SpringerBriefs in Computer Science

Transcription

1 SpringerBriefs in Computer Science

2 More information about this series at

3 Atle Refsdal Bjørnar Solhaug Ketil Stølen Cyber-Risk Management 123

4 Atle Refsdal SINTEF ICT Oslo Norway Ketil Stølen SINTEF ICT Oslo Norway Bjørnar Solhaug SINTEF ICT Oslo Norway ISSN ISSN (electronic) SpringerBriefs in Computer Science ISBN ISBN (ebook) DOI / Library of Congress Control Number: Springer Cham Heidelberg New York Dordrecht London The Author(s) 2015 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. Printed on acid-free paper Springer International Publishing AG Switzerland is part of Springer Science+Business Media (

5 Preface Information and communication technologies (ICT) have over several decades brought significant benefits to enterprises, individuals, and society as a whole. This is clearly evident when considering the wide and profound impact of the Internet in a great many parts of our daily lives. The Internet, and more broadly cyberspace, has become a cornerstone for a broad range of services and activities that today we take for granted. Due to cyberspace and its underlying infrastructure, people and organizations have access to more and better services than ever before. This is the case within several domains of society, including banking and finance, communication, entertainment, health, power supply, social interactions, transportation, trade, and social participation. As a result, our daily lives, fundamental rights, economies, and social security depend on ICT working seamlessly. At the same time, cyberspace has introduced, and continues to introduce, numerous new threats and vulnerabilities. Stakeholders are exposed to cybersecurity incidents of many different kinds and degrees of severity. These include information theft, disruption of services, privacy and identity abuse, fraud, espionage, and sabotage. At a larger scale, societies are threatened by possible attacks on critical infrastructures via cyberspace, as well as the potential for cyber-terrorism and even cyber-warfare. In addition to the many possibilities for cyber-crime and malicious attacks come all the accidental and other non-malicious threats that may lead to cybersecurity incidents. In fact, the ubiquity of cyberspace has brought societies to a point where a very large number of the risks that we traditionally have been exposed to in the physical world today arise in cyberspace and have become cyber-risks. In order to ensure a satisfactory level of cybersecurity, stakeholders need to understand the nature of cyber-risk and what distinguishes cyber-risk from other kinds of risk, and they need adequate methods and techniques for cyber-risk management. Our main objective with this book is to give a short introduction to risk management, focusing on cybersecurity and cyber-risk assessment. We introduce the reader to the underlying terminology, we present and explain the processes of cyber-risk management, and we provide guidance and hands-on examples on how to conduct cyber-risk assessment in practice. We moreover address many of the typical challenges that risk assessors face, and we give advice on how to tackle them. v

6 vi Preface There are many different techniques, tools, modeling languages, and documentation formats that are available to support cyber-risk assessment. This book is oblivious to any such specific approach; while we have based the contents on established standards and industry best practices, we present the risk assessment process and the examples in a format that can be instantiated by any specific approach that complies with the ISO risk management standard. The intended target audience is practitioners, as well as graduate and undergraduate students, in particular within the ICT domain. We also aim to provide lecturers with teaching material on the fundamentals of cyber-risk management and the basic principles and techniques of cyber-risk assessment. We moreover believe that the book illuminates and clarifies many aspects and underlying concepts of the domain of cybersecurity. The book can therefore be useful also for researchers and standardization bodies that have activities related to cybersecurity. Our own knowledge about and experience of cybersecurity and cyber-risk management, and therefore also the contents of this book, largely stem from academic research and empirical studies that we have conducted jointly with colleagues and with collaborators from industry. We express our acknowledgments to all of those who in different ways have helped out in the work on this book. We owe many thanks to our close colleagues Gencer Erdogan, Yan Li, Aida Omerovic, and Fredrik Seehusen for their many and valuable comments and suggestions on several parts of this book. We are very grateful to Kristian Beckers, Karin Bernsmed, Aslak Wegner Eide, Marika Lüders, and Ragnhild Kobro Runde for reviewing the manuscript and providing good and helpful feedback. Prior to and during the work on this book we have benefited greatly from collaboration with people from academia and industry on several research projects. These include Jürgen Großmann, Maritta Heisel, Fabio Martinelli, Wolter Pieters, Alexander Pretschner, Christian W. Probst, and Aristotelis Tzafalias. Some of the research activities that the work on this book has benefited from have partly been funded by the Research Council of Norway, in particular through the projects Diamonds and AGRA. Relevant research activities have also been funded by the European Commission, in particular through the projects RASEN and NES- SOS, but also through CONCERTO. Oslo, Norway July 2015 Atle Refsdal Bjørnar Solhaug Ketil Stølen

7 Contents 1 Introduction Aim and Emphasis Policy of Writing and Presentation Structure and Organization Part I: Conceptual Introduction Part II: Cyber-risk Assessment Exemplified Part III: Known Challenges Intended Readers and Ways to Read Relevant Standards Part I Conceptual Introduction 2 Risk Management What is Risk? What is Risk Management? Communication and Consultation Establish a Consultative Team Define a Plan for Communication and Consultation Ensure Endorsement of the Risk Management Process Communicate Risk Assessment Results Risk Assessment Context Establishment Risk Identification Risk Analysis Risk Evaluation Risk Treatment Monitoring and Review Monitoring and Review of Risks Monitoring and Review of Risk Management Further Reading vii

8 viii Contents 3 Cyber-systems What is a Cyberspace? What is a Cyber-system? Further Reading Cybersecurity What is Cybersecurity? How Does Cybersecurity Relate to Information Security? How Does Cybersecurity Relate to Critical Infrastructure Protection? How Does Cybersecurity Relate to Safety? Further Reading Cyber-risk Management What is Cyber-risk? Communication and Consultation of Cyber-risk Cyber-risk Assessment Context Establishment for Cyber-risk Identification of Malicious Cyber-risk Identification of Non-malicious Cyber-risk Analysis of Cyber-risk Evaluation of Cyber-risk Treatment of Cyber-risk Monitoring and Review of Cyber-risk Monitoring and Review of Cyber-risk Monitoring and Review of Cyber-risk Management Further Reading Part II Cyber-risk Assessment Exemplified 6 Context Establishment Context, Goals, and Objectives External Context Internal Context Goals and Objectives Target of Assessment Electricity Customer Distribution System Operator Communication Channels Between Components Interface to Cyberspace and Attack Surface Scope, Focus, and Assumptions Scope Focus Assumptions Assets, Scales, and Risk Evaluation Criteria Assets Likelihood Scale... 58

9 Contents ix Consequence Scales Risk Evaluation Criteria Further Reading Risk Identification Risk Identification Techniques Malicious Risks Threat Source Identification Threat Identification Vulnerability Identification Incident Identification Non-malicious Risks Incident Identification Vulnerability Identification Threat Identification Threat Source Identification Further Reading Risk Analysis Threat Analysis Malicious Threats Non-malicious Threats Vulnerability Analysis Malicious Threat Vulnerabilities Non-malicious Threat Vulnerabilities Likelihood of Incidents Consequence of Incidents Further Reading Risk Evaluation Consolidation of Risk Analysis Results Evaluation of Risk Level Risk Aggregation Risk Grouping Further Reading Risk Treatment Risk Treatment Identification Malicious Risks Non-malicious Risks Risk Acceptance Further Reading...103

10 x Contents Part III Known Challenges and How to Address Them in Practice 11 Which Measure of Risk Level to Use? Two-factor Measure Three-factor Measure Many-factor Measure Which Measure to Use for Cyber-risk? Further Reading What Scales Are Best Suited Under What Conditions? Classification of Scales Qualitative Versus Quantitative Risk Assessment Scales for Likelihood Scales for Consequence What Scales to Use for Cyber-risk? Further Reading How to Deal with Uncertainty? Conceptual Clarification Kinds of Uncertainty Representing Uncertainty Reducing Uncertainty How to Handle Uncertainty for Cyber-risk? Further Reading High-consequence Risk with Low Likelihood Dealing with Black Swans Identifying Gray Swans Communicating Gray Swans Dealing with Gray Swans Recognizing Gray Swans in Cyberspace Further Reading Conclusion What We Have Put Forward in General What We Have Put Forward in Particular What We Have not Covered Glossary References Index...141

11 Acronyms AMI ARPANET CAPEC CIIP CIP CNSS COBIT CWE DDoS DoS ENISA EU EUROPOL GAO GPRS ICT IEC ISACA ISO IT ITU LAN NIACAP NIST NSFNET OWASP SLA UML WAN Advanced metering infrastructure Advanced Research Projects Agency Network Common Attack Pattern Enumeration and Classification Critical information infrastructure protection Critical infrastructure protection Committee on National Security Systems Control Objectives for Information and Related Technology Common Weakness Enumeration Distributed denial of service Denial of service European Union Agency for Network and Information Security European Union European Police Office US Government Accountability Office General packet radio service Information and communication technology International Electrotechnical Commission Information Systems Audit and Control Association International Organization for Standardization Information technology International Telecommunication Union Local area network National Information Assurance Certification and Accreditation Process National Institute of Standards and Technology National Science Foundation Network Open Web Application Security Project Service level agreement Unified Modeling Language Wide area network xi