Cyber Value At Risk Model for IoT Ecosystems

TL;DR

The paper addresses the challenge of quantifying cybersecurity risk in IoT ecosystems by extending Cyber Value-at-Risk (Cy-VaR) to a layered IoT framework. It introduces a scenario-based, layer-aware Cy-VaR formulation, with per-layer losses $L_{ij}$ and probabilities $P_{ij}$, yielding $CyVaR_{ij}=P_{ij}L_{ij}$ and a total risk $Total\ CyVaR=\sum_{j}\sum_{i}CyVaR_{ij}$. By applying these measures to perception, network, and application layers, the work enables more precise prioritization of security investments and risk mitigation. The discussion points to practical extensions, such as Monte Carlo simulations and agent-based modeling, to capture uncertainty and dynamic interactions, thereby enhancing IoT cybersecurity resilience and decision-making for CIOs and stakeholders.

Abstract

The Internet of Things (IoT) presents unique cybersecurity challenges due to its interconnected nature and diverse application domains. This paper explores the application of Cyber Value-at-Risk (Cy-VaR) models to assess and mitigate cybersecurity risks in IoT environments. Cy-VaR, rooted in Value at Risk principles, provides a framework to quantify the potential financial impacts of cybersecurity incidents. Initially developed to evaluate overall risk exposure across scenarios, our approach extends Cy-VaR to consider specific IoT layers: perception, network, and application. Each layer encompasses distinct functionalities and vulnerabilities, from sensor data acquisition (perception layer) to secure data transmission (network layer) and application-specific services (application layer). By calculating Cy- VaR for each layer and scenario, organizations can prioritize security investments effectively. This paper discusses methodologies and models, including scenario-based Cy-VaR and layer-specific risk assessments, emphasizing their application in enhancing IoT cybersecurity resilience.