MAGIC: A Method for Assessing Cyber Incidents Occurrence
The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on...
Published in: | IEEE access 2022, Vol.10, p.73458-73473 |
---|---|
Main Authors: | Battaglioni, Massimo; Rafaiani, Giulia; Chiaraluce, Franco; Baldi, Marco |
Format: | Article |
Language: | English |
cited_by | cdi_FETCH-LOGICAL-c408t-1397d9c658ee04f0dc12ba97a31a0b5f1b5ddf14d0223ad12423919c712b09e13 |
---|---|
cites | cdi_FETCH-LOGICAL-c408t-1397d9c658ee04f0dc12ba97a31a0b5f1b5ddf14d0223ad12423919c712b09e13 |
container_end_page | 73473 |
container_issue | |
container_start_page | 73458 |
container_title | IEEE access |
container_volume | 10 |
creator | Battaglioni, Massimo; Rafaiani, Giulia; Chiaraluce, Franco; Baldi, Marco |
description | The assessment of cyber risk plays a crucial role for cybersecurity management, and has become a compulsory task for certain types of companies and organizations. This makes the demand for reliable cyber risk assessment tools continuously increasing, especially concerning quantitative tools based on statistical approaches. Probabilistic cyber risk assessment methods, however, follow the general paradigm of probabilistic risk assessment, which requires the magnitude and the likelihood of incidents as inputs. Unfortunately, for cyber incidents, the likelihood of occurrence is hard to estimate based on historical and publicly available data; so, expert evaluations are commonly used, which however leave space to subjectivity. In this paper, we propose a novel probabilistic model, called MAGIC (Method for AssessinG cyber Incidents oCcurrence), to compute the likelihood of occurrence of a cyber incident, based on the evaluation of the cyber posture of the target organization. This allows deriving tailor-made inputs for probabilistic risk assessment methods, like HTMA (How To Measure Anything in cybersecurity risk), FAIR (Factor Analysis of Information Risk) and others, thus considerably reducing the margin of subjectivity in the assessment of cyber risk. We corroborate our approach through a qualitative and a quantitative comparison with several existing methods. |
doi_str_mv | 10.1109/ACCESS.2022.3189777 |
format | article |
fulltext | fulltext |
identifier | ISSN: 2169-3536 |
ispartof | IEEE access, 2022, Vol.10, p.73458-73473 |
issn | 2169-3536 2169-3536 |
language | eng |
recordid | cdi_crossref_primary_10_1109_ACCESS_2022_3189777 |
source | IEEE Xplore Open Access Journals |
subjects | Computer security; Cyber incident; cyber risk; Cybersecurity; Evaluation; Factor analysis; FAIR; HTMA; IEC Standards; ISO Standards; Organizations; Probabilistic logic; Probabilistic models; Probabilistic risk assessment; Risk analysis; Risk assessment; Risk management; Standards organizations; Statistical analysis |
title | MAGIC: A Method for Assessing Cyber Incidents Occurrence |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-25T12%3A11%3A13IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=MAGIC:%20A%20Method%20for%20Assessing%20Cyber%20Incidents%20Occurrence&rft.jtitle=IEEE%20access&rft.au=Battaglioni,%20Massimo&rft.date=2022&rft.volume=10&rft.spage=73458&rft.epage=73473&rft.pages=73458-73473&rft.issn=2169-3536&rft.eissn=2169-3536&rft.coden=IAECCG&rft_id=info:doi/10.1109/ACCESS.2022.3189777&rft_dat=%3Cproquest_cross%3E2691875255%3C/proquest_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c408t-1397d9c658ee04f0dc12ba97a31a0b5f1b5ddf14d0223ad12423919c712b09e13%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2691875255&rft_id=info:pmid/&rft_ieee_id=9825650&rfr_iscdi=true |