Threat and Risk Assessment Using Continuous Logic

DOI: 10.4018/978-1-7998-3473-1.ch083
Threat and Risk Assessment is an important area in cybersecurity. It covers multiple systems and organizations where cybersecurity is significant, such as banking, industry, SCADA, and Energy Management Systems, among many others. The chapter presents a method to help assess threats and risks associated with computer and network systems. It integrates the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology, with a quantitative method based on a Continuous Logic, the Logic Scoring of Preference (LSP) method. LSP is a method suitable for decision making that provides guidelines for producing a model to assist the expert in assessing how much a product or system satisfies a number of requirements, in this case associated with the identification, protection, detection, response and recovery of threats and risks in an organization.
Chapter Preview


The next two subsections discuss related work on threat and risk assessment and introduce some concepts of the LSP method necessary to understand the rest of the work.

Key Terms in this Chapter

Continuous Logic: A logic whose truth values can take continuous values in a given range (e.g. [0, 1], [0, 100]) instead of values like True or False.

Threat Assessment: The process of determining the possibility and importance of a potential threat.

Risk Management: Identifying, evaluating, and assigning priority to potential risks with the goal of defining the methods and resources to minimize or mitigate the outcomes of the risk. Closely related to Risk Assessment.

Threat and Risk Assessment: Assessing a risk is closely associated with its corresponding threat. Nearly any human endeavour has a potential threat and a risk correlated with it. Assessing both is mandatory in some areas, e.g. building construction, country security, network security, etc.

Risk Assessment: Documenting the evaluation of the possibility of a risk occurring, the associated damage, and the measures to avoid it or at least mitigate its outcomes. Closely related to Risk Management.

Decision Theory: The study of choices that a given agent can take.

Decision Method: A procedure, technique or planned way of arriving at a decision. Normally it could be said that the decision is the process of making up one's mind. There are several decision methods, ranging from very simple ones to more formal or axiomatic methods.