tions
First, however, we exclude methodologies not provided by professional organisations as a design choice, as one approach to achieving the goal of developing a risk management framework. The advantages of choosing a risk methodology from a professional organisation are that its methods have been implemented and that information is already available on their efficacy, validity and other vital properties. There are also advantages in terms of tooling supporting methodologies from professional organisations: in an investigation of research projects listed by Shameli-Sendi and others found by literature searches (see [40], [57] and [55]), the required software often could not be located or was not supported. For example, with respect to TREsPASS and the Attack Navigator, a graphical approach to security risk assessment, the software could not be started, and support requests were not met.[105] Similarly, the software (CIPTIMEFL) for providing dependency modelling for critical infrastructures using cyber-physical components was not yet available when requested.[100]
It is also possible to choose methodologies from non-professional organisations, such as directly from research projects, or even to build one from scratch. These may also meet the requirements for a risk management framework, though arguably requiring more effort to satisfy the generic criteria for design artefacts and the specific criteria identified. In addition, as an approach used here, suggestions from research projects can be used to enhance risk methodologies from professional and non-professional organisations where necessary. Nevertheless, as a design choice, the initial methodologies were selected from those provided by professional organisations.
5.2.1 Appraisement - Qualitative vs Quantitative Approaches
To narrow the selection of cyber security risk methodology, we first examine the first dimension from Shameli-Sendi et al., namely, whether the risk assessment can be quantitative or only qualitative. For one, the identified lack of historical data (see Subsection 3.2.5) makes this an essential consideration in the selection of methodologies, although other factors are relevant in choosing a qualitative methodology, as considered in the next subsection.
Figure 5.2: The Four Quadrants with Risk Classifications, Reprinted From [113, p. 157]
The Four Quadrants Classification of Cyber Security Risk
Useful guidance as to whether a cyber security risk assessment can be quantitative is provided by Wangen. Wangen uses Taleb's general classification of risks into four quadrants to determine whether it is possible to apply quantitative or qualitative risk analysis methods and where it is possible to safely rely on statistical methods.[112, p. i] Taleb proposes a Four Quadrant risk classification system, which links risk to decision theory and uses two dimensions to classify the predictability of risk, namely randomness and decisions. See Fig. 5.2. For the first dimension, decisions, there are two types of decision: binary decisions, where the decision as to what course of action to take is simple, and complex decisions on the other hand. For the latter, the decision maker must also consider the impact or a function of the impact. For the second dimension, the classes of randomness are Mediocristan (low exposure to extreme events, with low randomness, e.g. a height distribution) and Extremistan (where small probabilities and extreme events rule). Wangen et al. observe that Extremistan is often a product of interconnectivity in modern society.[113, p. 41]
The classification of risks into the fourth quadrant is significant here, as quantitative appraisement should be avoided for such risks: for fourth quadrant risks, Wangen recommends avoiding long-term quantitative predictions due to their uncertain properties “caused by a considerable complexity-knowledge gap”.[112, p. 156] Similarly, statistical risk management methods for cyber security can only be applied where there is a significant amount of historical data.[113, p. 156] Which factors, according to Wangen, then lead to a fourth quadrant classification? Wangen identifies the following factors as significant, and these are considered in turn.
lead to a complexity knowledge gap, with the larger the system, the more uncertainty. With the advent of highly integrated value chains in Industry 4.0, there may well be such a gap in many cases. Even within machine learning systems, neural networks work very opaquely in identifying patterns in large data sets and then making decisions based on pattern matching. The logic and causation that risk management relies upon is challenging to ascertain here.[85, p. 4]
Interconnection and Single Points of Failure. Similarly, interconnectedness is a feature of Industry 4.0 and there may well be single points of failure in industry processes, unless these are avoided in architectures and process design. (See Subsection 3.2.3.)
Unpredictable Active Adversary. For this factor, Wangen observes that the “complexity of cyber-warfare or cyber-terrorism in the information security domain is so high that we can hardly notice it unless the damage is done, and the outcomes are obvious.”[112, p. 155] Also, any reliance on historical data (which is presently lacking) is dangerous, as advanced attackers will seek new ways to mount their attacks and achieve their aims.[112, p. 156] In the context of machine learning systems, as we have seen, integrity attacks are likely to be subtle and imperceptible to humans, with new algorithms and new forms of attack emerging, and hence the actions of adversaries are challenging to predict. (See Subsection 2.3.5.)
Vulnerabilities to Cascading and Systemic Risks. Wangen also identifies cascading and systemic risks as a factor leading to a fourth quadrant classification. Cascading risks may flow through an ecosystem where one crucial component fails, leading to overloads in interconnected components. Such cascading risks can well be evident with interconnected systems in Industry 4.0. Systemic risks, which are risks that have the capacity to cause global harm to a system, may occur where reliance is placed on one machine learning system for several use cases in a single factory and where a machine learning system is relied upon in several factories. It is important to note that none of these factors identified by Wangen relate to the severity of the impact, nor to harm to persons, and so they would seem to apply regardless of the potential to cause harm to humans. Hence, these factors lead in many instances in Industry 4.0 to a fourth quadrant classification and so to the necessity to avoid long-term quantitative predictions, even if historical data becomes available for machine learning systems in Industry 4.0 and independently of whether human safety is at risk.
Criticisms of the Four Quadrants Approach. Lindley has lampooned the distinction between Mediocristan and Extremistan, and Aven also doubts whether the distinction can be given “a proper scientific justification in view of existing risk theories and perspectives.”[61] Nevertheless, Aven concludes that there is a need to extend beyond a probabilistic approach for an uncertainty assessment.[12] Despite this criticism, the arguments by Wangen and the identification of factors that lead to a recommendation not to apply quantitative methods, including statistical methods, are compelling and applicable to machine learning systems in the context of Industry 4.0. In addition, Shameli-Sendi et al. summarise that quantitative methods are lengthy and time-consuming processes, requiring sufficient historical incident data.
JOURNAL OF COMPUTERS & SECURITY - ELSEVIER
TABLE I: Summary of existing information security risk assessment approaches

| Title | Perspective | Technique used | Appraisement | Input/Output | Resource Valuation | Risk Measurement | Risk Phases |
|---|---|---|---|---|---|---|---|
| Professional Organizations | | | | | | | |
| CRAMM [47] | AD | Multiplication Operation | QL | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| CORAS [48] | AD | Multiplication Operation | QL | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| OCTAVE [49] | AD | Multiplication Operation | QL | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Magerit V2 [50] | AD | Multiplication Operation | QN/QL | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Microsoft [51] | AD | Multiplication Operation | HB | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Mehari [52] | AD | Multiplication Operation | HB | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| OCTAVE Allegro [53] | AD | Multiplication Operation | HB | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| ISO/IEC 27005 [72] | AD | Multiplication Operation | HB | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| NIST 800-30rev1 [34] | AD | Multiplication Operation | HB | - | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Research Projects | | | | | | | |
| Guan et al. [64] | AD | Multi-Criteria Decision-Making | QL | Linguistic variables/Range | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Karabacak and Sogukpinar [71] | AD | Mathematical Operations | QN | Non-Monetary/Non-Monetary | V(I)+H(I) | NP | 1. RA 2. RE |
| Sun et al. [24] | AD | Dempster-Shafer Theory | QN | Monetary/Monetary | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Kondakci [65] | AD | Labeling | QN | Non-Monetary/Non-Monetary | V(I)+H(I) | NP | 1. RA 2. RE |
| Shameli-Sendi et al. [26] | AD | Fuzzy | QL | Range/Rank | V(I)+H(I) | NP | 1. RA 2. RE |
| Khanmohammadi and Houmb [77] | BD | Multiplication Operation | QN | Non-Monetary/Non-Monetary | V(I)+H(I) | NP | 1. RA 2. RE |
| Deng et al. [57] | AD | Dempster-Shafer and Fuzzy Set Theory | HB | Non-Monetary/Non-Monetary | V(I)+H(I) | NP | 1. RA 2. RE |
| Lo and Chen [56] | AD | DEMATEL, ANP, FLQ-MEOWA | HB | Non-Monetary/Non-Monetary | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Su et al. [79] | AD | N/A | QL | N/A | V(AB)+H(I) | NP | 1. RA 2. RE |
| Eom et al. [80] | AD | Mathematical Operations | QL | Range/Non-Monetary | V(AB)+H(I) | NP | 1. RA 2. RE |
| Danfeng et al. [81] | SD | Mathematical Operations | QN | Non-Monetary/Non-Monetary | V(I)+H(D) | NP | 1. RA 2. RE |
| Mahmoud et al. [86] | AD | Mathematical Operations | QN | Non-Monetary/Non-Monetary | V(I)+H(I) | P | 1. RA 2. RE |
| Loloei et al. [87] | AD | Mathematical Operations | QN | Non-Monetary/Non-Monetary | V(AB)+H(D) | NP | 1. RA |
| Jahnke et al. [88] | SD | Mathematical Operations | QN | Non-Monetary/Non-Monetary | V(I)+H(I) | P | 1. RA 2. RE 3. RR |
| Kheir et al. [89] | SD | Mathematical Operations | QN | Non-Monetary/Non-Monetary | V(I)+H(I) | P | 1. RA 2. RE 3. RR |
| Letchford and Vorobeychik [68] | AD | Game Theory | QL | Non-Monetary/Non-Monetary | V(I)+H(D) | NP | 1. RA 2. RE |
| Suh and Han [92] | AD | Mathematical Operations | QN | Monetary/Monetary | V(AB)+H(D) | NP | 1. RA 2. RE |
| Alpcan and Bambos [67] | AD | Graph-theoretic | QN | Non-Monetary/Non-Monetary | V(I)+H(I) | P | 1. RA 2. RE |
| Sawilla and Ou [69] | AD | Attack Graph | QL | Rank/Rank | V(I)+H(D) | NP | 1. RA 2. RE |
| Samantra et al. [93] | AD | Fuzzy set theory | QL | Linguistic variables/Range | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |
| Schmidt and Albayrak [95] | AD | Mathematical Operations | QN | Monetary/Monetary | V(ASB)+H(D) | P | 1. RA 2. RE 3. RR |
| Houmb et al. [75] | AD | Bayesian Belief Network | HB | Non-Monetary/Non-Monetary | V(I)+H(I) | NP | 1. RA 2. RE 3. RR |

Legend: AD = Asset-driven; BD = Business-driven; SD = Service-driven; QL = Qualitative; QN = Quantitative; HB = Hybrid; V(I) = Vertical view is independent; V(AB) = Vertical view is dependent (asset to business); V(ASB) = Vertical view is dependent (asset to service to business); H(I) = Horizontal view is independent; H(D) = Horizontal view is dependent; NP = Non-Propagated; P = Propagated; RA = Risk Analysis; RE = Risk Evaluation; RR = Responding to Risk. Magerit V2 can be applied both quantitatively and qualitatively.
Figure 5.3: Summary of Existing Information Security Risk Assessment Approaches, Reprinted From [95, p. 14]
“Due to the limited time, money, and human resources available faced by organizations, implementing this approach will not be easy.”[95, p. 7] We therefore exclude purely quantitative approaches from our selection of risk-informed methodologies.
5.2.2 Qualitative Approaches
Excluding quantitative approaches and excluding research projects from the analysis of Shameli-Sendi in Fig. 5.3 leads to the following remaining qualitative risk assessment approaches offered by professional organisations:
1. CRAMM
2. CORAS
3. OCTAVE
We turn to the consideration of the three other dimensions of the risk assessment taxonomy by Shameli-Sendi. These are perspective, risk measurement and resource valuation. In considering CRAMM, CORAS and OCTAVE being applied to machine learning in Industry 4.0, we do not exclude any of these three approaches, though some limitations in their application are identified.
Perspective
Shameli-Sendi et al. offer a perspective dimension, with three different levels of bottom-up abstraction, namely asset, service, and business process. That is, the risk
Shameli-Sendi identifies that the majority of approaches are at the asset level, but they cite new studies that are changing the perspective, with the advantage that working on the service level or business process level is easier and more accurate.[95, p. 3] Indeed, the level of complexity in Industry 4.0 suggests that it would be preferable to work at the business process level or at the service level, where distinct suppliers of internet technologies are providing services. In this regard, CRAMM, CORAS and OCTAVE are all at the asset abstraction level, per Shameli-Sendi. (See Fig. 5.3.) This high abstraction level makes the assessment error-prone and inefficient, though still capable of execution.[95, p. 15]
Risk Measurement
The third category in their risk assessment taxonomy refers to the risk measurement. Based on the importance identified in other studies, this dimension refers to the fact that the impact of an attack on a resource is usually propagated to other resources, and therefore a risk assessment should consider risk propagation to give a better understanding of the damage cost.[95, p. 4] This propagation of the impact on a resource, including an attack on a machine learning system, is significant in Industry 4.0 with the interconnectedness of systems. For example, an attack on a machine learning system may lead to a false classification or even no classification in the case of an availability attack. This need to model propagation of impacts is also clearly evident with reprogramming attacks, where the machine learning system is used as a platform to attack other systems. Other systems here could well include systems within the value chain as well as systems external to the value chain. The major disadvantage of not being able to model propagation is the real possibility of selecting inappropriate security controls.[95, p. 15] CRAMM, CORAS and OCTAVE are “non-propagated”, per Shameli-Sendi. (See Fig. 5.3.) This classification can be questioned, at least with respect to CORAS, which appears to be able to model propagation: it may be that the authors included in their classification whether the propagation can be assessed quantitatively or not. Hence, we retain CRAMM, CORAS and OCTAVE.
Resource Valuation
The final category in the taxonomy of Shameli-Sendi et al. is related to the resource valuation model. There are dependent and independent resource valuation models in the risk assessment methods. A dependent model considers the dependencies between resources (i.e. assets, services or business processes) in the current level to compute the accurate value of each resource. A dependent model thus reflects the fact that resources are not independent and that their values usually depend on others.
Machine learning systems with trained learning models that work for a single classification are likely to be independent resources in this sense. However, interconnected systems in the value chain may well be dependent, in which case a methodology able to handle dependent resources is essential in Industry 4.0. A critical disadvantage of independent resource valuation is that the value of a resource is not based on its impact on other resources.[95, p. 15] CRAMM, CORAS and OCTAVE are independent resource valuation models, per Shameli-Sendi. (See Fig. 5.3.) Again, we retain CRAMM, CORAS and OCTAVE in the selection, with this limitation. The risk-informed methodologies of CRAMM, CORAS and OCTAVE can be further evaluated using the criteria of cost and usability suggested by Gritzalis et al.[43]
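The following is an added illustration, not taken from the thesis or from Shameli-Sendi et al., of how a non-propagated, independent rating differs from a propagated, dependent one when both stay on an ordinal (qualitative) scale. The value chain, resource names, ratings and the rule "a resource inherits the worst rating it can reach" are all assumptions made for this example.

```python
from collections import deque

# Ordinal (qualitative) impact scale; labels and ordering are assumptions.
LEVELS = ["low", "medium", "high"]

# Constructed value chain: an edge A -> B means a compromise of A can affect B.
IMPACTS_ON = {
    "sensor_gateway": ["ml_classifier"],
    "ml_classifier": ["quality_gate", "supplier_portal"],
    "quality_gate": ["production_line"],
    "production_line": ["ml_classifier"],  # feedback loop (retraining data)
    "supplier_portal": [],                 # system external to the factory
}

# Constructed stand-alone rating of each resource, ignoring its neighbours.
DIRECT_IMPACT = {
    "sensor_gateway": "low",
    "ml_classifier": "low",
    "quality_gate": "medium",
    "production_line": "high",
    "supplier_portal": "medium",
}


def rank(level):
    return LEVELS.index(level)


def non_propagated(resource):
    """Independent valuation: only the resource's own rating counts."""
    return DIRECT_IMPACT[resource]


def propagated(resource):
    """Dependent valuation: worst rating reachable from the resource.

    Breadth-first search with a parent map, so cycles terminate and the
    shortest chain to the worst-rated resource can be reported.
    """
    parent = {resource: None}
    queue = deque([resource])
    worst = resource
    while queue:
        node = queue.popleft()
        if rank(DIRECT_IMPACT[node]) > rank(DIRECT_IMPACT[worst]):
            worst = node
        for nxt in IMPACTS_ON.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    chain, node = [], worst
    while node is not None:
        chain.append(node)
        node = parent[node]
    return DIRECT_IMPACT[worst], chain[::-1]


def underrated():
    """Resources whose independent rating is below their propagated one."""
    return sorted(r for r in IMPACTS_ON
                  if rank(non_propagated(r)) < rank(propagated(r)[0]))


if __name__ == "__main__":
    for name in IMPACTS_ON:
        level, chain = propagated(name)
        print(f"{name}: {non_propagated(name)} -> {level} via {' > '.join(chain)}")
```

Resources returned by `underrated()` are those where a non-propagated assessment would steer control selection away from the component that actually carries the exposure.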
5.2.3 Comparison of Tooling, Cost, Usability for CRAMM, CORAS and OCTAVE
Although not dimensions in their taxonomy, the cost and usability of the risk assessment methods are characteristics considered by Shameli-Sendi et al. and are consistent with the criteria identified in Subsection 4.1. For practical reasons and in terms of the design approach, CRAMM is excluded from this study because it is commercial, requiring the purchase of software and a support fee.[43, 11:19] In terms of ease of use, of the remaining two approaches, both CORAS and OCTAVE are judged by Gritzalis et al. as being “Quite Satisfactory”. The possible scope for both is “Big and Small”, which covers Industry 4.0 settings. CORAS has had a more recent update (2010 vs. 2005 for OCTAVE).
5.2.4 Stages of Risk Management Addressed
OCTAVE appears to be wider and to cover broader risk management, not only risk assessments, unlike CORAS, which only covers risk assessments.[43, 11:25] In contrast to this conclusion, Gritzalis et al. point out that OCTAVE does not cover risk mitigation or the consideration of safeguards to prevent attacks. Also, the only steps in risk management that CORAS appears not to cover are communicating and consulting, and surveying and evaluating.[86, p. 6] Hence, CORAS covers more, not fewer, steps in risk management than OCTAVE. CORAS is then chosen over OCTAVE, due to the importance of modelling the machine learning specific and general defences as mitigation, even though it may be possible to extend OCTAVE to cover risk mitigations.
5.2.5 Selection of CORAS
Consolidating the criteria and the assessment of those criteria by Shameli-Sendi, we arrive at the following table (see Table 5.1). Chiefly because a) more stages of risk management are addressed, b) CRAMM is ruled out for its costs, and c) CORAS has been updated more recently than OCTAVE, we ultimately choose CORAS for further consideration and improvement. It is noted that this is a design choice, and a plausible alternative design choice, based on this analysis, could well have been to choose OCTAVE and consider the enhancements necessary. However, further consideration of OCTAVE is beyond the scope of this research.