Affiliation:
1. Department of Computer Science, International Hellenic University, 654 04 Kavala, Greece
Abstract
Traditional information security risk assessment (RA) methodologies and standards, adopted by information security management systems and frameworks as a cornerstone of robust environments, face many difficulties in modern environments where the threat landscape changes rapidly and new vulnerabilities are discovered continuously. To overcome this problem, dynamic risk assessment (DRA) models have been proposed to continuously assess risks to organisational operations in (near) real time. The aim of this work is to analyse the current state of DRA models that have been proposed for cybersecurity through a systematic literature review. The screening process led us to study 50 DRA models, categorised according to the primary analysis method each uses. The study provides insights into the key characteristics of these models, including their maturity level, the domains or application areas in which they are most often applied, and the information they utilise in order to produce results. On this basis, the work answers critical research questions regarding the development of dynamic risk assessment methodologies, summarises the methods developed so far, and identifies directions for future research.
Subject
Computer Networks and Communications