Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management
As the economic cost of cyberattacks has been skyrocketing, state actors have been directing more effort towards cybersecurity. However, current cybersecurity risk assessment tools rely on quantifying the probabilities of a set of well-known risk scenarios, an approach that does not carry over to the many attacks that do not resemble those scenarios. Moreover, the scenario set has to be updated constantly for the method to stay relevant. The paper presents an alternative approach based on multicriteria decision analysis (MCDA), a method that US agencies such as the US Coast Guard and the US Army Corps of Engineers have already applied to risk assessment in physical domains.
The central idea of applying MCDA to cybersecurity is to analyze risk by partitioning it into three components: threats, vulnerabilities, and consequences. A threat is defined as “a person or an organization that intends to cause harm,” and several factors related to a threat can then be assessed, such as its motivation and its resources. Vulnerabilities describe the software and hardware capabilities (and deficiencies) of the defending actor; the presence of factors such as obsolete hardware or counterfeit software raises the vulnerability component of the risk. The third component is consequences, which capture the impact of a cyberattack: an attack could degrade the integrity of the defending system or reduce its availability. Scoring each component on its own criteria, rather than estimating a probability for each known scenario, could give state actors and public-sector organizations new tools for strengthening cybersecurity.
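To make the decomposition concrete, the following is an added illustration, not the paper's own scoring model, of how a weighted-sum MCDA could aggregate ordinal scores on threat, vulnerability and consequence factors into a single risk index and rank attack scenarios against each other. Only the three criteria and their example factors come from the summary above; the 1..5 ordinal scale, the weight sets and the sample scenarios are assumptions constructed here for the example.

```python
"""Illustrative weighted-sum MCDA scoring of cyber-risk scenarios.

Added example for this summary; it is not the paper's own scoring model.
Only the three top-level criteria and their example factors come from the
text. The 1..5 ordinal scale, the weights and the sample scenarios are
assumptions made here for illustration.
"""

# Sub-factors grouped under the three criteria named in the summary.
CRITERIA = {
    "threat": ["motivation", "resources"],
    "vulnerability": ["obsolete_hardware", "counterfeit_software"],
    "consequence": ["integrity_loss", "availability_loss"],
}

# Assumed ordinal scale: 1 = negligible, 5 = severe.
SCALE_MIN, SCALE_MAX = 1, 5

# Constructed sample scenarios (not from the paper), scored on that scale.
SCENARIOS = {
    "ransomware_on_legacy_ics": {
        "motivation": 4, "resources": 3,
        "obsolete_hardware": 5, "counterfeit_software": 2,
        "integrity_loss": 4, "availability_loss": 5,
    },
    "state_actor_recon": {
        "motivation": 5, "resources": 5,
        "obsolete_hardware": 1, "counterfeit_software": 1,
        "integrity_loss": 2, "availability_loss": 1,
    },
    "commodity_phishing": {
        "motivation": 2, "resources": 1,
        "obsolete_hardware": 2, "counterfeit_software": 3,
        "integrity_loss": 2, "availability_loss": 2,
    },
}

# Assumed weight sets over the three criteria; each must sum to 1.
WEIGHT_SETS = {
    "equal": {"threat": 1 / 3, "vulnerability": 1 / 3, "consequence": 1 / 3},
    "consequence_heavy": {"threat": 0.2, "vulnerability": 0.2, "consequence": 0.6},
    "threat_heavy": {"threat": 0.7, "vulnerability": 0.15, "consequence": 0.15},
}


def normalize(score):
    """Map an ordinal score onto [0, 1]; reject values outside the scale."""
    if not SCALE_MIN <= score <= SCALE_MAX:
        raise ValueError(f"score {score} outside {SCALE_MIN}..{SCALE_MAX}")
    return (score - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)


def criterion_score(scores, criterion):
    """Mean normalized score of the sub-factors under one criterion."""
    factors = CRITERIA[criterion]
    return sum(normalize(scores[f]) for f in factors) / len(factors)


def risk_index(scores, weights):
    """Weighted sum of the three criterion scores; result lies in [0, 1]."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(weights[c] * criterion_score(scores, c) for c in CRITERIA)


def rank_scenarios(scenarios, weights):
    """Return [(name, index), ...] sorted with the highest risk first."""
    ranked = [(name, risk_index(s, weights)) for name, s in scenarios.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def top_scenario_by_weights(scenarios, weight_sets):
    """Top-ranked scenario under each weight set, and whether it is the same for all."""
    tops = {label: rank_scenarios(scenarios, w)[0][0] for label, w in weight_sets.items()}
    return tops, len(set(tops.values())) == 1


if __name__ == "__main__":
    for label, weights in WEIGHT_SETS.items():
        print(label)
        for name, idx in rank_scenarios(SCENARIOS, weights):
            print(f"  {name:<26} {idx:.3f}")
    tops, stable = top_scenario_by_weights(SCENARIOS, WEIGHT_SETS)
    print("top scenario stable across weight sets:", stable, tops)
```

With the constructed inputs, the legacy-ICS ransomware scenario ranks first under equal and consequence-heavy weights, but the state-actor scenario overtakes it once the threat criterion is weighted at 0.7. That sensitivity of the ranking to the weights is a property of weighted-sum MCDA in general, and is why the weights have to be elicited from the decision maker deliberately and checked with a sensitivity analysis rather than chosen once and left implicit.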