Towards Integrated Quantitative Security and Safety Risk Assessment

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2019)

Abstract

Although multiple approaches for combining safety and security analysis exist, some major gaps remain to be overcome before they can be used for combined risk management. This paper presents the existing gaps, based on an overview of available methods, followed by a proposal towards a solution that achieves coordinated risk management by applying a quantitative security risk assessment methodology. This methodology extends established safety and security risk analysis methods with an integrated model that denotes the relationship between adversary and victim, including the capabilities and infrastructure used. The model is used to estimate resistance strength and threat capabilities in order to determine attack probabilities and security risks.

Correspondence to Jürgen Dobaj.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Dobaj, J., Schmittner, C., Krisper, M., Macher, G. (2019). Towards Integrated Quantitative Security and Safety Risk Assessment. In: Romanovsky, A., Troubitsyna, E., Gashi, I., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2019. Lecture Notes in Computer Science, vol 11699. Springer, Cham. https://doi.org/10.1007/978-3-030-26250-1_8

  • DOI: https://doi.org/10.1007/978-3-030-26250-1_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-26249-5

  • Online ISBN: 978-3-030-26250-1

  • eBook Packages: Computer Science (R0)
