A system to calculate cyber-value-at-risk


Bibliographic Details
Main Authors: Erola, A, Agrafiotis, I, Nurse, JRC, Axon, L, Goldsmith, M, Creese, S
Format: Journal article
Language:English
Published: Elsevier 2021
Description: In the face of increasing numbers of cyber-attacks, it is critical for organisations to understand the risk they are exposed to even after deploying security controls. This residual risk forms part of the ongoing operational environment, and must be understood and planned for if resilience is to be achieved. However, there is a lack of rigorous frameworks to help organisations reason about how their use of risk controls can change the nature of the potential losses they face, given an often changing threat landscape. To address this gap, we present a system that calculates Cyber-Value-at-Risk (CVaR) of an organisation. CVaR is a probabilistic density function for losses from cyber-incidents, for any given threats of interest and risk control practice. It can take account of varying effectiveness of controls, the consequences for risk propagation through infrastructures, and the cyber-harms that result. We demonstrate the utility of the system in a real case study by calculating the CVaR of an organisation that experienced a significant cyber-incident. We show that the system is able to produce predictions representative of the actual financial loss. The presented system can be used by insurers offering cyber products to better inform the calculation of insurance premiums, and by organisations to reason about the effects of using particular risk control setups on reducing their exposure to cyber-risk.
Record ID: oxford-uuid:e22b206e-5c7b-4298-9519-dcd37fd21bce
Institution: University of Oxford