METHODOLOGY FOR ASSESSING AND MANAGING DIGITAL RISKS
UDC 330.341
Keywords: risk assessment methodology, risk management, digitalisation risks, cybercrime, OCTAVE, STRIDE and CIA.
For citation: Криштаносов В. Б. Methodology for assessing and managing digital risks // Труды БГТУ. Ser. 5, Economics and Management. 2021. No. 2 (250). P. 15–36. DOI: https://doi.org/10.52065/2520-6877-2021-250-2-15-36.
Abstract
The main approaches to assessing the risks associated with the adoption of modern technologies are identified; approaches to risk management are analysed both at the level of the individual enterprise and at the level of the state as a whole; the characteristics and specific features of qualitative and quantitative methods for assessing digital threats are described. The need to develop international standards for digital risk management is substantiated. The OCTAVE, STRIDE and CIA assessment methods are presented. A classification of the economic costs associated with cyberattacks is proposed, and the factors contributing to the emergence (or intensification) of new digital risks are identified. Current strategies developed to reduce risks and to respond effectively to risk-related incidents are evaluated. The most widespread cyberthreats are identified together with the dynamics of their spread.