
MAGIC: A Method for Assessing Cyber Incidents Occurrence

The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on...

Bibliographic Details
Published in: IEEE access 2022, Vol.10, p.73458-73473
Main Authors: Battaglioni, Massimo; Rafaiani, Giulia; Chiaraluce, Franco; Baldi, Marco
Format: Article
Language: English
container_end_page 73473
container_issue
container_start_page 73458
container_title IEEE access
container_volume 10
creator Battaglioni, Massimo
Rafaiani, Giulia
Chiaraluce, Franco
Baldi, Marco
description The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on statistical approaches. Probabilistic cyber risk assessment methods, however, follow the general paradigm of probabilistic risk assessment, which requires the magnitude and the likelihood of incidents as inputs. Unfortunately, for cyber incidents, the likelihood of occurrence is hard to estimate based on historical and publicly available data; so, expert evaluations are commonly used, which however leave space to subjectivity. In this paper, we propose a novel probabilistic model, called MAGIC (Method for AssessinG cyber Incidents oCcurrence), to compute the likelihood of occurrence of a cyber incident, based on the evaluation of the cyber posture of the target organization. This allows deriving tailor-made inputs for probabilistic risk assessment methods, like HTMA (How To Measure Anything in cybersecurity risk), FAIR (Factor Analysis of Information Risk) and others, thus considerably reducing the margin of subjectivity in the assessment of cyber risk. We corroborate our approach through a qualitative and a quantitative comparison with several existing methods.
doi_str_mv 10.1109/ACCESS.2022.3189777
format article
identifier ISSN: 2169-3536
ispartof IEEE access, 2022, Vol.10, p.73458-73473
issn 2169-3536
2169-3536
language eng
recordid cdi_crossref_primary_10_1109_ACCESS_2022_3189777
source IEEE Xplore Open Access Journals
subjects Computer security
Cyber incident
cyber risk
Cybersecurity
Evaluation
Factor analysis
FAIR
HTMA
IEC Standards
ISO Standards
Organizations
Probabilistic logic
Probabilistic models
Probabilistic risk assessment
Risk analysis
Risk assessment
Risk management
Standards organizations
Statistical analysis
title MAGIC: A Method for Assessing Cyber Incidents Occurrence