Methods for the Total Risk Assessment of Cybersecurity of Critical Infrastructure Facilities

Abstract

The paper presents the analysis of national and foreign literature on the methods of cybersecurity risk assessment including critical infrastructure facilities. It is stated that cybersecurity and risk assessment are an important issue of critical infrastructure facilities. The paper proposes graphical and analytical methods for assessing the total cybersecurity risk of I&C systems including critical infrastructure facilities. These total risk assessment methods are based on determining the maximum values of consequences for each risk. It is shown that the maximum values of cyber threat effects can be determined by expert means, as the maximum losses that can be caused to the company assets. The proposed methods make it possible to determine the total cybersecurity risk of critical infrastructure, the total losses due to multiple cyber threats, the total losses due to a single cyber threat for a certain period of time, the likelihood of maximum losses due to multiple cyber threats. There are the advantages of these methods for assessing total risk. Based on the proposed methods, it is possible to develop a methodology for assessing the cybersecurity risks of I&C systems including critical infrastructure facilities, and build decision support systems for the application of risk reduction measures. The economic feasibility of applying these or other risk treatment measures, both organizational and technical, is defined by evaluating the cost of such measures with the maximum amount of losses due to the total risk.