Automatic Cybersecurity Risk Analysis

Since the management of technology has become central to the operations of organizations worldwide, digital assets have also emerged as critical weak points, making it essential for companies to assess cyber threat levels to prevent security breaches and meet requirements from insurers and regulatory bodies. The evaluation of cyber risks, however, is time-consuming, resource-intensive, and requires skilled personnel, comprehensive data gathering and rigorous analysis. Building upon RiskMan, an expert system for automatic assessment of organization cyber-risk, based on open-source tools and publicly available data, this thesis aims to expand the framework through the evaluation and subsequent integration of additional tools, enhancing the process through the use of AI. The research involves a comprehensive analysis of open-source cybersecurity tools, with particular attention paid to the inputs required and the resulting outputs, followed by the selection of the tool that best suits integration in the existing framework. Additionally, large language models are investigated and incorporated into the workflow, aiming to remove the necessity for human expertise while achieving equally good risk estimations. Finally, the enhanced expert system is evaluated in comparison to the previous version to analyze differences in the produced risk scores. The resulting framework minimizes the need for expert intervention and provides a more adaptable, intelligent approach to cyber risk management, accessible to organizations with limited budgets and personnel. Through these developments, this research presents a robust, automated solution for cyber risk assessment that brings sophisticated risk management capabilities within reach for a wider range of organizations.