Abstract
Multiple cybersecurity risk assessment and root cause analysis methods propose incident data as a source of information. However, applying incident data in risk assessments is not straightforward. The paper trail of incident data is often incomplete, ambiguous, and dependent on the incident handlers' routines for keeping records. Current incident classification approaches classify each incident as one specific type, for example, "Data spillage," "Compromised information," or "Hacking." Through incident analysis, we found that the current classification schemes are ambiguous and that most incidents consist of additional components. This paper builds on previous work on incident classifications and proposes a method for quantifying and risk-analyzing incident data to improve decision-making. The approach uses a set of incident data to derive the causes, outcomes, and frequencies of risk events. The data in this paper was gathered from a year of incident handling at a Scandinavian university's security operations center (SOC) and consists of 550 handled incidents from November 2016 to October 2017. By applying the proposed method, this paper offers empirical insight into the risk frequencies of the University during the period. We demonstrate the utility of the approach by deducing the properties of the most frequent risks and creating graphical representations of risks using a bow-tie diagram. The primary contribution of this paper is the highlighting of the ambiguity of existing incident classification methods and how to address it in risk quantification. Additionally, we apply the data in risk analysis to provide insight into common cyber risks faced by the University during the period. A fundamental limitation is that this study only defines adverse outcomes and does not include consequence estimates.
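To make the decomposition described in the abstract concrete, the following is an added example; it is not the paper's method or code, and it does not use the NTNU SOC data. Each incident record carries the single type a one-label scheme would assign alongside its separate components (contributing causes, the risk event, and one or more adverse outcomes); the script counts how often each risk event occurred, annualizes the count over the observation window, and assembles the left (causes) and right (outcomes) sides of a bow-tie for the most frequent event. The eight incidents, their labels, and the field names are constructed for illustration.

```python
"""Quantify incident data by decomposing each record into causes, a risk event,
and outcomes, then build the cause/outcome sides of a bow-tie for the most
frequent risk event. Added illustration with constructed data; not the paper's
code or data set."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    ticket: str            # constructed ticket id
    single_type: str       # label a one-type-per-incident scheme would record
    causes: tuple          # contributing causes (left side of the bow-tie)
    event: str             # the risk event (knot of the bow-tie)
    outcomes: tuple        # adverse outcomes observed (right side of the bow-tie)


# Constructed sample incidents (hypothetical; labels are assumptions, not a
# taxonomy from the paper). Note that a single label hides components:
# T2 is "Compromised information" but also involved a phishing email,
# a missing MFA control, and spam sent from the account.
INCIDENTS = [
    Incident("T1", "Phishing", ("phishing email",), "compromised account", ("spam sent",)),
    Incident("T2", "Compromised information", ("phishing email", "missing MFA"),
             "compromised account", ("data spillage", "spam sent")),
    Incident("T3", "Hacking", ("weak password",), "compromised account", ("unauthorized access",)),
    Incident("T4", "Malware", ("malicious attachment",), "malware infection", ("host reimaged",)),
    Incident("T5", "Data spillage", ("misaddressed email",), "data spillage", ("data spillage",)),
    Incident("T6", "Phishing", ("phishing email",), "compromised account", ("data spillage",)),
    Incident("T7", "Malware", ("drive-by download",), "malware infection",
             ("host reimaged", "credential theft")),
    Incident("T8", "Hacking", ("unpatched service",), "server compromise",
             ("unauthorized access", "host reimaged")),
]


def single_type_counts(incidents):
    """Frequencies as a one-label classification scheme would report them."""
    return Counter(i.single_type for i in incidents)


def outcome_counts(incidents):
    """Frequencies of adverse outcomes, counting every outcome of every incident."""
    c = Counter()
    for i in incidents:
        c.update(i.outcomes)
    return c


def event_frequencies(incidents):
    """Number of incidents per risk event."""
    return Counter(i.event for i in incidents)


def most_frequent_event(incidents):
    return event_frequencies(incidents).most_common(1)[0][0]


def frequency_per_year(count, window_days):
    """Annualize an observed count over the observation window (days)."""
    return count * 365.0 / window_days


def bow_tie(incidents, event):
    """Collect cause and outcome frequencies for one risk event."""
    causes, outcomes, n = Counter(), Counter(), 0
    for i in incidents:
        if i.event != event:
            continue
        n += 1
        causes.update(i.causes)
        outcomes.update(i.outcomes)
    return {"event": event, "n": n, "causes": dict(causes), "outcomes": dict(outcomes)}


def render_bow_tie(bt):
    """Plain-text rendering of the bow-tie: causes -> event -> outcomes."""
    lines = [f"[{bt['event']}] n={bt['n']}"]
    for cause, k in sorted(bt["causes"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  cause   {cause:<22} {k:>2}  -->")
    for out, k in sorted(bt["outcomes"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  outcome {out:<22} {k:>2}  <--")
    return "\n".join(lines)


if __name__ == "__main__":
    window_days = 365  # constructed one-year observation window
    print("one-label view :", dict(single_type_counts(INCIDENTS)))
    print("outcome view   :", dict(outcome_counts(INCIDENTS)))
    top = most_frequent_event(INCIDENTS)
    bt = bow_tie(INCIDENTS, top)
    print(f"{top}: {frequency_per_year(bt['n'], window_days):.1f} per year")
    print(render_bow_tie(bt))
```

The two views disagree on purpose: the one-label scheme records "Data spillage" once, while decomposing the records shows spillage as an outcome of three incidents, two of them filed under other types. That gap is the ambiguity the abstract refers to, and counting components rather than labels is what makes the frequencies usable on the bow-tie.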
Notes
1. Forum of Incident Response and Security Teams, https://www.first.org/resources/guides/csirt_case_classification.html (visited May 2019).
2. Federal Incident Reporting Guidelines, https://www.us-cert.gov/government-users/reporting-requirements (visited May 2019).
3. Lockheed Martin, Cyber Kill Chain, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html (visited May 2019).
References
Common taxonomy for law enforcement and the national network of CSIRTs, version 1.3. Technical report, ENISA and Europol EC3 (2017). https://www.europol.europa.eu/publications-documents/common-taxonomy-for-law-enforcement-and-csirts
ISO/IEC 27005:2011: Information technology, security techniques, information security risk management (2011)
Reference incident classification taxonomy: Task force status and way forward. Technical report, ENISA, January 2018
Bernsmed, K., Frøystad, C., Meland, P.H., Nesheim, D.A., Rødseth, Ø.J.: Visualizing cyber security risks with bow-tie diagrams. In: Liu, P., Mauw, S., Stølen, K. (eds.) GraMSec 2017. LNCS, vol. 10744, pp. 38–56. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-74860-3_3
Chapman, J.: How safe is your data? Cyber-security in higher education. HEPI Policy Note, 12 April 2019
Edwards, B., Hofmeyr, S., Forrest, S.: Hype and heavy tails: a closer look at data breaches. J. Cybersecur. 2(1), 3–14 (2016)
Florêncio, D., Herley, C.: Sex, lies and cyber-crime surveys. In: Schneier, B. (ed.) Economics of Information Security and Privacy III, pp. 35–53. Springer, New York (2013). https://doi.org/10.1007/978-1-4614-1981-5_3
Hansman, S., Hunt, R.: A taxonomy of network and computer attacks. Comput. Secur. 24(1), 31–43 (2005)
Hellesen, N., Torres, H., Wangen, G.: Empirical case studies of the root-cause analysis method in information security. Int. J. Adv. Secur. 11(1&2), 60–79 (2018)
Hubbard, D.W., Seiersen, R.: How to Measure Anything In Cybersecurity Risk. Wiley, Hoboken (2016)
Kjaerland, M.: A taxonomy and comparison of computer security incidents from the commercial and government sectors. Comput. Secur. 25(7), 522–538 (2006)
Kuypers, M.A., Maillart, T., Paté-Cornell, E.: An empirical analysis of cyber security incidents at a large organization. Department of Management Science and Engineering, Stanford University, and School of Information, UC Berkeley (2016)
Potter, B.: Practical threat modeling. Login 41(3) (2016). https://www.usenix.org/publications/login/fall2016/potter
Romanosky, S.: Examining the costs and causes of cyber incidents. J. Cybersecur. 2(2), 121–135 (2016)
Wangen, G.: The role of malware in reported cyber espionage: a review of the impact and mechanism. Information 6(2), 183–211 (2015)
Wangen, G., Brodin, E.Ø., Skari, B.H., Berglind, C.: Unrecorded security incidents at NTNU 2018 (Mørketallsundersøkelsen ved NTNU 2018). NTNU Open Gjøvik (2019)
Wangen, G., Hallstensen, C., Snekkenes, E.: A framework for estimating information security risk assessment method completeness. Int. J. Inf. Secur. 17, 1–19 (2017)
Wangen, G., Shalaginov, A., Hallstensen, C.: Cyber security risk assessment of a DDoS attack. In: Bishop, M., Nascimento, A.C.A. (eds.) ISC 2016. LNCS, vol. 9866, pp. 183–202. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45871-7_12
Acknowledgements
The NTNU digital security section and SOC consisting of Christoffer Vargtass Hallstensen, Frank Wikstrøm, Harald Hauknes, Hans Åge Marthinsen, Vebjørn Slyngstadli, Gunnar Dørum, Lars Einarsen, and Stian Husemoen. Vivek Agrawal and the anonymous reviewers for help with quality assurance.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Wangen, G. (2019). Quantifying and Analyzing Information Security Risk from Incident Data. In: Albanese, M., Horne, R., Probst, C. (eds) Graphical Models for Security. GraMSec 2019. Lecture Notes in Computer Science, vol 11720. Springer, Cham. https://doi.org/10.1007/978-3-030-36537-0_7
DOI: https://doi.org/10.1007/978-3-030-36537-0_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-36536-3
Online ISBN: 978-3-030-36537-0