Quantifying and Analyzing Information Security Risk from Incident Data

Conference paper
Graphical Models for Security (GraMSec 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11720)

Abstract

Multiple cybersecurity risk assessment and root cause analysis methods propose incident data as a source of information. However, it is not a straightforward matter to apply incident data in risk assessments. The paper trail of incident data is often incomplete, ambiguous, and dependent on the incident handlers' routines for keeping records. Current incident classification approaches classify incidents as one specific type, for example, “Data spillage,” “Compromised information,” or “Hacking.” Through incident analysis, we found that the current classification schemes are ambiguous and that most incidents consist of additional components. This paper builds on previous work on incident classifications and proposes a method for quantifying and risk-analyzing incident data to improve decision-making. The applied approach uses a set of incident data to derive the causes, outcomes, and frequencies of risk events. The data in this paper was gathered from a year of incident handling at a Scandinavian university’s security operations center (SOC), and consists of 550 handled incidents from November 2016 to October 2017. By applying the proposed method, this paper offers empirical insight into the risk frequencies of the University during the period. We demonstrate the utility of the approach by deducing the properties of the most frequent risks and creating graphical representations of risks using a bow-tie diagram. The primary contribution of this paper is the highlighting of the ambiguity of existing incident classification methods and how to address it in risk quantification. Additionally, we apply the data in risk analysis to provide insight into common cyber risks faced by the University during the period. A fundamental limitation is that this study only defines adverse outcomes and does not include consequence estimates.
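The decomposition the abstract describes, as an added illustration that is not the paper's code or data: each incident record is split into its components (one or more causes, a risk event, one or more adverse outcomes) instead of a single type label, then aggregated into risk-event frequencies and the two sides of a bow-tie for the most frequent event. All incident records, category names and the 12-month observation window below are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed incident records (not the paper's SOC data). A single-type
# scheme would have to pick e.g. "Compromised information" OR "Data spillage"
# for INC-0004; the component view keeps cause, event and every outcome.
@dataclass(frozen=True)
class Incident:
    ident: str
    causes: tuple      # what let the event happen (left side of the bow-tie)
    event: str         # the risk event itself (knot of the bow-tie)
    outcomes: tuple    # adverse outcomes observed (right side of the bow-tie)

INCIDENTS = [
    Incident("INC-0001", ("phishing email",), "credential compromise", ("account misuse", "spam sent")),
    Incident("INC-0002", ("phishing email", "weak password"), "credential compromise", ("account misuse",)),
    Incident("INC-0003", ("unpatched host",), "malware infection", ("host reimaged",)),
    Incident("INC-0004", ("phishing email",), "credential compromise", ("data exposure", "account misuse")),
    Incident("INC-0005", ("lost device",), "data spillage", ("data exposure",)),
    Incident("INC-0006", ("unpatched host", "exposed service"), "malware infection", ("host reimaged", "lateral movement")),
]

def event_frequencies(incidents):
    """Count how often each risk event occurred in the observed period."""
    return Counter(i.event for i in incidents)

def bow_tie(incidents, event):
    """Causes and outcomes for one risk event, each counted once per incident it appears in."""
    subset = [i for i in incidents if i.event == event]
    causes = Counter(c for i in subset for c in set(i.causes))
    outcomes = Counter(o for i in subset for o in set(i.outcomes))
    return {"event": event, "n": len(subset), "causes": dict(causes), "outcomes": dict(outcomes)}

def most_frequent_bow_tie(incidents):
    """Bow-tie for the risk event with the highest frequency in the data set."""
    event, _ = event_frequencies(incidents).most_common(1)[0]
    return bow_tie(incidents, event)

def annualized_rate(incidents, event, months_observed):
    """Per-year frequency estimate of a risk event from a window of months_observed months."""
    return event_frequencies(incidents)[event] * 12 / months_observed

if __name__ == "__main__":
    bt = most_frequent_bow_tie(INCIDENTS)
    print(f"{bt['event']}: {bt['n']} incidents, {annualized_rate(INCIDENTS, bt['event'], 12):.1f}/year")
    print("causes:  ", bt["causes"])
    print("outcomes:", bt["outcomes"])
```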



Acknowledgements

The NTNU digital security section and SOC consisting of Christoffer Vargtass Hallstensen, Frank Wikstrøm, Harald Hauknes, Hans Åge Marthinsen, Vebjørn Slyngstadli, Gunnar Dørum, Lars Einarsen, and Stian Husemoen. Vivek Agrawal and the anonymous reviewers for help with quality assurance.


Correspondence to Gaute Wangen.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Wangen, G. (2019). Quantifying and Analyzing Information Security Risk from Incident Data. In: Albanese, M., Horne, R., Probst, C. (eds) Graphical Models for Security. GraMSec 2019. Lecture Notes in Computer Science, vol 11720. Springer, Cham. https://doi.org/10.1007/978-3-030-36537-0_7

  • DOI: https://doi.org/10.1007/978-3-030-36537-0_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-36536-3

  • Online ISBN: 978-3-030-36537-0
