Building a cyber risk treatment taxonomy

Leave a Comment / Tecnologías de la información área desarrollo de software multiplataforma / By
Bookmark (0)
Please login to bookmark Close

Cyber risk treatment is a crucial stage of cyber risk management. During the risk treatment stage, countermeasures are applied to reduce the impact and likelihood of cyber risks. These countermeasures are categorized according to cybersecurity risk taxonomies such as CIS 8, NIST CSF taxonomy and MITRE D3fend. These taxonomies are especially designed to align with established risk management methodologies, models or frameworks (e.g., ISO 27001 or NIST 800-30). However, these countermeasure taxonomies have a number of problems: (a) they are complex to apply, (b) they each have their own structure and are, therefore, not standardized, (c) they have limited scopes of application, and (d) there are frequent changes in cybersecurity risks that impair countermeasures. To solve the above problems, a taxonomy of cybersecurity risk countermeasures, called Cyber Risk Treatment Taxonomy (CRTT), has been built leveraging the strengths of existing cybersecurity countermeasure taxonomies. We adopted the European Commission’s Science and Knowledge Service model, which is based on Whittaker & Breininger’s knowledge management taxonomy development framework, specifically adapted to the cybersecurity domain. The proposed cybersecurity countermeasure taxonomy can be applied without adhering to a specific risk management methodology, model or framework, although it is compatible with most existing methodologies, models and frameworks. The results include a taxonomy of 229 countermeasures, categorized into 19 second-level and five first-level taxa. This taxonomy was applied in an access management case study implemented at a banking organization. The steps described by Yin were used as a guide to drive the case study. The organization previously applied 12 countermeasures. As a result of the application of CRTT, however, six additional countermeasures were identified. Therefore, the organization considered that CRTT was a valuable resource to help organizations select and implement appropriate countermeasures based on their specific cybersecurity needs and decided to continue to apply the CRTT as part of a pilot program.

​Cyber risk treatment is a crucial stage of cyber risk management. During the risk treatment stage, countermeasures are applied to reduce the impact and likelihood of cyber risks. These countermeasures are categorized according to cybersecurity risk taxonomies such as CIS 8, NIST CSF taxonomy and MITRE D3fend. These taxonomies are especially designed to align with established risk management methodologies, models or frameworks (e.g., ISO 27001 or NIST 800-30). However, these countermeasure taxonomies have a number of problems: (a) they are complex to apply, (b) they each have their own structure and are, therefore, not standardized, (c) they have limited scopes of application, and (d) there are frequent changes in cybersecurity risks that impair countermeasures. To solve the above problems, a taxonomy of cybersecurity risk countermeasures, called Cyber Risk Treatment Taxonomy (CRTT), has been built leveraging the strengths of existing cybersecurity countermeasure taxonomies. We adopted the European Commission’s Science and Knowledge Service model, which is based on Whittaker & Breininger’s knowledge management taxonomy development framework, specifically adapted to the cybersecurity domain. The proposed cybersecurity countermeasure taxonomy can be applied without adhering to a specific risk management methodology, model or framework, although it is compatible with most existing methodologies, models and frameworks. The results include a taxonomy of 229 countermeasures, categorized into 19 second-level and five first-level taxa. This taxonomy was applied in an access management case study implemented at a banking organization. The steps described by Yin were used as a guide to drive the case study. The organization previously applied 12 countermeasures. As a result of the application of CRTT, however, six additional countermeasures were identified. Therefore, the organization considered that CRTT was a valuable resource to help organizations select and implement appropriate countermeasures based on their specific cybersecurity needs and decided to continue to apply the CRTT as part of a pilot program. Read More

Related posts:

Default ThumbnailWhat is a risk map (risk heat map)? Default ThumbnailFalse positives: Mitigating concerns from cybersecurity-minded users Default ThumbnailEffect of traffic-calming countermeasures on vehicle speed near a pedestrian crossing. A driving simulator study 86% of cyber professionals cite unknown cyber risks as a top concern Default ThumbnailGovernment faces claims of serious security and data protection problems in One Login digital ID Default ThumbnailAssessing the pros and cons of AI for cybersecurity