A Web Platform for Integrated Vulnerability Assessment and Cyber Risk Management

Pietro Russo; Alberto Caponi; Marco Leuti; Giuseppe Bianchi

doi:10.3390/info10070242

A Web Platform for Integrated Vulnerability Assessment and Cyber Risk Management

Information ◽

10.3390/info10070242 ◽

2019 ◽

Vol 10 (7) ◽

pp. 242

Author(s):

Pietro Russo ◽

Alberto Caponi ◽

Marco Leuti ◽

Giuseppe Bianchi

Keyword(s):

Risk Management ◽

Risk Analysis ◽

Vulnerability Assessment ◽

Cyber Security ◽

Assessment Tool ◽

Security Assessment ◽

Software Platform ◽

Web Based ◽

Custom Made ◽

Cyber Risk

Cyber risk management is a very important problem for every company connected to the internet. Usually, risk management is done considering only Risk Analysis without connecting it with Vulnerability Assessment, using external and expensive tools. In this paper we present CYber Risk Vulnerability Management (CYRVM)—a custom-made software platform devised to simplify and improve automation and continuity in cyber security assessment. CYRVM’s main novelties are the combination, in a single and easy-to-use Web-based software platform, of an online Vulnerability Assessment tool within a Risk Analysis framework following the NIST 800-30 Risk Management guidelines and the integration of predictive solutions able to suggest to the user the risk rating and classification.

Download Full-text

Maritime Cyber Risk Management: An Experimental Ship Assessment

Journal of Navigation ◽

10.1017/s0373463318001157 ◽

2019 ◽

Vol 72 (5) ◽

pp. 1108-1120 ◽

Cited By ~ 3

Author(s):

Boris Svilicic ◽

Junzo Kamahara ◽

Matthew Rooks ◽

Yoshiji Yano

Keyword(s):

Risk Management ◽

Cyber Security ◽

Software Tool ◽

Assessment Process ◽

Security Level ◽

Security Assessment ◽

Critical Systems ◽

Electronic Chart ◽

Experimental Process ◽

Cyber Risk

The maritime transport industry is increasingly reliant on computing and communication technologies, and the need for cyber risk management of critical systems and assets on vessels is becoming critically important. In this paper, a comprehensive cyber risk assessment of a ship is presented. An experimental process consisting of assessment preparation activities, assessment conduct and results communication has been developed. The assessment conduct relies on a survey developed and performed by interviewing a ship's crew. Computational vulnerability scanning of the ship's Electronic Chart Display and Information System (ECDIS) is introduced as a specific part of this cyber security assessment. The assessment process presented has been experimentally tested by evaluating the cyber security level of Kobe University's training ship Fukae-maru. For computational vulnerability scanning, an industry-leading software tool has been used, and a quantitative cyber risk analysis has been conducted to evaluate cyber risks on the ship.

Download Full-text

Cyber risk management in SMEs: insights from industry surveys

The Journal of Risk Finance ◽

10.1108/jrf-02-2020-0024 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Felicitas Hoppe ◽

Nadine Gatzert ◽

Petra Gruner

Keyword(s):

Risk Management ◽

Cyber Security ◽

Future Research ◽

Management Process ◽

Content Type ◽

Security Culture ◽

Current State ◽

Enterprise Risk ◽

Risk Management Process ◽

Cyber Risk

PurposeThis article aims to gain insights on the current state of small- and medium-sized enterprises’ (SMEs’) cyber risk management process and to derive future research directions.Design/methodology/approachThis is done by collecting market insights from 37 recent industry surveys and structuring them based on the steps of the risk management process. From this analysis, major challenges are derived and future fields of research identified.FindingsThe results indicate that deficiencies in risk culture as well as the strained market for IT experts are the major obstacles with respect to the implementation of cyber risk management in SMEs, and that these challenges are similar across countries. The findings suggest that especially the relationship between cyber security culture and cyber risk management should be investigated further, and that a stronger link between the research streams on enterprise risk management and cyber risk management would be desirable.Originality/valueThis paper contributes to the literature by providing a systematic overview on the current state of SMEs' cyber risk management from a market perspective. The findings provide support for the existing academic literature by emphasizing the central role of cyber security culture (perception, knowledge, attitude) for a successful cyber risk management, which however should be addressed in more depth in future (empirical) research.

Download Full-text

Cybersecurity as a global concern in need of global solutions: an overview of financial regulatory developments in 2015

Journal of Investment Compliance ◽

10.1108/joic-01-2016-0003 ◽

2016 ◽

Vol 17 (1) ◽

pp. 101-111 ◽

Cited By ~ 2

Author(s):

V. Gerard Comizio ◽

Behnam Dayanim ◽

Laura Bain

Keyword(s):

Financial Institutions ◽

Cyber Security ◽

Assessment Tool ◽

The United States ◽

Regulatory Compliance ◽

The European Union ◽

Content Type ◽

Cyber Threats ◽

Cyber Risk ◽

Financial Regulatory

Purpose To provide financial institutions an overview of the developments in cybersecurity regulation of financial institutions during 2015 by the United States, the United Kingdom, and the European Union, as well as guidance for developing effective cyber-risk management programs in light of evolving cyber-threats and cyber-regulatory expectations. Design/methodology/approach Reviews US, UK and EU regulatory developments in the cybersecurity area and provides several best practice tips financial institutions should consider and implement to improve their cybersecurity compliance programs. Findings While cyber-threats and financial regulators’ expectations for cyber-security are constantly evolving, recent guidance and enforcement efforts by the US, UK and EU illustrate the need for financial institutions to develop effective cybersecurity programs that address current regulatory compliance requirements and prepare for emergency cyber responses. Practical implications Financial institutions should utilize the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool to assess their cyber-risk profile and cyber-preparedness. Originality/value Practical guidance from experienced financial regulatory and privacy lawyers that provides a survey of the current regulatory environment and recommendations for cyber-security compliance.

Download Full-text

Obtaining reasonable assurance on cyber resilience

Managerial Auditing Journal ◽

10.1108/maj-11-2017-1690 ◽

2019 ◽

Vol ahead-of-print (ahead-of-print) ◽

Cited By ~ 2

Author(s):

Filip Caron

Keyword(s):

Risk Management ◽

Real World ◽

Cyber Security ◽

Design Methodology ◽

Content Type ◽

Security Controls ◽

Conceptual Designs ◽

Testing Techniques ◽

Traditional Process ◽

Cyber Risk

PurposeThe purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.Design/methodology/approachThe paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines.FindingsCyber-testing techniques are providing insight in the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations.Originality/valueThe presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.

Download Full-text

RISK MANAGEMENT IN THE FINANCIAL SECTOR OF UKRAINE IN THE CONTEXT OF CYBER THREATS AND POST-PANDEMIC ECONOMIC RECOVERY

INNOVATIVE ECONOMY ◽

10.37332/2309-1533.2021.3-4.3 ◽

2021 ◽

pp. 19-27

Author(s):

Nazar Demchyshak ◽

Anastasiia Shkyria

Keyword(s):

Risk Management ◽

National Security ◽

Cyber Security ◽

Financial Sector ◽

Cyber Attacks ◽

Cyber Threats ◽

The World ◽

Cyber Threat ◽

Security Index ◽

Cyber Risk

Purpose. The aim of the article is substantiation of approaches of domestic and foreign scientists to risk management in the financial sector of Ukraine in the context of cyber threats and the need to ensure national security and post-pandemic economic recovery. Methodology of research. General scientific and special methods of scientific research are used in the article, in particular: induction, deduction, scientific abstraction - to reveal the essence of the concepts of "cyber threat", “cyber security" and "digitalization"; statistical and graphical methods - to assess the current situation in the field of cyber defence in the world and the national cyber security index; methods of analysis and synthesis - in substantiating the conclusions of the research. Finding. Definitions of cyber risk, approaches to its interpretation and classification were considered. The importance of cyber security in the digitalization of the national economy was argued. The Strategy of Ukrainian Financial Sector Development until 2025 is analysed. The world statistics of frequency and losses due to cyber-attacks are studied and the cyber threats that caused the greatest losses in Ukraine are identified. The analysis of Ukraine’s positions in the National Cyber Security Index 2020 is carried out. The directions of cyber threat prevention that can be useful for Ukrainian companies are substantiated. Originality. The author’s definition of the term "cyber risk" is proposed, in which special attention in focused on the effects of cyber threats. The importance of cyber risk management in the conditions of inevitability of digitalization in the financial sector of Ukraine is substantiated. Approaches to the prevention of cyber-attacks, the implementation of which is necessary for the successful digital transformation of Ukraine, are proposed. Practical value. The results of the research will contribute to the formation of an effective risk management system in the financial sector of Ukraine in terms of digitalization of the financial space and post-pandemic recovery of the national economy. Key words: national security, cyber risk, cyber threat, cyber defence, digitalization, post-pandemic recovery, fintech.

Download Full-text

Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses

Law & Social Inquiry ◽

10.1111/lsi.12303 ◽

2018 ◽

Vol 43 (02) ◽

pp. 417-440 ◽

Cited By ~ 16

Author(s):

Shauhin A. Talesh

Keyword(s):

Risk Management ◽

Cyber Security ◽

Participant Observation ◽

Legal Regulation ◽

Insurance Companies ◽

Organizational Sociology ◽

Cyber Insurance ◽

Privacy Laws ◽

Cyber Risk ◽

Management Services

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars' research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.

Download Full-text

MILITARY-BASED CYBER RISK ASSESSMENT FRAMEWORK FOR SUPPORTING CYBER WARFARE IN THAILAND

Journal of Information and Communication Technology ◽

10.32890/jict2017.16.2.8229 ◽

2017 ◽

Author(s):

Aniwat Hemanidhi ◽

Sanon Chimmanee

Keyword(s):

Risk Assessment ◽

Risk Management ◽

Cyber Security ◽

Risk Evaluation ◽

Qualitative Data ◽

Cyber Warfare ◽

Security Planning ◽

Assessment Standard ◽

Network Risk ◽

Cyber Risk

Information Technology (IT) Risk Management is designed to confirm the sufficiency of information security. There are many risk management/assessment standards, e.g. IS0 27005:2011 and NIST SP 800-30rev1, which are mainly designed for general organizations such as governments or businesses. Cyber risk assessment focused on military strategy has been rarely studied. Hence, this paper presents an innovative cyber risk assessment conceptual framework named “Cyber Risk Assessment (CRA)” which is extended from previous work with Military Risk Evaluation (MRE). This proposed CRA is the collection and integration of both quantitative and qualitative data. The Vulnerability Detection (VD) tools in Network Risk Evaluation (the previous studies) were used for the quantitative data collection and the focus group in the MRE (the proposed method) was used to collect qualitative data, which enhance the general risk assessment standard to achieve the objective of the research. The complexity of cyberspace domains with a military perspective is thoughtfully contemplated into the cyber risk assessment for national cyber security. Results of the proposed framework enable the possibility of cyber risk evaluation into score for national cyber security planning.

Download Full-text

Digital transformation risk management complex economic systems

The Economy under Guard ◽

10.36511/2588-0071-2020-1-37-43 ◽

2020 ◽

pp. 37-43

Author(s):

Vladimir Zakharov ◽

Vladislav Frolov

Keyword(s):

Risk Management ◽

Cyber Security ◽

Basic Research ◽

Digital Transformation ◽

Consumer Confidence ◽

Economic Systems ◽

Risk Prioritization ◽

Key Competencies ◽

Scientific Project ◽

Cyber Risk

The article provides an overview of the results of recent studies carried out in different countries on the management of cyber risks in complex economic systems. It is shown that the leaders of large enterprises strive to balance the distribution of funds between different areas of cyber security to reduce the overall risk of digital transformation. Weaknesses were identified in cyber risk management, the most significant of which, according to managers, are data management and cyber risk prioritization. It is proposed to pay special attention to data protection, because data insecurity can lead to the loss of key competencies of companies, its revenues and consumer confidence in it. The study was carried out with the financial support of the Russian Foundation for Basic Research in the framework of the scientific project no. 18-010-00781.

Download Full-text

Commercial Maritime and Cyber Risk Management

Safety & Defense ◽

10.37105/sd.42 ◽

2019 ◽

Vol 5 (1) ◽

pp. 46-48

Author(s):

Akash RANA

Keyword(s):

Risk Management ◽

Best Practices ◽

Cyber Security ◽

Cyber Attacks ◽

Signal Interference ◽

Cyber Crime ◽

British Government ◽

Code Of Practice ◽

Starting Point ◽

Cyber Risk

The starting point of the paper is the recognition of the growing threat of cyber-attacks to commercial maritime. Constantly growing dependency on technology has obvious advantages, on the other hand, however, it makes commercial maritime vessels progressively more vulnerable to cyber-crime, including GPS signal interference, malware attacks or even gaining control over ships’ systems and networks. The main objective of the paper is to present and discuss the Guidelines on Cyber Security Onboard Ships developed by the International Maritime Organization, including best practices for implementation of cyber risk management. The article’s goal is to summarize the guidelines and to familiarize the reader with the reasons why and the methods how they should be implemented. The paper is concluded with an example how the Guidelines can be adopted by national authorities, i.e., a brief presentation of “Code of Practice: Cyber Security for Ships” – a document developed by the British government that transposes the IMO guidelines.

Download Full-text

Optimal Investment in Cyber-Security under Cyber Insurance for a Multi-Branch Firm

Risks ◽

10.3390/risks9010024 ◽

2021 ◽

Vol 9 (1) ◽

pp. 24

Author(s):

Alessandro Mazzoccoli ◽

Maurizio Naldi

Keyword(s):

Risk Management ◽

Cyber Security ◽

Management Strategies ◽

Limited Liability ◽

Optimal Investment ◽

Cyber Insurance ◽

Risk Management Strategies ◽

Cyber Risk ◽

Investment Choices ◽

Very High

Investments in security and cyber-insurance are two cyber-risk management strategies that can be employed together to optimize the overall security expense. In this paper, we provide a closed form for the optimal investment under a full set of insurance liability scenarios (full liability, limited liability, and limited liability with deductibles) when we consider a multi-branch firm with correlated vulnerability. The insurance component results to be the major expense. It ends up being the only recommended approach (i.e., setting zero investments in security) when the intrinsic vulnerability is either very low or very high. We also study the robustness of the investment choices when our knowledge of vulnerability and correlation is uncertain, concluding that the uncertainty induced on investment by either uncertain correlation or uncertain vulnerability is not significant.

Download Full-text