Survey and Guidelines about Learning Cyber Security Risk Assessment

Christophe Ponsard, Philippe Massonet, Survey and Guidelines about Learning Cyber Security Risk Assessment, 8th International Conference on Information Systems Security and Privacy, online, Feb 9-11 2022

Risk assessment is a key part of all cyber security frameworks, standards and related certification schemes. It is a complex process involving both the business domain, to assess impact, and the technical domain, to measure feasibility. It requires producing a realistic risk matrix based on qualitative information and then deciding on measures aligned with relevant standards. Gaining experience in this area is a difficult learning process with many possible pitfalls. In this paper, we report our lessons learned from a controlled experiment of 26 risk analyses across different domains, including some operators of essential services. We also provide some methodological recommendations for efficient tool support, including model-based approaches.