of cyber-security attacks as a basis for decision-making. It works by forwarding estimations of attack frequencies and probabilities over an attack graph, calculating the risk at impact nodes with Monte-Carlo simulation, and propagating the resulting risk backward again. The method can be applied throughout all development phases and even be refined at runtime of a system. It involves system analysts, cyber security experts as well as domain experts for judgement of the attack frequencies, system vulnerabilities, and loss magnitudes.

KW - Attack trees

KW - Cyber physical security

KW - Diamond model

KW - FAIR method

KW - IT-security

KW - Risk assessment

KW - Risk propagation

UR - http://www.scopus.com/inward/record.url?scp=85072983274&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-28005-5_4

DO - 10.1007/978-3-030-28005-5_4

M3 - Conference paper

AN - SCOPUS:85072983274

SN - 9783030280048

T3 - Communications in Computer and Information Science

SP - 45

EP - 56

BT - Systems, Software and Services Process Improvement - 26th European Conference, EuroSPI 2019, Proceedings

A2 - Walker, Alastair

A2 - O’Connor, Rory V.

A2 - Messnarz, Richard

PB - Springer Verlag

T2 - 26th European Conference on Systems, Software and Services Process Improvement

Y2 - 18 September 2019 through 20 September 2019

ER -

RISKEE: A Risk-Tree Based Method for Assessing Risk in Cyber Security

Abstract

Publikationsreihe

Konferenz

ASJC Scopus subject areas

Fields of Expertise

Zugriff auf Dokument

Andere Dateien und Links

Fingerprint

Projekte

Industrial Informatics

AH-DHYAMONT - Steuerungsplattform für Stromerzeugung aus Wasserkraft

AH-HyUnify-Erweiterung - Steuerungsplattform für Stromerzeugung aus Wasserkraft

Aktivitäten

26th European Conference on System, Software and Service Process Improvement & Innovation: EuroSPI 2019

Dieses zitieren