METHODOLOGY FOR ASSESSMENT AND MANAGEMENT OF DIGITAL RISKS
UDC 330.341
Keywords: risk assessment methodology, risk management, digitalization risks, cybercrime, OCTAVE, STRIDE, CIA.
For citation: Kryshtanosau V. B. Methodology for assessment and management of digital risks. Proceedings of BSTU, issue 5, Economics and Management, 2021, no. 2 (250), pp. 15–36 (In Russian). DOI: https://doi.org/10.52065/2520-6877-2021-250-2-15-36.
Abstract
The paper identifies the main approaches to assessing the risks that accompany the adoption of modern technologies, analyses approaches to risk management at both the enterprise and the state level, and characterises the specifics of qualitative and quantitative methods for assessing digital threats. It substantiates the need for international standards for digital risk management and describes three frameworks used in risk evaluation: OCTAVE, STRIDE and the CIA triad. The economic costs associated with cyber attacks are classified, and the factors that drive the emergence (or intensification) of new digital risks are highlighted. Current strategies for reducing risk and responding effectively to risk-related incidents are assessed, and the most common cyber threats are identified together with the dynamics of their spread.
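As an added illustration of how the qualitative and quantitative methods named above differ in practice (this is example code written for this page, not code from the paper; the STRIDE-to-security-property mapping is Microsoft's standard one, while the band thresholds and every asset name, value, exposure factor and occurrence rate are constructed assumptions), the following Python scores a small STRIDE-classified risk register both ways: an ordinal likelihood-by-impact score with a heat-map band, and an annualised loss expectancy (ALE = SLE x ARO). It then ranks the register under each method and evaluates a candidate control with a return-on-security-investment figure.

```python
"""Qualitative versus quantitative scoring of STRIDE-classified digital risks.

Added illustration; not code from the cited paper. Asset names, values,
exposure factors, rates and band thresholds are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Security property each STRIDE category violates (standard Microsoft mapping).
# Three of the six are the CIA triad; the other three extend it.
STRIDE_PROPERTY = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}
CIA_TRIAD = {"confidentiality", "integrity", "availability"}


@dataclass(frozen=True)
class Threat:
    asset: str
    stride: str             # one-letter STRIDE code
    likelihood: int         # qualitative inputs on a 1..5 ordinal scale
    impact: int
    asset_value: float      # quantitative inputs: value at risk (currency units)
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualised rate of occurrence, incidents per year

    def __post_init__(self):
        # Reject malformed register rows early rather than producing a silent score.
        if self.stride not in STRIDE_PROPERTY:
            raise ValueError(f"unknown STRIDE code {self.stride!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        if not (0.0 <= self.exposure_factor <= 1.0) or self.aro < 0:
            raise ValueError("exposure_factor must be in [0, 1] and aro >= 0")


def violated_property(t: Threat) -> tuple[str, bool]:
    """Property the threat violates and whether it is one of the CIA triad."""
    prop = STRIDE_PROPERTY[t.stride][1]
    return prop, prop in CIA_TRIAD


def qualitative_score(t: Threat) -> int:
    """Ordinal likelihood x impact, range 1..25."""
    return t.likelihood * t.impact


def qualitative_band(score: int) -> str:
    """Heat-map band for an ordinal score (thresholds are an assumption)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def single_loss_expectancy(t: Threat) -> float:
    """SLE: loss from one incident = asset value x exposure factor."""
    return t.asset_value * t.exposure_factor


def annualised_loss_expectancy(t: Threat) -> float:
    """ALE = SLE x ARO: expected loss per year in currency units."""
    return single_loss_expectancy(t) * t.aro


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment: (risk reduction - control cost) / control cost."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def rank_quantitative(threats: list[Threat]) -> list[Threat]:
    return sorted(threats, key=annualised_loss_expectancy, reverse=True)


def rank_qualitative(threats: list[Threat]) -> list[Threat]:
    # sorted() is stable, so ties keep register order and cannot be separated.
    return sorted(threats, key=qualitative_score, reverse=True)


# Constructed sample register (illustrative values, not data from the paper).
SAMPLE = [
    Threat("customer database", "I", 3, 5, 2_000_000, 0.25, 0.2),
    Threat("web storefront", "D", 5, 3, 400_000, 0.10, 4.0),
    Threat("admin portal", "E", 2, 5, 1_000_000, 0.50, 0.05),
]

if __name__ == "__main__":
    for t in rank_quantitative(SAMPLE):
        prop, core = violated_property(t)
        score = qualitative_score(t)
        print(f"{t.asset:18} {STRIDE_PROPERTY[t.stride][0]:22} {prop:16} "
              f"{'CIA' if core else '   '} qual={score:2} {qualitative_band(score):8} "
              f"ALE={annualised_loss_expectancy(t):>10,.0f}")
    # Assumed control: DDoS scrubbing cuts the storefront ARO from 4 to 0.5 for 30 000 a year.
    before = annualised_loss_expectancy(SAMPLE[1])
    after = before / 8
    print(f"ROSI for storefront control: {rosi(before, after, 30_000):.2f}")
```

The two rankings disagree on the constructed register: the ordinal method ties the information-disclosure and denial-of-service items at 15 and leaves them in register order, whereas ALE puts the frequent, lower-severity denial-of-service item first. Separating such ties, and feeding the result into a cost comparison like the ROSI figure, is exactly the distinction quantitative methods are adopted for.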