Threat-occurrence predictive models to improve information security risk analysis

The information and communication technologies are essential resources for organizations nowadays, and, with vast amounts of information circulating every day, protection becomes a priority.

Various methodologies of information security risk analysis study and evaluate the security measures used to protect data. Traditional methods base their risk calculations on historical data, using threat- occurrence frequency as one of the input parameters. However, the potential vulnerability changes as new safeguards are implemented. Hence, an interesting approach would be to explore the use of predictive algorithms to estimate threats’ frequency to focus on future events rather than review the previous one.

The authors of this article propose to include a threat-occurrence predictive module in the risk analysis process, taking into account the current state of vulnerabilities affecting the system.

The authors also set to include a prediction component in an information risk analysis methodology, MAGERIT, which was developed by the Spanish government. Magerit computes two types of risk: potential risk and residual risk. The potential risk is a theoretical risk that applies to situations in which there are no safeguards, whereas residual risk is the risk after the implementation of safeguards.

The researchers performed a risk analysis using the MAGERIT methodology in a Spanish SME. To assess the assets threats and vulnerabilities, the authors first conducted interviews with the systems administrators and managers of the SME. They also created a database containing historical data on risks. With the information gathered, the researchers were able to determine which vulnerabilities and threats affected each asset and to extract the set of vulnerabilities.

By using the MAGERIT methodology with a predictive component, the result showed that the risk for all the critical assets changed, increasing for some and decreasing for others. As such, the calculated risk responds to a more updated scenario.

Predicting threat occurrence probabilities instead of using historical data ensures a better knowledge of the system and helps organizations focusing on the most dangerous threats in order to implement better targeted and more adequate safeguards.



To cite: Figueira, P. T., Bravo, C. L and Rivas Lopez, J. L. (2020). Improving information security risk analysis by including threat-occurrence predictive models. Computers & Security, 88, 1-10.