
A Cybersecurity Risk Analysis Framework for Systems with Artificial Intelligence Components

Jose Manuel Camacho, Aitor Couce-Vieira, David Arroyo, David Rios Insua

TL;DR

This work presents a quantitative cybersecurity risk analysis framework tailored for AI-enabled systems, motivated by regulatory initiatives such as the EU AI Act and the NIST AI RMF. It combines an attacker-transit model over a block-structured cyber-organization with a Monte Carlo risk pipeline to estimate probabilities and losses, enabling VaR and CVaR risk measures. The framework maps AI trustworthiness concepts (accuracy, reliability, safety, explainability, privacy, fairness) to cybersecurity objectives and supports risk management through optimal mitigation portfolios, including AI-based defenses and cyber insurance. A detailed automated driving system (ADS) case study demonstrates problem framing, threat modeling, defense options, and risk-optimization results, illustrating the framework’s practicality and potential for certification-like assessment and security-by-design integration.

Abstract

The introduction of the European Union Artificial Intelligence Act, the NIST Artificial Intelligence Risk Management Framework, and related norms demands a better understanding and implementation of novel risk analysis approaches to evaluate systems with Artificial Intelligence components. This paper provides a cybersecurity risk analysis framework that can help assess such systems. We use an illustrative example concerning automated driving systems.

Paper Structure

This paper contains 65 sections, 16 equations, 6 figures, 18 tables, 6 algorithms.

Figures (6)

  • Figure 1: Main components in a cybersecurity risk management framework. Black arrows indicate AI-affected elements. Adapted from rios2021adversarial.
  • Figure 2: Cybersecurity objectives (CSO) tree in CV20. Dashed box, monetary objective; solid line box, non-monetary.
  • Figure 3: Cyber organization structured according to 6 blocks in three levels.
  • Figure 4: Security evaluation curve of a deep network for MNIST data under four defense mechanisms (NONE, AT, ALP, ARA) against FGSM attack. From gallego.
  • Figure 5: ADS architecture. Three blocks and two levels.