CR, Mar 18, 2019

An Adversarial Risk Analysis Framework for Cybersecurity

arXiv:1903.07727v1, 60 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses cybersecurity risk analysis for organizations, but it appears incremental, as it builds on existing methods.

The authors tackled the problem of suboptimal resource allocation in cybersecurity risk analysis by proposing a comprehensive framework that covers adversarial and non-intentional threats, including insurance, and demonstrated it with a case study.

Cyber threats affect all kinds of organisations. Risk analysis is an essential methodology for cybersecurity as it allows organisations to deal with the cyber threats potentially affecting them, prioritise the defence of their assets and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both adversarial and non-intentional threats and the use of insurance as part of the security portfolio. A case study illustrating the proposed framework is presented, serving as a template for more complex cases.
