Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Building a Cybersecurity Risk Metamodel for Improved Method and Tool Integration

Christophe Ponsard

TL;DR

This paper reports on the experience in applying a model-driven approach on the initial risk analysis step in connection with a later security testing, using a common metamodel which is used to map, synchronise and ensure information traceability across different tools.

Abstract

Nowadays, companies are highly exposed to cyber security threats. In many industrial domains, protective measures are being deployed and actively supported by standards. However the global process remains largely dependent on document driven approach or partial modelling which impacts both the efficiency and effectiveness of the cybersecurity process from the risk analysis step. In this paper, we report on our experience in applying a model-driven approach on the initial risk analysis step in connection with a later security testing. Our work rely on a common metamodel which is used to map, synchronise and ensure information traceability across different tools. We validate our approach using different scenarios relying domain modelling, system modelling, risk assessment and security testing tools.

Building a Cybersecurity Risk Metamodel for Improved Method and Tool Integration

TL;DR

This paper reports on the experience in applying a model-driven approach on the initial risk analysis step in connection with a later security testing, using a common metamodel which is used to map, synchronise and ensure information traceability across different tools.

Abstract

Nowadays, companies are highly exposed to cyber security threats. In many industrial domains, protective measures are being deployed and actively supported by standards. However the global process remains largely dependent on document driven approach or partial modelling which impacts both the efficiency and effectiveness of the cybersecurity process from the risk analysis step. In this paper, we report on our experience in applying a model-driven approach on the initial risk analysis step in connection with a later security testing. Our work rely on a common metamodel which is used to map, synchronise and ensure information traceability across different tools. We validate our approach using different scenarios relying domain modelling, system modelling, risk assessment and security testing tools.
Paper Structure (16 sections, 12 figures)

This paper contains 16 sections, 12 figures.

Table of Contents

  1. INTRODUCTION
  2. SURVEY OF RISK METAMODELS
  3. Generic Risk Model
  4. Simple ISO27K Cybersecurity Risk Model
  5. EBIOS Risk Model
  6. IEC/ISA 62443 Conduits
  7. Risk Model for Security Engineering
  8. Risk Model for Safety-Security Co-Engineering
  9. CONSOLIDATED CONCEPTUAL RISK MODEL
  10. VALIDATION
  11. piStar Strategic Tool
  12. MONARC Risk Assessment Tool
  13. Capella Tool
  14. CYRUS
  15. DISCUSSION
  16. ...and 1 more sections

Figures (12)

  • Figure 1: Cost-Risk Model from Chouba18
  • Figure 2: Simple Risk Model for ISO27K from Milicevic10
  • Figure 3: EBIOS Risk Model Akoka18
  • Figure 4: Conceptual modelling of zones and conduits in ISO 62443
  • Figure 5: Risk metamodel for security engineering from Faily19
  • ...and 7 more figures