Abstract

Cybersecurity incidents represent a serious danger for companies. The number of cyber crimes is growing exponentially in a scenario where the global COVID-19 pandemic created several conditions that have negatively affected companies' cybersecurity posture. The adoption of risk management processes can help reduce security threats and mitigate both financial and reputational losses. In computer systems, it is crucial to relate security risks to the system infrastructure, and Bayesian attack graph models can help reach this goal. The approach is very effective, as it allows one to define the attack paths an attacker would follow against a specific network infrastructure; in this way, it is possible to construct a faithful representation of a company's security risks that cannot be obtained with other approaches. Still, Bayesian risk management approaches are usually based on advanced threats, namely threats related to vulnerabilities that can only be exploited by a skilled attacker. Although several works enrich the expressiveness of the proposed Bayesian model, current proposals do not provide insights into how security control costs, asset values, and threat probabilities can be estimated for other types of threats. Furthermore, they do not take insider threats into consideration. This work shows that a risk management framework based on Bayesian Attack Graphs can be adapted to include a variety of threats, including those related to insiders. We first extend an interesting work based on Bayesian Decision Networks to cover a broader range of threats. Then, we formalize several concepts, such as security control coverage and risk strategy, and show that our model can easily integrate insider threats when specific properties are defined. Finally, in order to address insider threats, we enrich the model with security controls that differ from the standard ones, such as technical IT training sessions and employee satisfaction surveys.
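To make the abstract's ideas concrete, the following is an added, self-contained example (not code from the paper or its authors) of a toy Bayesian attack graph with an insider node alongside an external attacker. The network, the exploit probabilities, the asset value and the three security controls with their costs and coverage factors are all constructed for illustration. Compromise probabilities are propagated with a noisy-OR rule under the simplifying assumption that parent nodes are independent; expected loss is probability times asset value, and a control's net benefit is the expected-loss reduction minus its cost.

```python
"""Toy Bayesian attack graph (BAG) risk model: added illustrative example."""
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed example network (not from the paper). Nodes are listed in
# topological order. Each node maps to a list of (parent, p_exploit) pairs:
# the probability that an attacker who already holds `parent` reaches this
# node. Root nodes (empty parent list) are threat sources assumed present,
# which is how the insider threat enters the graph without a perimeter edge.
ATTACK_GRAPH: Dict[str, List[Tuple[str, float]]] = {
    "external_attacker": [],
    "insider": [],
    "phishing_foothold": [("external_attacker", 0.5)],
    "internal_network": [("phishing_foothold", 0.8), ("insider", 0.3)],
    "customer_db": [("internal_network", 0.4)],
}

# Constructed asset value (monetary loss if the node is compromised).
ASSET_VALUES = {"customer_db": 1_000_000.0}

# Constructed security controls: (cost, {edge: coverage}). A coverage of 0.6
# means the control removes 60% of that edge's exploit probability.
CONTROLS = {
    "email_filtering": (50_000.0, {("external_attacker", "phishing_foothold"): 0.6}),
    "insider_awareness_training": (20_000.0, {("insider", "internal_network"): 0.5}),
    "db_hardening": (80_000.0, {("internal_network", "customer_db"): 0.5}),
}


def compromise_probabilities(graph, controls, applied):
    """Propagate compromise probability through the graph (noisy-OR).

    A node with parents is compromised if any parent is compromised and the
    corresponding exploit succeeds. Parents are assumed independent, which is
    a simplification that holds for tree-like attack graphs.
    """
    probs = {}
    for node, parents in graph.items():
        if not parents:
            probs[node] = 1.0  # threat source assumed present
            continue
        p_safe = 1.0
        for parent, p_edge in parents:
            for name in applied:  # apply every control covering this edge
                coverage = controls[name][1].get((parent, node), 0.0)
                p_edge *= 1.0 - coverage
            p_safe *= 1.0 - probs[parent] * p_edge
        probs[node] = 1.0 - p_safe
    return probs


def expected_loss(graph, controls, asset_values, applied=()):
    """Expected monetary loss: sum over assets of P(compromise) * value."""
    probs = compromise_probabilities(graph, controls, applied)
    return sum(probs[n] * v for n, v in asset_values.items())


def net_benefit(graph, controls, asset_values, applied):
    """Expected-loss reduction obtained by `applied`, minus their total cost."""
    base = expected_loss(graph, controls, asset_values)
    reduced = expected_loss(graph, controls, asset_values, applied)
    cost = sum(controls[c][0] for c in applied)
    return (base - reduced) - cost


def best_control_set(graph, controls, asset_values, budget):
    """Exhaustively pick the control subset within budget with the highest net benefit."""
    best, best_value = (), 0.0
    names = sorted(controls)
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            if sum(controls[c][0] for c in subset) > budget:
                continue
            value = net_benefit(graph, controls, asset_values, subset)
            if value > best_value:
                best, best_value = subset, value
    return best, best_value


if __name__ == "__main__":
    print("baseline:", compromise_probabilities(ATTACK_GRAPH, CONTROLS, ()))
    print("baseline expected loss:", expected_loss(ATTACK_GRAPH, CONTROLS, ASSET_VALUES))
    for name in CONTROLS:
        print(name, "net benefit:", net_benefit(ATTACK_GRAPH, CONTROLS, ASSET_VALUES, (name,)))
    print("best within 100k budget:", best_control_set(ATTACK_GRAPH, CONTROLS, ASSET_VALUES, 100_000.0))
```

With these constructed numbers the baseline probability of reaching the database is 0.232, and the cheapest pair of controls (email filtering plus insider awareness training) beats any single control within a 100,000 budget because it cuts both the external and the insider path into the internal network. Changing the coverage factor of a control, or adding a second insider edge, shows directly how the abstract's notions of control coverage and insider-specific controls change the risk strategy.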
