Difference between revisions of "Journal:Automated cyber and privacy risk management toolkit"

===Privacy risk assessment===
The use of a privacy impact assessment (PIA) is considered part of a systematic risk management approach which aims towards an evaluation of potential effects that systems may have on privacy<ref name=":3">{{Cite journal |last=Clarke, R. |date=2009-01-01 |title=Privacy impact assessment: Its origins and development |url=https://www.sciencedirect.com/science/article/abs/pii/S0267364909000302 |journal=Computer Law & Security Review |language=en |volume=25 |issue=2 |pages=123–135 |doi=10.1016/j.clsr.2009.02.002 |issn=0267-3649}}</ref> and fostering trust by implementing the privacy-by-design principle.<ref name=":4">{{Cite journal |last=Oetzel |first=Marie Caroline |last2=Spiekermann |first2=Sarah |date=2014-03-01 |title=A systematic methodology for privacy impact assessments: a design science approach |url=https://doi.org/10.1057/ejis.2013.18 |journal=European Journal of Information Systems |volume=23 |issue=2 |pages=126–150 |doi=10.1057/ejis.2013.18 |issn=0960-085X}}</ref> Several standardization bodies and data protection authorities have established legal frameworks and guidelines which mandate conducting a PIA, among them the GDPR.<ref name=":2">{{Cite web |title=General Data Protection Regulation (GDPR) |url=https://gdpr-info.eu/ |publisher=Intersoft Consulting |accessdate=08 June 2021}}</ref> However, even though the initial notion of a PIA method dates back to 2009<ref name=":3" />, and several published frameworks and guidelines set the principles for conducting a privacy impact assessment, PIA remains a challenging and difficult process due to the multiple aspects that an assessor needs to consider.<ref name=":5">{{Cite journal |last=Vemou, K.; Karyda, M. |year=2018 |title=An Evaluation Framework for Privacy Impact Assessment Methods |url=https://aisel.aisnet.org/mcis2018/5/ |journal=MCIS 2018 Proceedings |at=5}}</ref> According to GDPR, where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Nevertheless, PIA shall be an on-going process, regularly applied to personal data processing for identifying and mitigating risks in a more dynamic manner.<ref>{{Cite journal |last=Papamartzivanos |first=Dimitrios |last2=Menesidou |first2=Sofia Anna |last3=Gouvas |first3=Panagiotis |last4=Giannetsos |first4=Thanassis |date=2021/2 |title=A Perfect Match: Converging and Automating Privacy and Security Impact Assessment On-the-Fly |url=https://www.mdpi.com/1999-5903/13/2/30 |journal=Future Internet |language=en |volume=13 |issue=2 |pages=30 |doi=10.3390/fi13020030}}</ref>
Privacy data protection standards (e.g., BS 10012:2017<ref>{{Cite web |last=British Standards Institution |title=BS 10012 Personal Information Management System |url=https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/ |publisher=British Standards Institution |accessdate=12 July 2021}}</ref>, ISO/IEC 29151:2017<ref>{{Cite web |last=International Organization for Standardization |date=August 2017 |title=ISO/IEC 29151:2017 Information technology — Security techniques — Code of practice for personally identifiable information protection |url=https://www.iso.org/standard/62726.html |publisher=International Organization for Standardization |accessdate=12 July 2021}}</ref>, and ISO/IEC 27018:2014<ref>{{Cite web |last=International Organization for Standardization |date=August 2014 |title=ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors |url=https://www.iso.org/standard/61498.html |publisher=International Organization for Standardization |accessdate=12 July 2021}}</ref>) can be found in the literature focusing on PIA as a requirement in the execution of cybersecurity risk assessments.
PIA and cybersecurity risk assessments are, however, treated as two different and uncorrelated processes<ref name=":4" /><ref name=":6">{{Cite journal |last=Wei |first=Yu-Chih |last2=Wu |first2=Wei-Chen |last3=Lai |first3=Gu-Hsin |last4=Chu |first4=Ya-Chi |date=2018-04-23 |title=pISRA: privacy considered information security risk assessment model |url=https://doi.org/10.1007/s11227-018-2371-0 |journal=The Journal of Supercomputing |language=en |volume=76 |issue=3 |pages=1468–1481 |doi=10.1007/s11227-018-2371-0 |issn=0920-8542}}</ref>, with a clear gap in automated tools, methods, and models that implement PIA.<ref name=":5" /> Even though standards (e.g., ISO/IEC 29134:2017<ref>{{Cite web |last=International Organization for Standardization |date=June 2017 |title=ISO/IEC 29134:2017 Information technology — Security techniques — Guidelines for privacy impact assessment |url=https://www.iso.org/standard/62289.html |publisher=International Organization for Standardization |accessdate=12 July 2021}}</ref>) provide details and guidance to conduct privacy impact assessments, they are very generic and provide high-level information that in some cases is insufficient to perform an appropriate privacy risk assessment.<ref name=":6" /> Although the literature provides a wide variety of privacy metrics, they mainly consider properties of privacy-enhancing technologies, such as the amount of sensitive information leaked or the number of indistinguishable users, instead of the privacy impact.<ref>{{Cite journal |last=Wagner |first=Isabel |last2=Eckhoff |first2=David |date=2018-06-12 |title=Technical Privacy Metrics: A Systematic Survey |url=https://doi.org/10.1145/3168389 |journal=ACM Computing Surveys |volume=51 |issue=3 |pages=57:1–57:38 |doi=10.1145/3168389 |issn=0360-0300}}</ref> Recently, the NIST proposed a privacy framework in the form of solid documentation and a practical tool to manage the privacy risks of an organization by prioritizing privacy protection activities through enterprise risk management.[9] The NIST also developed the Privacy Risk Assessment Methodology (PRAM), which applies the risk model from NISTIR 8062<ref name="NIST8062">{{cite web |url=https://www.nist.gov/privacy-framework/nistir-8062 |title=NISTIR 8062 |author=National Institute of Standards and Technology |publisher=National Institute of Standards and Technology |date=16 January 2020 |accessdate=07 July 2021}}</ref> and helps organizations analyze, assess, and prioritize privacy risks.<ref>{{Cite web |last=National Institute of Standards and Technology |date=16 January 2020 |title=NIST PRAM |url=https://www.nist.gov/privacy-framework/nist-pram |publisher=National Institute of Standards and Technology |accessdate=29 March 2021}}</ref>
In addition, several national regulators have published guidelines for a data protection impact assessment (DPIA), including the French Commission for Informatics and Freedom (CNIL)<ref>{{Cite web |last=Commission nationale de l'informatique et des libertés |date=February 2018 |title=Privacy Impact Assessment (PIA) Methodology |url=https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-1-en-methodology.pdf |format=PDF |publisher=Commission nationale de l'informatique et des libertés |accessdate=08 November 2020}}</ref> and the British Information Commissioner’s Office (ICO).<ref>{{Cite web |last=Information Commissioner's Office |title=Data protection impact assessments |url=https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/ |publisher=Information Commissioner's Office |accessdate=08 November 2020}}</ref> Such guidance has been updated to address GDPR’s DPIAs and to provide detailed guidelines about their regulatory requirements and processes. These guidelines follow different approaches and propose diverse steps for conducting PIA. Thus, the adoption of a single methodology becomes a difficult task for an organization, and organizing a PIA project becomes a maze-like process. [33] While there are differences in the aforementioned approaches, they are equally suitable for conducting a DPIA and produce largely similar results.
ENISA’s on-line tool [44], which consists of six steps for the calculation of the privacy risk, is one of the available PIA tools. The assessment of risks is the first step towards the adoption of appropriate security measures for the protection of personal data. Furthermore, CNIL’s PIA tool [42] is aimed at data controllers that are already familiar with the PIA process. This tool lacks automation in terms of ICT asset inventory and detection of threats or vulnerabilities that can affect privacy, which could increase the awareness of the risk assessor, while the resulting risk levels do not consider the cybersecurity status of the organization. The GDPR DPIA Tool (DPIA Tool) [45] is a web-based tool for assisting organizations to evaluate data protection risks with respect to GDPR. The tool was developed to support the implementation of DPIA and provides a structured, risk-oriented approach to the identification and assessment of potential data protection risks. The structure of the DPIA Tool is based on a questionnaire and thus it offers rather limited automation of the assessment of processing activities on personal data within the organization. Last, the Compliance-Kit 2.0 tool [46] follows the British standard BS 10012, GDPR, and ISO 29100, and it is based on the legal obligation to comply with the requirements of GDPR and management’s strategic decisions to implement these regulations, with the goal of establishing, maintaining, and developing practical and process-oriented data protection management.
In addition to the aforementioned regulatory efforts, academic research has also proposed improvements to DPIA processes. These efforts include making the DPIA process more systematic and structured by proposing formal modelling techniques for privacy threats.[38] Manna ''et al.'' [47], for example, proposed a comprehensive methodology for identifying data privacy risks and quantifying them, where the risk values are computed at different levels to help both senior management and operational personnel in assessing and mitigating privacy risks. Wei ''et al.'' [38] proposed a systematic privacy-considered information security risk assessment (pISRA) model, which can take both a privacy impact analysis and a risk assessment into consideration. Finally, Henriksen-Bulmer ''et al.'' presented an empirically evaluated privacy risk assessment framework based on contextual integrity—the DPIA Data Wheel—that practitioners can use to inform decision making around the privacy risks of cyber-physical systems (CPS). However, most of these research efforts do not implement their proposed method/model.
Revision as of 17:02, 5 October 2021

Full article title: Automated cyber and privacy risk management toolkit
Journal: Sensors
Author(s): Gonzalez-Granadillo, Gustavo; Menesidou, Sofia A.; Papamartzivanos, Dimitrios; Romeu, Roman; Navarro-Llobet, Diana; Okoh, Caxton; Nifakos, Sokratis; Xenakis, Christos; Panaousis, Emmanouil
Author affiliation(s): Atos Spain, UBITECH Ltd., Fundació Privada Hospital Asil de Granollers, University of Greenwich, Karolinska Institutet Department of Learning, Informatics, Management and Ethics, University of Piraeus
Primary contact: Email: gustavo dot gonzalez at atos dot net
Editors: Mylonas, Alexios; Pitropakis, Nikolaos
Year published: 2021
Volume and issue: 21(16)
Article #: 5493
DOI: 10.3390/s21165493
ISSN: 1424-8220
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.mdpi.com/1424-8220/21/16/5493/htm
Download: https://www.mdpi.com/1424-8220/21/16/5493/pdf (PDF)

Abstract

Addressing cyber and privacy risks has never been more critical for organizations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a privacy impact assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and personally identifiable information (PII) that may occur during the dynamic lifecycle of systems.

In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner, but it also offers decision-support capabilities to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organization, as a reference sector that faces critical cyber and privacy threats.

Keywords: toolkit, cybersecurity, privacy, risk assessment, risk control, healthcare

Introduction

Cyber risk management has traditionally been a fundamental challenge of every organization that seeks ways to protect its assets against cyber threats.[1] This typically involves the use of cybersecurity countermeasures (technical, operational, and physical) to prevent, detect, and respond to cyber attacks, thereby preventing the exploitation of the organization. Technical controls can be anything from “inventory and control of hardware assets” to “penetration tests and red team exercises,” according to the Center for Internet Security (CIS) Controls.[2] Operational controls refer to standards, policies, and frameworks adopted by the organization, while physical security measures can prevent physical access to the cyber infrastructure.

In most cases, implementing all controls is neither possible nor required, although some controls are necessary for an organization to operate. For example, corporate cybersecurity strategies dictate the need for aligning with information security frameworks such as the International Organization for Standardization's ISO 27001 and 27002 standards.[3] Regarding the different types of organizations, the National Institute of Standards and Technology (NIST) has published the Framework for Improving Critical Infrastructure Cybersecurity, stating that different organizations exhibit different cyber risks due to their different security requirements and infrastructures to be protected. For instance, financial and healthcare organizations have regulatory requirements to satisfy, while the latter also have to protect human lives.[4]

Our work is motivated by the need to undertake cyber risk management in the healthcare domain. Nevertheless, cyber risk management methodologies and tools are generally applicable to a variety of industries, with the underlying models and system components largely remaining the same. Our choice was initially motivated by the criticality of this domain, determined by the cyber-physical impact inflicted by cyber risks, as human lives can be at risk following a cyber incident. In the 2020 Data Breach Investigations Report, published by Verizon, healthcare is listed as the industry with the majority of data breaches.[5]

Last year, the same report indicated that healthcare stands out because 59% of breaches are associated with internal actors, and 81% of the incidents within healthcare correspond to miscellaneous errors, privilege misuse, and web applications. In the United States alone, healthcare organizations have reported over 170 individual ransomware attacks since 2016, affecting around 1,500 healthcare centers and over 6.5 million patients, at an estimated cost to the industry of USD $157 million.[6] This rising number of security incidents has also led to data breaches (e.g., 72% of the data breaches were medical[7]), due to the massive amount of sensitive data that is processed. The picture worsens further in the healthcare domain currently overwhelmed by the COVID-19 pandemic.[8]

The well-known WannaCry ransomware, although not targeting healthcare organizations per se, managed to massively affect the U.K.’s National Healthcare System (NHS), posing not only financial damages but also life-threatening ones, e.g., via operations which could not take place when systems went down during the attack.[8] The low security posture of many hospitals was the reason WannaCry exploited its various hosts so successfully, causing tremendous impact within a limited period of time. A state actor behind this attack is not the only source of danger to healthcare organizations, which may also be susceptible to attacks launched by anyone ranging from script kiddies through to organized crime and state actors.

Even worse, healthcare data are more valuable than many other data on the Dark Web because of their potential adversarial use, including blackmail for financial gain, selling intelligence to pharmaceutical companies, and compromising data integrity to create chaos in a country or a hospital, such as the recent incident at Valley Hospital, in California, which was hit by a ransomware attack on October 11, 2020. The case of WannaCry clearly demonstrated that U.K. hospitals had not invested in cybersecurity controls, while post-incident analysis shows that 65 NHS Trusts spent 612 million pounds on IT two years after the attack took place[9], which corresponds to a 33% budget increase compared to the year preceding the incident.

While everything shows that cybersecurity has been more of an afterthought for healthcare organizations than, for instance, for the banking industry, it is also clear that due to the General Data Protection Regulation (GDPR)[10], hospitals are obliged to report incidents or breaches in data processing. Furthermore, enabling traceability in these domains serves the purpose of demonstrating accountability, which has recently been studied extensively as part of the literature on blockchain.

Traditionally, information privacy and cybersecurity have been treated as distinct concepts. Even though managing cybersecurity risk contributes to managing privacy risk, it is not sufficient, since privacy risks can also arise by other means unrelated to cybersecurity incidents[11], while loss of personal data does not equate to a loss of privacy. In data terms, privacy is violated if and only if the data are used in a manner that actually violates the data subject’s fundamental right to privacy. However, as the number of privacy and data protection regulations increases, the overlap between privacy and cybersecurity increases.

Organizations spend valuable resources duplicating efforts to mitigate the consequences of privacy and cybersecurity attacks, with both efforts competing for the same budgets. This raises the major challenge of deciding how to spend a proportion of the organization’s IT budget on countermeasures that mitigate cyber and privacy risks. It has given rise to a fairly rich literature on cyber investments that seeks the best way to select a portfolio of countermeasures given predefined financial limitations.[12] Within the same domain, researchers are also investigating the role of the indirect costs of these countermeasures in the selection process, how countermeasures interact with each other, and what the minimal set of countermeasures is that achieves a desirable level of overall risk.

Our work on risk assessment and control has led to the development of an innovative toolkit called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit). Although AMBIENT was designed around end-user requirements elicited from healthcare professionals, its functionality can inevitably be used in other domains. Nevertheless, AMBIENT’s knowledge bases (e.g., vulnerabilities) and the values of the parameters used during risk assessment (e.g., probabilities of attack occurrence) are drawn from the healthcare domain, as published in industry reports such as the Verizon 2021 Data Breach Investigations Report.

Our motivation for creating AMBIENT was the lack of automated software that not only conducts cyber risk assessment in the traditional way, but also takes the GDPR and healthcare processes into consideration, and then addresses the fundamental challenge of investing a financial budget in the most effective combination of cybersecurity controls. The automated nature of a cyber risk management tool is critical, because it saves time and resources for an organization that would otherwise either outsource this task or spend a significant amount of time combining the outcomes of the cyber and privacy risk assessments with a tool that suggests the best ways to mitigate the identified risks. AMBIENT is a decision support platform that performs cyber risk assessment, privacy risk assessment according to GDPR terms and requirements, proactive cyber risk control (i.e., before threats have materialized), and reactive mitigation (i.e., when signs of intrusion are present or new risks have been identified). At the same time, AMBIENT determines an optimal allocation of a financial budget to various cyber controls by adopting the weakest link model[13], the notion that a system is only as secure as its least protected component, so that spending is directed at the targets an attacker would find easiest to compromise.
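The two preceding paragraphs describe the budget problem in words: pick a portfolio of controls under a financial limit, or find the cheapest set that reaches a desired risk level, and judge the result by the weakest link. The script below is an added example of that decision procedure; it is not AMBIENT’s code and uses no data from the article. The hospital targets, the control catalogue, and all cost and effectiveness figures are constructed and hypothetical, and the search is exhaustive (exact, but exponential in the number of controls).

```python
"""Budget-constrained selection of cyber controls under the weakest-link model.

Added example, not AMBIENT's own code. Targets, controls, costs and
effectiveness values are constructed for illustration only.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Target:
    name: str
    p_compromise: float  # annual probability that an attack on it succeeds
    impact: float        # loss if compromised (e.g. EUR)

    @property
    def risk(self) -> float:
        return self.p_compromise * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    # fraction of a target's expected loss removed when the control is deployed;
    # targets not listed are unaffected
    effectiveness: Dict[str, float]


# Constructed hospital targets (hypothetical values)
TARGETS = (
    Target("PACS imaging server", 0.30, 800_000),
    Target("EHR database", 0.20, 2_000_000),
    Target("Nurse workstations", 0.50, 150_000),
)

# Constructed control catalogue (hypothetical costs and effectiveness)
CONTROLS = (
    Control("Patch management", 40_000, {"PACS imaging server": 0.6, "Nurse workstations": 0.5}),
    Control("Network segmentation", 60_000, {"PACS imaging server": 0.5, "EHR database": 0.4}),
    Control("Endpoint detection and response", 35_000, {"Nurse workstations": 0.6}),
    Control("Database access control and audit", 25_000, {"EHR database": 0.5}),
    Control("Offline backups", 30_000,
            {"PACS imaging server": 0.3, "EHR database": 0.3, "Nurse workstations": 0.3}),
)

Portfolio = Tuple[Control, ...]


def residual_risks(portfolio: Portfolio, targets: Sequence[Target] = TARGETS) -> Dict[str, float]:
    """Expected loss per target after deploying the portfolio.
    Effects of several controls on one target combine multiplicatively."""
    out: Dict[str, float] = {}
    for t in targets:
        factor = 1.0
        for c in portfolio:
            factor *= 1.0 - c.effectiveness.get(t.name, 0.0)
        out[t.name] = t.risk * factor
    return out


def weakest_link(portfolio: Portfolio) -> float:
    """Weakest-link model: a rational attacker goes for the target with the
    highest remaining expected loss, so that value is the system's risk."""
    return max(residual_risks(portfolio).values())


def cost(portfolio: Portfolio) -> float:
    return sum(c.cost for c in portfolio)


def _portfolios(controls: Sequence[Control]):
    for r in range(len(controls) + 1):
        yield from combinations(controls, r)


def best_within_budget(budget: float, controls: Sequence[Control] = CONTROLS) -> Tuple[Portfolio, float, float]:
    """Portfolio that minimises weakest-link risk without exceeding the budget.
    Ties are broken on total residual risk, then on cost.
    Returns (portfolio, weakest_link_risk, cost); the empty portfolio is always feasible."""
    best: Optional[Tuple[Tuple[float, float, float], Portfolio]] = None
    for p in _portfolios(controls):
        c = cost(p)
        if c > budget:
            continue
        risks = residual_risks(p)
        key = (max(risks.values()), sum(risks.values()), c)
        if best is None or key < best[0]:
            best = (key, p)
    assert best is not None
    return best[1], best[0][0], best[0][2]


def cheapest_for_risk(max_risk: float, controls: Sequence[Control] = CONTROLS) -> Optional[Tuple[Portfolio, float]]:
    """Minimal-cost portfolio whose weakest-link risk is at most max_risk,
    or None if the catalogue cannot reach that level."""
    feasible = [(cost(p), weakest_link(p), p) for p in _portfolios(controls) if weakest_link(p) <= max_risk]
    if not feasible:
        return None
    c, _, p = min(feasible, key=lambda x: (x[0], x[1]))
    return p, c


if __name__ == "__main__":
    print(f"No controls: weakest link = {weakest_link(()):,.0f}")
    p, risk, c = best_within_budget(100_000)
    print(f"Budget 100k: {[x.name for x in p]} -> weakest link {risk:,.0f} at cost {c:,.0f}")
    r = cheapest_for_risk(100_000)
    print(f"Risk <= 100k: {[x.name for x in r[0]]} at cost {r[1]:,.0f}")
```

With these figures the EHR database is the weakest link before any spending, and a 100k budget is best spent on segmentation plus database access control even though that leaves money unused: adding a third control would lower the total risk but not the maximum, which is what the weakest-link objective rewards. Reaching a ceiling of 100k per target requires the offline backups as well and overshoots the budget, which is the kind of trade-off the optimizer makes visible.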

AMBIENT is augmented with real-time intrusion detection capabilities so that it can derive changes in risk that are worth bringing to system administrators’ attention. Once these notifications are triggered, AMBIENT relies on a Cybersecurity Risk Assessment module and a Privacy Risk Assessment module, which take advantage of a variety of input data to perform the analysis and provide qualitative and quantitative scores that advise organizations on the risks they are exposed to and the mitigation measures they can implement to reduce their attack surface. These mitigation measures are passed to the Optimal Safeguard Recommendation module, which performs further analysis and optimization to compute a prioritized list of remediation actions, so that AMBIENT acts as a holistic decision support cybersecurity toolkit.

The remainder of this paper is structured as follows. The next section presents related work in cybersecurity and privacy risk assessment, as well as in the optimization of controls. An introduction to the AMBIENT toolkit architecture and details of its main modules follow the related work. Then the applicability of the proposed toolkit is discussed by analyzing security threats in a healthcare infrastructure, followed by a discussion of the preliminary results. The final section of the paper highlights the main advantages and limitations of our proposed toolkit, and provides conclusions as well as perspectives for future work.

Related work

Cyber risk assessment

An integral part of the risk assessment process is the selection of a risk assessment model or methodology. There is a wide variety of risk assessment models in the literature and tools available on the market. Examples of models used in quantitative risk assessments[14] include fault tree analysis[15][16], Bayesian networks[17][18], Monte Carlo simulation[19], and Markov chains.[20][21]
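To make the first two of these models concrete, the following is an added example (not from the article or from any of the cited tools) that builds a small fault tree for a hospital availability scenario, solves it exactly, extracts its minimal cut sets, and cross-checks the result by Monte Carlo simulation. The tree and every basic-event probability are constructed for illustration; the exact solver assumes independent basic events and a proper tree (no basic event feeding two gates), which the code states and the cut-set test exercises.

```python
"""Fault-tree risk analysis: exact solver, minimal cut sets and a Monte Carlo
cross-check.

Added example, not from the original article or any cited tool. The tree and
basic-event probabilities are constructed for illustration only.
"""
import random
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple, Union


@dataclass(frozen=True)
class Basic:
    name: str
    p: float  # probability the event occurs within the analysis period


@dataclass(frozen=True)
class Gate:
    kind: str                 # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Basic, Gate]

# Constructed tree: top event "EHR unavailable for more than 24 hours".
# Each basic event appears exactly once, so the branches are independent.
RANSOMWARE = Gate("AND", (
    Basic("phishing_mail_opened", 0.30),
    Basic("unpatched_endpoint", 0.40),
    Basic("backups_reachable_by_malware", 0.10),
))
HARDWARE = Gate("AND", (
    Basic("san_failure", 0.02),
    Basic("dr_site_unavailable", 0.05),
))
TOP = Gate("OR", (RANSOMWARE, HARDWARE))


def probability(node: Node) -> float:
    """Exact top-event probability for independent basic events, valid only
    when no basic event feeds more than one gate (a tree, not a DAG)."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate {node.kind}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Smallest combinations of basic events that trigger the top event."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    children = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        cuts = set().union(*children)
    else:  # AND: take one cut set from every input and merge them
        cuts = {frozenset()}
        for child in children:
            cuts = {a | b for a in cuts for b in child}
    return {c for c in cuts if not any(o < c for o in cuts)}


def basic_events(node: Node) -> List[Basic]:
    if isinstance(node, Basic):
        return [node]
    return [b for i in node.inputs for b in basic_events(i)]


def evaluate(node: Node, state: Dict[str, bool]) -> bool:
    if isinstance(node, Basic):
        return state[node.name]
    values = [evaluate(i, state) for i in node.inputs]
    return all(values) if node.kind == "AND" else any(values)


def monte_carlo(node: Node, trials: int = 100_000, seed: int = 7) -> float:
    """Estimate the top-event probability by sampling every basic event."""
    rng = random.Random(seed)
    events = basic_events(node)
    hits = 0
    for _ in range(trials):
        state = {b.name: rng.random() < b.p for b in events}
        hits += evaluate(node, state)
    return hits / trials


def with_probability(node: Node, name: str, p: float) -> Node:
    if isinstance(node, Basic):
        return Basic(name, p) if node.name == name else node
    return Gate(node.kind, tuple(with_probability(i, name, p) for i in node.inputs))


def risk_reduction_worth(node: Node, name: str) -> float:
    """Drop in top-event probability if the named basic event is made
    impossible, i.e. the most a perfect control on that event could buy."""
    return probability(node) - probability(with_probability(node, name, 0.0))


if __name__ == "__main__":
    print(f"P(top) exact       = {probability(TOP):.6f}")
    print(f"P(top) Monte Carlo = {monte_carlo(TOP):.6f}")
    print("minimal cut sets   =", [sorted(c) for c in minimal_cut_sets(TOP)])
    for b in basic_events(TOP):
        print(f"RRW {b.name:<30} {risk_reduction_worth(TOP, b.name):.6f}")
```

The risk reduction worth column is the bridge to control selection: it ranks basic events by how much of the top-event probability a control on each could remove, and here the backups being reachable by malware dominates, because eliminating it removes the whole ransomware branch. When a real model shares a basic event between branches, the exact OR formula no longer holds and the Monte Carlo estimate becomes the reference.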

Examples of qualitative risk assessment tools include EBIOS RM (Expression of Needs and Identification of Security Objectives)[22], MEHARI (Harmonised Risk Analysis Method)[23], and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation).[24] IT-Grundschutz (IT Baseline Protection Manual)[25] is an example of a tool performing quantitative risk assessment. Other tools such as MAGERIT (Risk Analysis and Management Methodology for Information Systems)[26] and CORAS (a method for risk analysis of security-critical systems)[27] are widely used for both qualitative and quantitative risk assessments. In any case, the choice of risk assessment tool depends largely on the purpose and on the data available (e.g., impact, likelihood of occurrence, etc.).[28][29][30]

Previous work by Ganin et al.[31] addressed the gap between risk assessment and risk management and how to allow a structured and transparent process of selecting risk management alternatives. The authors proposed a decision-analysis-based approach that quantifies threats, vulnerabilities, and consequences based on multiple criteria to assess the cybersecurity risk levels. The proposed approach provides justifiable methods for selecting risk management actions consistent with stakeholder values and technical data.

Radanliev et al.[32] proposed a model for defining individual risks and measuring them. The authors focused on internet of things (IoT) scenarios and integrated an impact assessment methodology to improve understanding of the economic impact values associated with particular devices. As a result, new risk metrics were developed that consider uncertainties and potential challenges specific to the IoT environment. The major limitation of this approach is that it does not evaluate cyber risks arising from unknown but potential vulnerabilities.

Varela-Vaca et al.[33] addressed the problem of automatic security risk management by proposing a risk assessment methodology that enables the analysis and evaluation of multiple activities combined in a business process model, in order to determine the compliance of the model with the security-risk objectives. The authors focused on combining business process management and security-risk descriptions to assess the risk level of the entire process and to identify the risk responsible for a nonconformity. Artificial intelligence techniques were used to automate the diagnostic process.

Advances in the area of IoT have brought novel methods that integrate various cyber risk assessment approaches (e.g., Cyber Value at Risk[34] and MicroMort[35]) to compute the economic impact of IoT cyber risks.[32] Recent cyber risk assessment models use a variety of techniques, including text mining[36], fuzzy fractional ordinary differential equations[37], and lognormal probability distributions[38], among others, aiming to adapt rapidly to changing environments and provide accurate risk assessment results.

Privacy risk assessment

The use of a privacy impact assessment (PIA) is considered part of a systematic risk management approach that aims to evaluate the potential effects that systems may have on privacy[39] and to foster trust by implementing the privacy-by-design principle.[40] Several standardization bodies and data protection authorities have established legal frameworks and guidelines that mandate conducting a PIA, among them the GDPR.[10] However, even though the notion of a PIA has a long history, traced by Clarke in 2009[39], and several published frameworks and guidelines set out the principles for conducting a privacy impact assessment, a PIA remains a challenging and difficult process because of the many aspects an assessor needs to consider.[41] According to the GDPR, where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Nevertheless, a PIA should be an ongoing process, regularly applied to personal data processing so that risks are identified and mitigated in a more dynamic manner.[42]

Privacy and data protection standards (e.g., BS 10012:2017[43], ISO/IEC 29151:2017[44], and ISO/IEC 27018:2014[45]) can be found in the literature that treat a PIA as a requirement within the execution of cybersecurity risk assessments. PIAs and cybersecurity risk assessments are, however, treated as two different and uncorrelated processes[40][46], and there is a clear gap in automated tools, methods, and models that implement PIAs.[41] Even though standards (e.g., ISO/IEC 29134:2017[47]) provide details and guidance for conducting privacy impact assessments, they are very generic and provide high-level information that is in some cases insufficient to perform an appropriate privacy risk assessment.[46] Although the literature provides a wide variety of privacy metrics, they mainly consider properties of privacy-enhancing technologies, such as the amount of sensitive information leaked or the number of indistinguishable users, rather than the privacy impact.[48] Recently, NIST proposed a privacy framework, in the form of substantial documentation and a practical tool, for managing an organization’s privacy risks by prioritizing privacy protection activities through enterprise risk management.[11] NIST also developed the Privacy Risk Assessment Methodology (PRAM), which applies the risk model from NISTIR 8062[49] and helps organizations analyze, assess, and prioritize privacy risks.[50]

In addition, several national regulators have published guidelines for a data protection impact assessment (DPIA), including the French Commission for Informatics and Freedom (CNIL)[51] and the British Information Commissioner’s Office (ICO).[52] Such guidance has been updated to address the GDPR’s DPIAs and to provide detailed guidelines about their regulatory requirements and processes. These guidelines follow different approaches and propose diverse steps for conducting a PIA. Thus, adopting a single methodology becomes a difficult task for an organization, and organizing a PIA project becomes a maze-like process. While there are differences among the aforementioned approaches, they are equally suitable for conducting a DPIA and produce largely similar results.

ENISA’s online tool, which consists of six steps for calculating privacy risk, is one of the available PIA tools; in it, the assessment of risks is the first step towards adopting appropriate security measures for the protection of personal data. CNIL’s PIA tool, in turn, targets data controllers who are already familiar with the PIA process. It lacks automation in terms of ICT asset inventory and detection of threats or vulnerabilities that can affect privacy (which would raise the risk assessor’s awareness), and the resulting risk levels do not take the organization’s cybersecurity status into account. The GDPR DPIA Tool (DPIA Tool) is a web-based tool that assists organizations in evaluating data protection risks with respect to the GDPR. It was developed to support the implementation of DPIAs and provides a structured, risk-oriented approach to identifying and assessing potential data protection risks. Because the DPIA Tool is structured around a questionnaire, it offers rather limited automation of the assessment of processing activities on personal data within the organization. Last, the Compliance-Kit 2.0 tool follows the British standard BS 10012, the GDPR, and ISO/IEC 29100; it is based on the legal obligation to comply with the GDPR’s requirements and on management’s strategic decisions to implement these regulations, with the goal of establishing, maintaining, and developing practical, process-oriented data protection management.

In addition to the aforementioned regulatory efforts, academic research has also proposed improvements to DPIA processes, including making the DPIA process more systematic and structured by proposing formal modelling techniques for privacy threats.[46] Manna et al., for example, proposed a comprehensive methodology for identifying and quantifying data privacy risks, with risk values computed at different levels to help both senior management and operational personnel assess and mitigate privacy risks. Wei et al.[46] proposed a systematic privacy-considered information security risk assessment (pISRA) model, which takes both a privacy impact analysis and a risk assessment into consideration. Finally, Henriksen-Bulmer et al. presented an empirically evaluated privacy risk assessment framework based on contextual integrity, the DPIA Data Wheel, which practitioners can use to inform decision making around the privacy risks of cyber-physical systems (CPS). However, most of these research efforts do not provide an implementation of their proposed method or model.

Optimal risk control and cyber investments

References

  1. Whitman, Michael E.; Mattord, Herbert J. (2012). Principles of information security (4th ed.). Boston, MA: Course Technology. ISBN 978-1-111-13821-9. 
  2. Center for Internet Security. "CIS Controls". https://www.cisecurity.org/controls/. Retrieved 31 May 2021. 
  3. International Organization for Standardization. "ISO/IEC 27001 Information Security Management". International Organization for Standardization. https://www.iso.org/isoiec-27001-information-security.html. Retrieved 14 June 2021. 
  4. Kruse, Clemens Scott; Frederick, Benjamin; Jacobson, Taylor; Monticone, D. Kyle (1 January 2017). "Cybersecurity in healthcare: A systematic review of modern threats and trends" (in en). Technology and Health Care 25 (1): 1–10. doi:10.3233/THC-161263. ISSN 0928-7329. https://content.iospress.com/articles/technology-and-health-care/thc1263. 
  5. Verizon (2020). "2020 Data Breach Investigations Report" (PDF). Verizon. https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf. Retrieved 30 March 2021. 
  6. Bischoff, P. (10 March 2021). "Ransomware attacks on US healthcare organizations cost $20.8bn in 2020". CompariTech. https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/. Retrieved 30 March 2021. 
  7. Verizon (2019). "2019 Data Breach Investigations Report" (PDF). Verizon. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf. Retrieved 12 April 2021. 
  8. Martin, Guy; Ghafur, Saira; Kinross, James; Hankin, Chris; Darzi, Ara (4 June 2018). "WannaCry—a year on" (in en). BMJ 361: k2381. doi:10.1136/bmj.k2381. ISSN 0959-8138. PMID 29866711. https://www.bmj.com/content/361/bmj.k2381. 
  9. Hughes, O. (15 August 2019). "NHS trust IT spend up more than £150m since WannaCry". DigitalHealth. https://www.digitalhealth.net/2019/08/nhs-trusts-it-spend-up-more-than-150m-since-wannacry/. Retrieved 10 May 2021. 
  10. "General Data Protection Regulation (GDPR)". Intersoft Consulting. https://gdpr-info.eu/. Retrieved 08 June 2021. 
  11. National Institute of Standards and Technology (16 January 2020). NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Gaithersburg, MD. doi:10.6028/nist.cswp.01162020. https://doi.org/10.6028/NIST.CSWP.01162020. 
  12. Nespoli, Pantaleone; Papamartzivanos, Dimitrios; Gómez Mármol, Félix; Kambourakis, Georgios (2018). "Optimal Countermeasures Selection Against Cyber Attacks: A Comprehensive Survey on Reaction Frameworks". IEEE Communications Surveys & Tutorials 20 (2): 1361–1396. doi:10.1109/COMST.2017.2781126. ISSN 1553-877X. https://ieeexplore.ieee.org/document/8169023/. 
  13. Arce, I. (1 March 2003). "The weakest link revisited [information security]". IEEE Security & Privacy 1 (2): 72–76. doi:10.1109/MSECP.2003.1193216. ISSN 1558-4046. https://ieeexplore.ieee.org/document/1193216/. 
  14. Vavoulas, Nikos; Xenakis, Christos (2011), Xenakis, Christos; Wolthusen, Stephen, eds., "A Quantitative Risk Analysis Approach for Deliberate Threats", Critical Information Infrastructures Security (Berlin, Heidelberg: Springer Berlin Heidelberg) 6712: 13–25, doi:10.1007/978-3-642-21694-7_2, ISBN 978-3-642-21693-0, http://link.springer.com/10.1007/978-3-642-21694-7_2 
  15. Stamatelatos, M.; Vesely, W.; Dugan, J. et al. (August 2002). "Fault Tree Handbook with Aerospace Applications". NASA. http://www.mwftr.com/CS2/Fault%20Tree%20Handbook_NASA.pdf. Retrieved 31 May 2021. 
  16. Ruijters, Enno; Stoelinga, Mariëlle (1 February 2015). "Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools" (in en). Computer Science Review 15-16: 29–62. doi:10.1016/j.cosrev.2015.03.001. ISSN 1574-0137. https://www.sciencedirect.com/science/article/abs/pii/S1574013715000027. 
  17. Jiang, Xia; Neapolitan, Richard E.; Barmada, M. Michael; Visweswaran, Shyam (31 March 2011). "Learning genetic epistasis using Bayesian network scoring criteria". BMC Bioinformatics 12 (1): 89. doi:10.1186/1471-2105-12-89. ISSN 1471-2105. PMC 3080825. PMID 21453508. https://doi.org/10.1186/1471-2105-12-89. 
  18. Koumenides, Christos L.; Shadbolt, Nigel R. (2012). "Combining link and content-based information in a Bayesian inference model for entity search" (in en). Proceedings of the 1st Joint International Workshop on Entity-Oriented and Semantic Search - JIWES '12 (Portland, Oregon: ACM Press): 1–6. doi:10.1145/2379307.2379310. ISBN 978-1-4503-1601-9. http://dl.acm.org/citation.cfm?doid=2379307.2379310. 
  19. Haugh, M. (2016). "Monte-Carlo Methods for Risk Management" (PDF). IEOR E4602: Quantitative Risk Management. https://martin-haugh.github.io/files/QRM/MC_RiskManage.pdf. Retrieved 12 April 2021. 
  20. Komorowski, Matthieu; Raffa, Jesse (2016), "Markov Models and Cost Effectiveness Analysis: Applications in Medical Research" (in en), Secondary Analysis of Electronic Health Records (Cham: Springer International Publishing): 351–367, doi:10.1007/978-3-319-43742-2_24, https://doi.org/10.1007/978-3-319-43742-2_24 
  21. Yu-Ting, Ding; Hai-Peng, Qu; Xi-Long, Teng (1 April 2014). "Real-time risk assessment based on hidden Markov model and security configuration". 2014 International Conference on Information Science, Electronics and Electrical Engineering (Sapporo, Japan: IEEE): 1600–1603. doi:10.1109/InfoSEEE.2014.6946191. ISBN 978-1-4799-3197-2. http://ieeexplore.ieee.org/document/6946191/. 
  22. "EBIOS Risk Manager - The Method". ANSSI. https://www.ssi.gouv.fr/guide/ebios-risk-manager-the-method/. Retrieved 15 June 2021. 
  23. "Bienvenue sur le site officiel de MEHARI". MEHARIPedia. Avada. http://meharipedia.org/home/. Retrieved 15 June 2021. 
  24. Caralli, Richard; Stevens, James F.; Young, Lisa R.; Wilson, William R. (2007). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. Technical Report CMU/SEI-2007-TR-012. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. doi:10.1184/R1/6574790.V1. https://kilthub.cmu.edu/articles/Introducing_OCTAVE_Allegro_Improving_the_Information_Security_Risk_Assessment_Process/6574790/1. 
  25. "IT-Grundschutz". Federal Office for Information Security. https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html. Retrieved 15 June 2021. 
  26. "Magerit". European Union Agency for Cybersecurity. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_magerit.html. Retrieved 15 June 2021. 
  27. "The CORAS Method". SourceForge. 16 November 2015. http://coras.sourceforge.net/. Retrieved 15 June 2021. 
  28. Gonzalez Granadillo, G.; Doynikova, E.; Garcia-Alfaro, J. et al. (1 October 2020). "Stateful RORI-based countermeasure selection using hypergraphs" (in en). Journal of Information Security and Applications 54: 102562. doi:10.1016/j.jisa.2020.102562. ISSN 2214-2126. https://www.sciencedirect.com/science/article/abs/pii/S221421262030716X. 
  29. Gonzalez-Granadillo, G.; Dubus, S.; Motzek, A. et al. (1 June 2018). "Dynamic risk management response system to handle cyber threats" (in en). Future Generation Computer Systems 83: 535–552. doi:10.1016/j.future.2017.05.043. ISSN 0167-739X. https://www.sciencedirect.com/science/article/abs/pii/S0167739X17311433. 
  30. Gonzalez-Granadillo, Gustavo; Alvarez, Ender; Motzek, Alexander; Merialdo, Matteo; Garcia-Alfaro, Joaquin; Debar, Hervé (2016), "Towards an Automated and Dynamic Risk Management Response System" (in en), Secure IT Systems (Cham: Springer International Publishing): 37–53, doi:10.1007/978-3-319-47560-8_3, https://doi.org/10.1007/978-3-319-47560-8_3 
  31. Ganin, Alexander A.; Quach, Phuoc; Panwar, Mahesh; Collier, Zachary A.; Keisler, Jeffrey M.; Marchese, Dayton; Linkov, Igor (2020). "Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management" (in en). Risk Analysis 40 (1): 183–199. doi:10.1111/risa.12891. ISSN 1539-6924. https://onlinelibrary.wiley.com/doi/abs/10.1111/risa.12891. 
  32. Radanliev, P.; De Roure, D.C.; Nicolescu, R. et al. (1 November 2018). "Future developments in cyber risk assessment for the internet of things" (in en). Computers in Industry 102: 14–22. doi:10.1016/j.compind.2018.08.002. ISSN 0166-3615. https://www.sciencedirect.com/science/article/pii/S0166361518301817. 
  33. Varela-Vaca, Ángel J.; Parody, Luisa; Gasca, Rafael M.; Gómez-López, María T. (2019). "Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models". IEEE Access 7: 26448–26465. doi:10.1109/ACCESS.2019.2901408. ISSN 2169-3536. https://ieeexplore.ieee.org/document/8651587/. 
  34. Bay Dynamics (2017). "Cyber Value at Risk: Quantify the Financial Impact of Cyber Risk" (PDF). Bay Dynamics. https://www.ten-inc.com/presentations/2017_ISE_NE_BayDynamics_WP.pdf. Retrieved 05 August 2021. 
  35. Fry, A.M.; Harrison, A.; Daigneault, M. (1 February 2016). "Micromorts - what is the risk?". British Journal of Oral and Maxillofacial Surgery 54 (2): 230–231. doi:10.1016/j.bjoms.2015.11.023. ISSN 0266-4356. https://doi.org/10.1016/j.bjoms.2015.11.023. 
  36. Biswas, B.; Mukhopadhyay, A.; Bhattacharjee, S. et al. (22 July 2021). "A text-mining based cyber-risk assessment and mitigation framework for critical analysis of online hacker forums" (in en). Decision Support Systems: 113651. doi:10.1016/j.dss.2021.113651. ISSN 0167-9236. https://www.sciencedirect.com/science/article/abs/pii/S0167923621001615. 
  37. Wang, Z.; Chen, L.; Song, S. et al. (1 August 2020). "Automatic cyber security risk assessment based on fuzzy fractional ordinary differential equations" (in en). Alexandria Engineering Journal 59 (4): 2725–2731. doi:10.1016/j.aej.2020.05.014. ISSN 1110-0168. https://www.sciencedirect.com/science/article/pii/S1110016820302283. 
  38. Derbyshire, R.; Green, B.; Hutchison, D. (1 April 2021). "“Talking a different Language”: Anticipating adversary attack cost for cyber risk assessment" (in en). Computers & Security 103: 102163. doi:10.1016/j.cose.2020.102163. ISSN 0167-4048. https://www.sciencedirect.com/science/article/pii/S0167404820304363. 
  39. Clarke, R. (1 January 2009). "Privacy impact assessment: Its origins and development" (in en). Computer Law & Security Review 25 (2): 123–135. doi:10.1016/j.clsr.2009.02.002. ISSN 0267-3649. https://www.sciencedirect.com/science/article/abs/pii/S0267364909000302. 
  40. Oetzel, Marie Caroline; Spiekermann, Sarah (1 March 2014). "A systematic methodology for privacy impact assessments: a design science approach". European Journal of Information Systems 23 (2): 126–150. doi:10.1057/ejis.2013.18. ISSN 0960-085X. https://doi.org/10.1057/ejis.2013.18. 
  41. Vemou, K.; Karyda, M. (2018). "An Evaluation Framework for Privacy Impact Assessment Methods". MCIS 2018 Proceedings: 5. https://aisel.aisnet.org/mcis2018/5/. 
  42. Papamartzivanos, Dimitrios; Menesidou, Sofia Anna; Gouvas, Panagiotis; Giannetsos, Thanassis (February 2021). "A Perfect Match: Converging and Automating Privacy and Security Impact Assessment On-the-Fly" (in en). Future Internet 13 (2): 30. doi:10.3390/fi13020030. https://www.mdpi.com/1999-5903/13/2/30. 
  43. British Standards Institution. "BS 10012 Personal Information Management System". British Standards Institution. https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/. Retrieved 12 July 2021. 
  44. International Organization for Standardization (August 2017). "ISO/IEC 29151:2017 Information technology — Security techniques — Code of practice for personally identifiable information protection". International Organization for Standardization. https://www.iso.org/standard/62726.html. Retrieved 12 July 2021. 
  45. International Organization for Standardization (August 2014). "ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors". International Organization for Standardization. https://www.iso.org/standard/61498.html. Retrieved 12 July 2021. 
  46. Wei, Yu-Chih; Wu, Wei-Chen; Lai, Gu-Hsin; Chu, Ya-Chi (23 April 2018). "pISRA: privacy considered information security risk assessment model" (in en). The Journal of Supercomputing 76 (3): 1468–1481. doi:10.1007/s11227-018-2371-0. ISSN 0920-8542. https://doi.org/10.1007/s11227-018-2371-0. 
  47. International Organization for Standardization (June 2017). "ISO/IEC 29134:2017 Information technology — Security techniques — Guidelines for privacy impact assessment". International Organization for Standardization. https://www.iso.org/standard/62289.html. Retrieved 12 July 2021. 
  48. Wagner, Isabel; Eckhoff, David (12 June 2018). "Technical Privacy Metrics: A Systematic Survey". ACM Computing Surveys 51 (3): 57:1–57:38. doi:10.1145/3168389. ISSN 0360-0300. https://doi.org/10.1145/3168389. 
  49. National Institute of Standards and Technology (16 January 2020). "NISTIR 8062". National Institute of Standards and Technology. https://www.nist.gov/privacy-framework/nistir-8062. Retrieved 07 July 2021. 
  50. National Institute of Standards and Technology (16 January 2020). "NIST PRAM". National Institute of Standards and Technology. https://www.nist.gov/privacy-framework/nist-pram. Retrieved 29 March 2021. 
  51. Commission nationale de l'informatique et des libertés (February 2018). "Privacy Impact Assessment (PIA) Methodology" (PDF). Commission nationale de l'informatique et des libertés. https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-1-en-methodology.pdf. Retrieved 08 November 2020. 
  52. Information Commissioner's Office. "Data protection impact assessments". Information Commissioner's Office. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/. Retrieved 08 November 2020. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. Numerous links that were originally posted inline in the text were turned into full citations for this version, adding significantly to the total citation count.