GrantIndex

CRII: SaTC: Graph-based Probabilistic Cyber Risk Modeling

$191,000 | FY2020 | CSE | NSF

SUNY at Albany, Albany, NY

Investigators

Abstract

Cybersecurity risk analysis is one of the primary tools for managing the consequences of cyber incidents, but current methods have several limitations. First, cyber risk is often treated as an information technology problem rather than as a vital part of enterprise risk management. Second, the metrics in use are insufficient to support investment decisions: qualitative ratings and operational terms are used as cyber risk indicators rather than quantified financial measures that can guide where to invest. Third, current methods do not quantify how investment in a specific control changes the risk level.

This project aims to develop a probabilistic, quantitative cybersecurity risk analysis model that relates asset-level risk to organizational-level and supply-chain-level risk, in response to these deficiencies. The results of this research enable effective and accurate supply-chain cyber risk assessment, which in turn increases economic competitiveness by enabling more effective and efficient mitigation of cyber risks and well-informed cybersecurity investments. The project provides training opportunities for students at different levels and from under-represented groups. Educational materials developed in the project will be shared nationally through the CLARK repository of cybersecurity learning objects, which is supported by the National Security Agency.

The main research question of this study is what kind of probabilistic quantitative cybersecurity risk analysis model can relate asset-level risk to organizational-level risk and supply-chain-level risk. The project employs probabilistic attack graphs built from known vulnerabilities in computer software and from network topologies. Dynamic risk assessment capabilities are added to the attack graph using Bayesian belief networks, so that risk estimates can be updated as new evidence arrives. A graph-theoretical functional dependency model is also developed to capture the ripple effects of cyber attacks, from enterprise missions through to failures in supply chains. Simulations and sensitivity analysis are conducted on a smart grid testbed to validate the developed risk analysis model.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
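To make the modelling approach described in the abstract concrete, the following is a small, self-contained Python example added by the editor; it is not code from the project, and the attack steps, success probabilities, missions, loss figures and controls it uses are all constructed for illustration. It encodes an attack graph as a Bayesian network with AND/OR gated nodes, computes the probability that an attacker reaches a smart-grid target, updates that probability when evidence of an intrusion arrives (the dynamic assessment the abstract attributes to Bayesian belief networks), maps step compromises onto an enterprise mission and a supply-chain mission to obtain an expected financial loss, and ranks candidate controls by how much each reduces that loss.

```python
from itertools import product

# Constructed example (not the project's model): a probabilistic attack graph for
# a small IT/OT network. Each node is an attacker step; "parents" are prerequisite
# steps, "gate" says whether ALL (AND) or ANY (OR) prerequisites must already have
# succeeded, and "p" is the assumed probability the step succeeds once they have
# (in practice estimated from CVSS exploitability, exploit availability, etc.).
ATTACK_GRAPH = {
    "phish_workstation":  {"parents": [], "gate": "OR", "p": 0.30},
    "exploit_web_rce":    {"parents": [], "gate": "OR", "p": 0.20},
    "lateral_move_ad":    {"parents": ["phish_workstation", "exploit_web_rce"], "gate": "OR", "p": 0.60},
    "steal_hmi_creds":    {"parents": ["lateral_move_ad"], "gate": "OR", "p": 0.50},
    "pivot_to_scada_dmz": {"parents": ["lateral_move_ad"], "gate": "OR", "p": 0.40},
    "manipulate_breaker": {"parents": ["steal_hmi_creds", "pivot_to_scada_dmz"], "gate": "AND", "p": 0.70},
}
# Constructed functional dependency model: a mission fails if any listed step
# succeeds; "loss" is the assumed financial impact of that failure.
MISSIONS = {
    "grid_dispatch":       {"fails_if": ["manipulate_breaker"], "loss": 5_000_000},
    "supplier_order_feed": {"fails_if": ["lateral_move_ad"], "loss": 400_000},
}
# Candidate controls as the new step success probability they impose (assumed).
CONTROLS = {"patch_web_rce": {"exploit_web_rce": 0.0}, "mfa_on_hmi": {"steal_hmi_creds": 0.1}}


def _topo_order(graph):
    """Node names with every parent listed before its children."""
    order, seen = [], set()

    def visit(n):
        if n not in seen:
            seen.add(n)
            for parent in graph[n]["parents"]:
                visit(parent)
            order.append(n)

    for n in graph:
        visit(n)
    return order


def _cond_prob(spec, state):
    """P(step succeeds | parent states): p if the AND/OR gate is satisfied, else 0."""
    combine = all if spec["gate"] == "AND" else any
    if spec["parents"] and not combine(state[p] for p in spec["parents"]):
        return 0.0
    return spec["p"]


def worlds(graph, evidence=None):
    """Yield (state, unnormalised probability) for every joint assignment consistent
    with the evidence. Exact inference by enumerating 2^n worlds: fine for a small
    graph, exponential in general."""
    evidence = evidence or {}
    order = _topo_order(graph)
    for bits in product((0, 1), repeat=len(order)):
        state = dict(zip(order, bits))
        if any(state[k] != v for k, v in evidence.items()):
            continue
        weight = 1.0
        for n in order:
            q = _cond_prob(graph[n], state)
            weight *= q if state[n] else 1.0 - q
        if weight > 0.0:
            yield state, weight


def prob(graph, event, evidence=None):
    """P(event | evidence); event is a predicate over a world's state dict."""
    num = den = 0.0
    for state, w in worlds(graph, evidence):
        den += w
        if event(state):
            num += w
    if den == 0.0:
        raise ValueError("evidence is impossible under the model")
    return num / den


def expected_loss(graph, missions, evidence=None):
    """Organisational-level risk: sum over missions of P(failure) x loss."""
    total = 0.0
    for spec in missions.values():
        steps = spec["fails_if"]
        total += spec["loss"] * prob(graph, lambda s, steps=steps: any(s[n] for n in steps), evidence)
    return total


def control_benefit(graph, missions, controls):
    """Expected-loss reduction from each control applied on its own (sensitivity analysis)."""
    base = expected_loss(graph, missions)
    benefit = {}
    for name, changes in controls.items():
        modified = {n: dict(spec) for n, spec in graph.items()}
        for node, new_p in changes.items():
            modified[node]["p"] = new_p
        benefit[name] = base - expected_loss(modified, missions)
    return benefit


if __name__ == "__main__":
    breaker = lambda s: s["manipulate_breaker"]
    print("P(breaker manipulated):", round(prob(ATTACK_GRAPH, breaker), 5))
    # Dynamic update: an alert has confirmed lateral movement into AD.
    print("  given lateral movement observed:", round(prob(ATTACK_GRAPH, breaker, {"lateral_move_ad": 1}), 5))
    print("Expected loss: $%.0f" % expected_loss(ATTACK_GRAPH, MISSIONS))
    for name, saved in control_benefit(ATTACK_GRAPH, MISSIONS, CONTROLS).items():
        print(f"  {name}: reduces expected loss by ${saved:,.0f}")
```

The sensitivity result is the interesting part: in this constructed model, MFA on the HMI reduces expected loss more than patching the internet-facing RCE, because the high-loss mission sits behind an AND gate that MFA starves, whereas the patch only removes one of two entry points feeding an OR gate. That is the kind of quantified control comparison the abstract says current practice lacks. A real deployment would need defensible per-step probabilities and an inference method that scales beyond the 2^n enumeration used here.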

View original record on NSF Award Search →