Research on quantitative OT cyber risk analysis

Cyber Risk
Cyber Security
Private collaboration between DeNexus and URJC to investigate external factors affecting cyber risk dynamics.
Published

June 1, 2022

Goal

In the processes of analyzing, evaluating, or quantifying cyber risk, it is very common to focus on internal aspects related to the organization, essentially its level of maturity (adherence to best practices, strength of deployed controls and effectiveness of their application, etc.) and the potential losses that a security incident could entail. These internal aspects change and evolve over time, but they do so slowly. Therefore, it is usually sufficient to carry out the analysis, evaluation, or quantification processes periodically, every 12 or 18 months, for example.

However, if external aspects are taken into account, such as those related to the threat agent (motivation, TTPs, capabilities) and the organization’s operating context, or hybrid aspects (such as the attractiveness to the attacker, which has both an internal and an external component), it is quite likely that cyber risk will evolve much more rapidly, and it will be necessary to carry out more frequent or continuous assessments to capture this dynamism.

DeNexus’ Data and Modeling experts, led by Romy R. Ravines, and cybersecurity experts from Universidad Rey Juan Carlos (URJC), led by Marta Beltrán, collaborated to investigate these types of external or hybrid aspects that affect an organization’s cyber risk and its dynamics. The project aimed to identify relevant factors, data sources, and methodologies to incorporate these aspects into cyber risk quantification models effectively. The study also included an in-depth investigation into the challenges posed by IT-OT convergence in the context of cyber risk.


Consortium