Towards an Automated and Dynamic Risk Management Response System

  • Gustavo Gonzalez-GranadilloEmail author
  • Ender Alvarez
  • Alexander Motzek
  • Matteo Merialdo
  • Joaquin Garcia-Alfaro
  • Hervé Debar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10014)


Achieving a fully automated and dynamic system in critical infrastructure scenarios is an open issue in ongoing research. Generally, decisions in SCADA systems require a manual intervention, that in most of the cases is performed by highly experienced operators. In this paper we propose a framework consisting of a proactive management software that aims at anticipating the occurrence of potential attacks. It conducts an initial evaluation of reported proactive evidences based on a quantitative metric of monetary return on response investment. The framework evaluates and selects mitigation actions from a pool of candidates, by ranking them in terms of financial and operational impacts. The purpose of this process is to select an optimal set of mitigation actions from financial and operational perspectives and propose them to reduce the risk of threats against the monitored system, without sacrificing an organization’s missions in favor of security. A real world case study of a SCADA environment shows the applicability of the model, from the analysis of the input data to the selection of the response plan.


Dynamic response system RORI Operational impact Automatic response Critical infrastructures 



This work received funding from the Panoptesec project, as part of the 7th Framework Programme (FP7) of the European Commission (GA 610416).


  1. 1.
    Filiol, E., Gallais, C.: Critical infrastructure: where we stand today? In: 9th International Conference on Cyber Warefare and Security (2014)Google Scholar
  2. 2.
    Gordon, K., Dion, M.: Protection of Critical Infrastructure and the role of investment policies relating to National Security. OECD, Whitepaper (2008)Google Scholar
  3. 3.
    Ben Mustapha, Y., Debar, H., Blanc, G.: Policy enforcement point model. In: Conference on Security and Privacy in Communication Networks, pp. 278–286 (2014)Google Scholar
  4. 4.
    Gonzalez-Granadillo, G., Belhaouane, M., Debar, H., Jacob, G.: RORI-based countermeasure selection using the OrBAC formalism. Int. J. Inf. Secur. 13(1), 63–79 (2014)CrossRefGoogle Scholar
  5. 5.
    Schmidt, M. Return on Investment (ROI): Meaning and Use, Encyclopedia of Business Terms and Methods (2011)Google Scholar
  6. 6.
    Sonnenreich, W., Albanese, J., Stout, B.: Return on security investment (ROSI) a practical quantitative model. J. Res. Pract. Inf. Technol. 38(1), 45–56 (2006)Google Scholar
  7. 7.
    Mizzi, A.: Return on information security investment: the viability of an anti-spam solution in a wireless environment. Int. J. Netw. Secur. 10(1), 18–24 (2010)Google Scholar
  8. 8.
    Gonzalez-Granadillo, G., Garcia-Alfaro, J., Debar, H.: A polytope-based approach to measure the impact of events against critical infrastructures. J. Comput. Syst. Sci. 1–19 (2016).
  9. 9.
    Gonzalez-Granadillo, G., Motzek, A., Garcia-Alfaro, J., Debar, H.: Selection of mitigation actions based on financial and operational impact assessments. In: International Conference on Availability, Reliability and Security (2016)Google Scholar
  10. 10.
    Lockstep Consulting: A guide for government agencies calculating return on security investment (2004).
  11. 11.
    Motzek, A., Moller, R., Lange, M., Dubus, S.: Probabilistic mission impact assessment based on widespread local events. NATO IST-128 Workshop on Cyber Attack Detection, Forensics and Attribution for Assessment of Mission Impact (2015)Google Scholar
  12. 12.
    Kotenko, I., Chechulin, A.: A cyber attack modeling and impact assessment framework. In: 5th International Conference on Cyber Conflict (2013)Google Scholar
  13. 13.
    Kotenko, I., Doynikova, E.: Dynamical calculation of security metrics for countermeasure selection in computer networks. In: 24th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (2016)Google Scholar
  14. 14.
    Agosta, G., Barenghi, A., Pelosi, G.: A code morphing methodology to automate power analysis countermeasures. In: 49th Annual Design Automation Conference, pp. 77–82 (2012)Google Scholar
  15. 15.
    Ossenbuhl, S., Steinberger, J., Baier, H.: Towards automated incident handling: how to select an appropriate response against a network-based attack? In: Conference on IT Security Incident Management & IT Forensics (2015)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Gustavo Gonzalez-Granadillo
    • 1
    Email author
  • Ender Alvarez
    • 1
  • Alexander Motzek
    • 2
  • Matteo Merialdo
    • 3
  • Joaquin Garcia-Alfaro
    • 1
  • Hervé Debar
    • 1
  1. 1.Institut Mines-Télécom, Télécom SudParis, CNRS UMR 5157 SAMOVAREvryFrance
  2. 2.Institute of Information SystemsUniversität zu LübeckLübeckGermany
  3. 3.RHEA GroupWavreBelgium

Personalised recommendations