Assessing Risk Estimations for Cyber-Security Using Expert Judgment

Michael Krisper; Jürgen Dobaj; Georg Macher

doi:10.1007/978-3-030-56441-4_9

Assessing Risk Estimations for Cyber-Security Using Expert Judgment

Michael Krisper^*, Jürgen Dobaj, Georg Macher

^*Corresponding author for this work

Institute of Technical Informatics (4480)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

In this paper, we show a use-case of structured expert judgment to assess the risk of a cyber-security attack. We showcase the process of elicitating unknown and uncertain values using multiple experts and combining these judgments by weighing the experts based on their performance. The performance of an expert is assessed using the information and calibration score calculated from the judgments of calibration questions. The judgments are stated with three-points estimates of minimum, most likely, and maximum value, which serve as input for the PERT probability distribution. For the use-case, the input values frequency, vulnerability, and impact were asked. The combined results are propagated along an attack path to calculate the risk of a cyber-security attack. This was done using RISKEE, a tool for assessing risk in cyber-security and implementing the combination of expert judgments and propagation of the values in an attack-tree. It uses an attack graph to model the attack paths and applies probability distributions for the input values to consider the uncertainty of predictions and expert judgments. We also describe experiences and lessons-learned for conducting an expert elicitation to acquire input values for estimating risks in cyber-security.

Original language	English
Title of host publication	Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings
Editors	Murat Yilmaz, Paul Clarke, Jörg Niemann, Richard Messnarz
Publisher	Springer
Pages	120-134
Number of pages	15
ISBN (Print)	9783030564407
DOIs	https://doi.org/10.1007/978-3-030-56441-4_9
Publication status	Published - 9 Aug 2020
Event	27th European Conference on Systems, Software and Services Process Improvement: EuroSPI 2020 - Düsseldorf, Hybrider Event, Düsseldorf, Germany Duration: 9 Sept 2020 → 11 Sept 2020 https://2020.eurospi.net/

Publication series

Name	Communications in Computer and Information Science
Volume	1251 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Conference

Conference	27th European Conference on Systems, Software and Services Process Improvement
Abbreviated title	EuroSPI 2020
Country/Territory	Germany
City	Hybrider Event, Düsseldorf
Period	9/09/20 → 11/09/20
Internet address	https://2020.eurospi.net/

Keywords

Cyber-security
Expert elicitation
Expert judgment
Probabilistic methods
Risk assessment

ASJC Scopus subject areas

Computer Science(all)
Mathematics(all)
Safety, Risk, Reliability and Quality

Fields of Expertise

Information, Communication & Computing

Treatment code (Nähere Zuordnung)

Application

Access to Document

10.1007/978-3-030-56441-4_9

Cite this

Krisper, M., Dobaj, J., & Macher, G. (2020). Assessing Risk Estimations for Cyber-Security Using Expert Judgment. In M. Yilmaz, P. Clarke, J. Niemann, & R. Messnarz (Eds.), Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings (pp. 120-134). (Communications in Computer and Information Science; Vol. 1251 CCIS). Springer. https://doi.org/10.1007/978-3-030-56441-4_9

Assessing Risk Estimations for Cyber-Security Using Expert Judgment. / Krisper, Michael ; Dobaj, Jürgen ; Macher, Georg.

Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings. ed. / Murat Yilmaz; Paul Clarke; Jörg Niemann; Richard Messnarz. Springer, 2020. p. 120-134 (Communications in Computer and Information Science; Vol. 1251 CCIS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Krisper, M , Dobaj, J & Macher, G 2020, Assessing Risk Estimations for Cyber-Security Using Expert Judgment. in M Yilmaz, P Clarke, J Niemann & R Messnarz (eds), Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings. Communications in Computer and Information Science, vol. 1251 CCIS, Springer, pp. 120-134, 27th European Conference on Systems, Software and Services Process Improvement, Hybrider Event, Düsseldorf, Germany, 9/09/20. https://doi.org/10.1007/978-3-030-56441-4_9

Krisper M , Dobaj J , Macher G. Assessing Risk Estimations for Cyber-Security Using Expert Judgment. In Yilmaz M, Clarke P, Niemann J, Messnarz R, editors, Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings. Springer. 2020. p. 120-134. (Communications in Computer and Information Science). doi: 10.1007/978-3-030-56441-4_9

Krisper, Michael ; Dobaj, Jürgen ; Macher, Georg. / Assessing Risk Estimations for Cyber-Security Using Expert Judgment. Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings. editor / Murat Yilmaz ; Paul Clarke ; Jörg Niemann ; Richard Messnarz. Springer, 2020. pp. 120-134 (Communications in Computer and Information Science).

@inproceedings{10c24be0f20846e882ffac71bc8f10c1,

title = "Assessing Risk Estimations for Cyber-Security Using Expert Judgment",

abstract = "In this paper, we show a use-case of structured expert judgment to assess the risk of a cyber-security attack. We showcase the process of elicitating unknown and uncertain values using multiple experts and combining these judgments by weighing the experts based on their performance. The performance of an expert is assessed using the information and calibration score calculated from the judgments of calibration questions. The judgments are stated with three-points estimates of minimum, most likely, and maximum value, which serve as input for the PERT probability distribution. For the use-case, the input values frequency, vulnerability, and impact were asked. The combined results are propagated along an attack path to calculate the risk of a cyber-security attack. This was done using RISKEE, a tool for assessing risk in cyber-security and implementing the combination of expert judgments and propagation of the values in an attack-tree. It uses an attack graph to model the attack paths and applies probability distributions for the input values to consider the uncertainty of predictions and expert judgments. We also describe experiences and lessons-learned for conducting an expert elicitation to acquire input values for estimating risks in cyber-security.",

keywords = "Cyber-security, Expert elicitation, Expert judgment, Probabilistic methods, Risk assessment",

author = "Michael Krisper and J{\"u}rgen Dobaj and Georg Macher",

year = "2020",

month = aug,

day = "9",

doi = "10.1007/978-3-030-56441-4_9",

language = "English",

isbn = "9783030564407",

series = "Communications in Computer and Information Science",

publisher = "Springer",

pages = "120--134",

editor = "Murat Yilmaz and Paul Clarke and J{\"o}rg Niemann and Richard Messnarz",

booktitle = "Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings",

note = "27th European Conference on Systems, Software and Services Process Improvement : EuroSPI 2020, EuroSPI 2020 ; Conference date: 09-09-2020 Through 11-09-2020",

url = "https://2020.eurospi.net/",

}

TY - GEN

T1 - Assessing Risk Estimations for Cyber-Security Using Expert Judgment

AU - Krisper, Michael

AU - Dobaj, Jürgen

AU - Macher, Georg

PY - 2020/8/9

Y1 - 2020/8/9

N2 - In this paper, we show a use-case of structured expert judgment to assess the risk of a cyber-security attack. We showcase the process of elicitating unknown and uncertain values using multiple experts and combining these judgments by weighing the experts based on their performance. The performance of an expert is assessed using the information and calibration score calculated from the judgments of calibration questions. The judgments are stated with three-points estimates of minimum, most likely, and maximum value, which serve as input for the PERT probability distribution. For the use-case, the input values frequency, vulnerability, and impact were asked. The combined results are propagated along an attack path to calculate the risk of a cyber-security attack. This was done using RISKEE, a tool for assessing risk in cyber-security and implementing the combination of expert judgments and propagation of the values in an attack-tree. It uses an attack graph to model the attack paths and applies probability distributions for the input values to consider the uncertainty of predictions and expert judgments. We also describe experiences and lessons-learned for conducting an expert elicitation to acquire input values for estimating risks in cyber-security.

AB - In this paper, we show a use-case of structured expert judgment to assess the risk of a cyber-security attack. We showcase the process of elicitating unknown and uncertain values using multiple experts and combining these judgments by weighing the experts based on their performance. The performance of an expert is assessed using the information and calibration score calculated from the judgments of calibration questions. The judgments are stated with three-points estimates of minimum, most likely, and maximum value, which serve as input for the PERT probability distribution. For the use-case, the input values frequency, vulnerability, and impact were asked. The combined results are propagated along an attack path to calculate the risk of a cyber-security attack. This was done using RISKEE, a tool for assessing risk in cyber-security and implementing the combination of expert judgments and propagation of the values in an attack-tree. It uses an attack graph to model the attack paths and applies probability distributions for the input values to consider the uncertainty of predictions and expert judgments. We also describe experiences and lessons-learned for conducting an expert elicitation to acquire input values for estimating risks in cyber-security.

KW - Cyber-security

KW - Expert elicitation

KW - Expert judgment

KW - Probabilistic methods

KW - Risk assessment

UR - http://www.scopus.com/inward/record.url?scp=85089720217&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-56441-4_9

DO - 10.1007/978-3-030-56441-4_9

M3 - Conference paper

AN - SCOPUS:85089720217

SN - 9783030564407

T3 - Communications in Computer and Information Science

SP - 120

EP - 134

BT - Systems, Software and Services Process Improvement - 27th European Conference, EuroSPI 2020, Proceedings

A2 - Yilmaz, Murat

A2 - Clarke, Paul

A2 - Niemann, Jörg

A2 - Messnarz, Richard

PB - Springer

T2 - 27th European Conference on Systems, Software and Services Process Improvement

Y2 - 9 September 2020 through 11 September 2020

ER -

Assessing Risk Estimations for Cyber-Security Using Expert Judgment

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Fields of Expertise

Treatment code (Nähere Zuordnung)

Access to Document

Other files and links

Fingerprint

Industrial Informatics

AH-DHYAMONT - Control platform for hydro-electric power generation

27th European Conference on System, Software, and Service Process Improvements and Innovations