
Nicolo' Gallo
Considering Security Measures Mitigations in Automatic Cyber Risk Assessment.
Supervisors: Alessandro Savino, Nicolò Maunero. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2025
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:
Over the past few decades, we have witnessed how the world around us has become increasingly digitalized. Technology deeply pervades our lives, causing an ever greater dependence on it. However, the evolution of cybersecurity has not been as fast, creating a gap that can be exploited by malicious actors and, therefore, increasing the possibility of attacks occurring and the severity of their consequences. In this context, risk assessment has become increasingly important over time and attempts to automate it are becoming more and more common. However, these solutions often overlook how the implemented security measures influence the outcome of the process, focusing mainly on identifying vulnerabilities or threats. This thesis aims to make risk assessment operations simpler and faster for a cybersecurity expert by automating them, thus eliminating all those manual activities that did not allow the workflow to be more dynamic and quick to adapt to change. For this purpose, Pyra, an existing tool used to conduct the risk assessment of a network infrastructure, was extended by adding the information needed to model the implemented security mechanisms. The proposed solution takes as input the ontology model of the target ICT infrastructure that is to be analyzed and extends it with the necessary information on vulnerabilities and risks related to the assets. As output, a report is produced that, while evaluating identified risk values, takes into consideration implemented cybersecurity mechanisms and how these may mitigate the risk. This approach is fundamental in presenting effective results for risk management prioritization by the organization.
The proposed solution, in particular, follows two different workflows to populate the ontology with the risks associated with each resource: on the one hand, threat modeling is automated by resorting to SWRL rules and ontology reasoners, and on the other hand, information on known vulnerabilities and weaknesses is identified and associated with the corresponding threats. This double approach allows us to have a more detailed view of the risks; first, risks are associated with identified vulnerabilities, while SWRL rules for threat modeling aim at filling those gaps that may arise from considering only vulnerabilities, and at reducing false negatives. It then uses the information on the security mechanisms connected to the various infrastructure assets to obtain, with a linear combination of the various information, a score that considers not only the probability and impact of the risk, but also how much that specific countermeasure mitigates the score. The advantages of this approach are, first, supporting the activities of cybersecurity experts through automation and reducing possible personal bias during the analysis, while at the same time providing a solution easily adaptable to various contexts and needs. In fact, given the necessary inputs, the analysis of information and inference of results are automatically calculated, so the solution is suitable for being adapted as needed. Pyra is certainly a first step on the road to the automation of risk assessment, after which other studies and expansions will be necessary for it to be considered effective, but at the same time it lays the first foundations for exploring an approach that in the literature can be considered truly innovative.
Supervisors: Alessandro Savino, Nicolò Maunero
Academic year: 2024/25
Publication type: Electronic
Number of pages: 71
Degree programme: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/35306