Öz
Günümüzde siber saldırıların ve potansiyel zararlarının hızla artmasıyla birlikte, şirketler ve kurumlar için siber güvenliğin sağlanması hayati bir öneme sahip hale gelmiştir. Bu çalışmada, siber risklerin nicel bir analizi için saldırı-savunma ağaçları tabanlı bir yaklaşım geliştirilmiştir. Önerilen yaklaşım, siber tehditleri temsil eden düğümlerin risk seviyelerini ölçerek toplam riski hesaplamak için saldırı-savunma ağacını kullanmaktadır. Ayrıca, belirlenen savunma önlemlerinin alınması durumunda güncellenmiş risk değerini sistematik bir şekilde hesaplamaktadır. Geliştirilen siber risk analizi yaklaşımı, oltalama saldırılarına yönelik yaygın bir senaryoya uygulanmış ve çeşitli savunma stratejileri altında siber risk değerleri hesaplanmıştır. Örneğin, savunma önlemleri alınmadığı durumda siber risk değeri 0,28392 olarak hesaplanırken, teknik savunma önlemlerinin (antivirüs, IDS, erişim denetimi, web içerik sınırlandırma ve spam kontrolü) alınması durumunda risk değeri yaklaşık %97,5 azalarak 0,00721 seviyesine düşmektedir. Teknik savunma önlemlerine ek olarak kullanıcı eğitimi de verildiğinde risk değerindeki azalma %98'e ulaşmaktadır. Sadece bireysel kullanıcılara yönelik temel savunma önlemlerinin (antivirüs ve spam kontrolü) alınması durumunda risk değerindeki azalma ise %90 civarında kalmaktadır. Örnek çalışma üzerinden elde edilen bu sonuçlar, önerilen yaklaşımın doğruluğunu ve önemini kanıtlamaktadır. Geliştirilen yaklaşımın siber güvenlik stratejilerinin belirlenmesi yolunda katkıları tartışma bölümünde detaylandırılmıştır.
Anahtar Kelimeler
Siber risk analizi Saldırı savunma ağacı Siber risk yönetimi Kaynak tahsisi eniyileme
Kaynakça
- Strupczewski G (2021) Defining cyber risk. Safety science, 135, 105143.
- Aldasoro I, Gambacorta L, Giudici P, Leach T (2022) The drivers of cyber risk. Journal of Financial Stability, 60, 100989.
- Jamilov R, Rey H, Tahoun A (2021) The anatomy of cyber risk (No. w28906). National Bureau of Economic Research.
- Cremer F, Sheehan B, Fortmann M, Kia AN, Mullins M, Murphy F, Materne S (2022) Cyber risk and cybersecurity: a systematic review of data availability. The Geneva Papers on risk and insurance-Issues and practice, 47(3), 698-736.
- Eling M, McShane M, Nguyen T (2021) Cyber risk management: History and future research directions. Risk Management and Insurance Review, 24(1), 93-125.
- Sheyner O, Haines J, Jha S, Lippmann R, Wing JM (2002) Automated generation and analysis of attack graphs. In Proceedings 2002 IEEE Symposium on Security and Privacy (pp. 273-284). IEEE.
- Nagaraju V, Fiondella L, Wandji T (2017) A survey of fault and attack tree modeling and analysis for cyber risk management. In 2017 IEEE International Symposium on Technologies for Homeland Security (HST) (pp. 1-6). IEEE.
- Haque MA, Haque S, Kumar K, Singh NK (2021) A comprehensive study of cyber security attacks, classification, and countermeasures in the internet of things. In Handbook of research on digital transformation and challenges to data security and privacy (pp. 63-90). IGI Global, Pennsylvania, USA.
- Kordy B, Mauw S, Radomirović S, Schweitzer P (2014) Attack–defense trees. Journal of Logic and Computation, 24(1), 55-87.
- Bagnato A, Bíró RK, Bonino D, vd. (2017) Designing swarms of cyber-physical systems: The H2020 CPSwarm project. In Proceedings of the Computing Frontiers Conference (pp. 305-312).
- He S, Lei D, Shuang W, Liu C, Gu, Z (2020) Network Security Analysis of Industrial Control System Based on Attack-Defense Tree. In 2020 IEEE International Conference on Artificial Intelligence and Information Systems (ICAIIS) (pp. 651-655). IEEE.
- Rios E, Rego A, Iturbe E, Higuero M, Larrucea X (2020) Continuous quantitative risk management in smart grids using attack defense trees. Sensors, 20(16), 4404.
- Guo H, Ding L, Xu W (2022) Cybersecurity Risk Assessment of Industrial Control Systems Based on Order-α Divergence Measures Under an Interval-Valued Intuitionistic Fuzzy Environment. IEEE Access, 10, 43751-43765.
- Hyder B, Majerus H, Sellars H, vd. (2022) CySec Game: A Framework and Tool for Cyber Risk Assessment and Security Investment Optimization in Critical Infrastructures. In 2022 Resilience Week (RWS) (pp. 1-6). IEEE.
- Mondal SK, Tan T, Khanam S, Kumar K, Kabir HMD, Ni K (2023) Security Quantification of Container-Technology-Driven E-Government Systems. Electronics, 12(5), 1238.
- Bryans J, Liew LS, Nguyen HN, Sabaliauskaite G, Shaikh SA (2023) Formal Template-Based Generation of Attack–Defence Trees for Automated Security Analysis. Information, 14(9), 481.
- Houmb SH, Franqueira VN, Engum EA (2010) Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software, 83(9), 1622-1634.
- Wu W, Kang R, Li Z (2015) Risk assessment method for cyber security of cyber physical systems. In 2015 First International Conference On Reliability Systems Engineering (ICRSE) (pp. 1-5). IEEE.
- Jakobsson M, Myers S (Eds.) (2006) Phishing and countermeasures: understanding the increasing problem of electronic identity theft. John Wiley & Sons, New York, USA.
- Proofpoint (2020) State of the Phish An in-depth look at user awareness, vulnerability and resilience. Web. https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-state-of-the-phish-2020.pdf Erişim: 23 Ekim 2023.
- MITRE Corporation (2023) MITRE ATT&CK. Web.https://attack.mitre.org/ Erişim: 23 Ekim 2023.
- GARPHUS Kaseya Company (2020) Verizon Says Phishing Still Drives 90% of Cybersecurity Breaches. Web. https://www.graphus.ai/blog/verizon-says-phishing-still-drives-90-of-cybersecurity-breaches/ Erişim: 23 Ekim 2023.
- GARPHUS Kaseya Company (2023) Spear Phishing & Social Engineering. People are your weakest cybersecurity link. What are you going to do about it? Web. https://www.graphus.ai/resources/spear-phishing-social-engineering/ Erişim: 23 Ekim 2023.
- AntivirusGuide (2023) The Best Anti-Phishing Software Of 2023 Web. https://bit.ly/TheBestAnti-PhishingSoftwareOf2023 Erişim: 23 Ekim 2023.
- Shah, SAR, Issac B (2018) Performance comparison of intrusion detection systems and application of machine learning to Snort system. Future Generation Computer Systems, 80, 157-170.
- Qiang W, Yang L, Jin H (2022) Efficient and robust malware detection based on control flow traces using deep neural networks. Computers & Security, 102871.
- Choi H, Zhu BB, Lee H (2011) Detecting malicious web links and identifying their attack types. In 2nd USENIX Conference on Web Application Development (WebApps 11).
- Vladislav Tushkanov (2023) What does ChatGPT know about phishing? Web. https://securelist.com/chatgpt-anti-phishing/109590/ Erişim: 23 Ekim 2023.
Öz
With the rapid increase in cyber-attacks and potential damage in today's world, ensuring cybersecurity has become of paramount importance for companies and organizations. In this study, an approach based on attack-defense trees has been developed for the quantitative analysis of cyber risks. The proposed methodology utilizes attack-defense trees to measure the risk levels of nodes representing cyber threats and systematically calculate the total risk when specific defense measures are implemented. The developed cyber risk analysis approach has been applied to a common scenario involving phishing attacks, and cyber risk values have been calculated under various defense strategies. For instance, when no defense measures are taken, the cyber risk value is calculated as 0.28392. However, when technical defense measures such as antivirus software, intrusion detection systems (IDS), access control, web content filtering, and spam control are implemented, the risk value significantly decreases by approximately 97.5% to 0.00721. Furthermore, incorporating user training results in a 98% reduction in risk value. Implementing basic defense measures targeting individual users, such as antivirus and spam control, leads to a reduction of around 90% in the risk value. The accuracy and significance of the proposed approach are demonstrated through the results obtained from this sample study. The contributions of the developed approach to determining cybersecurity strategies are detailed in the discussion section.
Anahtar Kelimeler
Cyber risk analysis Attack defense tree Cyber risk management Optimal resource allocation
Kaynakça
- Strupczewski G (2021) Defining cyber risk. Safety science, 135, 105143.
- Aldasoro I, Gambacorta L, Giudici P, Leach T (2022) The drivers of cyber risk. Journal of Financial Stability, 60, 100989.
- Jamilov R, Rey H, Tahoun A (2021) The anatomy of cyber risk (No. w28906). National Bureau of Economic Research.
- Cremer F, Sheehan B, Fortmann M, Kia AN, Mullins M, Murphy F, Materne S (2022) Cyber risk and cybersecurity: a systematic review of data availability. The Geneva Papers on risk and insurance-Issues and practice, 47(3), 698-736.
- Eling M, McShane M, Nguyen T (2021) Cyber risk management: History and future research directions. Risk Management and Insurance Review, 24(1), 93-125.
- Sheyner O, Haines J, Jha S, Lippmann R, Wing JM (2002) Automated generation and analysis of attack graphs. In Proceedings 2002 IEEE Symposium on Security and Privacy (pp. 273-284). IEEE.
- Nagaraju V, Fiondella L, Wandji T (2017) A survey of fault and attack tree modeling and analysis for cyber risk management. In 2017 IEEE International Symposium on Technologies for Homeland Security (HST) (pp. 1-6). IEEE.
- Haque MA, Haque S, Kumar K, Singh NK (2021) A comprehensive study of cyber security attacks, classification, and countermeasures in the internet of things. In Handbook of research on digital transformation and challenges to data security and privacy (pp. 63-90). IGI Global, Pennsylvania, USA.
- Kordy B, Mauw S, Radomirović S, Schweitzer P (2014) Attack–defense trees. Journal of Logic and Computation, 24(1), 55-87.
- Bagnato A, Bíró RK, Bonino D, vd. (2017) Designing swarms of cyber-physical systems: The H2020 CPSwarm project. In Proceedings of the Computing Frontiers Conference (pp. 305-312).
- He S, Lei D, Shuang W, Liu C, Gu, Z (2020) Network Security Analysis of Industrial Control System Based on Attack-Defense Tree. In 2020 IEEE International Conference on Artificial Intelligence and Information Systems (ICAIIS) (pp. 651-655). IEEE.
- Rios E, Rego A, Iturbe E, Higuero M, Larrucea X (2020) Continuous quantitative risk management in smart grids using attack defense trees. Sensors, 20(16), 4404.
- Guo H, Ding L, Xu W (2022) Cybersecurity Risk Assessment of Industrial Control Systems Based on Order-α Divergence Measures Under an Interval-Valued Intuitionistic Fuzzy Environment. IEEE Access, 10, 43751-43765.
- Hyder B, Majerus H, Sellars H, vd. (2022) CySec Game: A Framework and Tool for Cyber Risk Assessment and Security Investment Optimization in Critical Infrastructures. In 2022 Resilience Week (RWS) (pp. 1-6). IEEE.
- Mondal SK, Tan T, Khanam S, Kumar K, Kabir HMD, Ni K (2023) Security Quantification of Container-Technology-Driven E-Government Systems. Electronics, 12(5), 1238.
- Bryans J, Liew LS, Nguyen HN, Sabaliauskaite G, Shaikh SA (2023) Formal Template-Based Generation of Attack–Defence Trees for Automated Security Analysis. Information, 14(9), 481.
- Houmb SH, Franqueira VN, Engum EA (2010) Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software, 83(9), 1622-1634.
- Wu W, Kang R, Li Z (2015) Risk assessment method for cyber security of cyber physical systems. In 2015 First International Conference On Reliability Systems Engineering (ICRSE) (pp. 1-5). IEEE.
- Jakobsson M, Myers S (Eds.) (2006) Phishing and countermeasures: understanding the increasing problem of electronic identity theft. John Wiley & Sons, New York, USA.
- Proofpoint (2020) State of the Phish An in-depth look at user awareness, vulnerability and resilience. Web. https://www.proofpoint.com/sites/default/files/gtd-pfpt-us-tr-state-of-the-phish-2020.pdf Erişim: 23 Ekim 2023.
- MITRE Corporation (2023) MITRE ATT&CK. Web.https://attack.mitre.org/ Erişim: 23 Ekim 2023.
- GARPHUS Kaseya Company (2020) Verizon Says Phishing Still Drives 90% of Cybersecurity Breaches. Web. https://www.graphus.ai/blog/verizon-says-phishing-still-drives-90-of-cybersecurity-breaches/ Erişim: 23 Ekim 2023.
- GARPHUS Kaseya Company (2023) Spear Phishing & Social Engineering. People are your weakest cybersecurity link. What are you going to do about it? Web. https://www.graphus.ai/resources/spear-phishing-social-engineering/ Erişim: 23 Ekim 2023.
- AntivirusGuide (2023) The Best Anti-Phishing Software Of 2023 Web. https://bit.ly/TheBestAnti-PhishingSoftwareOf2023 Erişim: 23 Ekim 2023.
- Shah, SAR, Issac B (2018) Performance comparison of intrusion detection systems and application of machine learning to Snort system. Future Generation Computer Systems, 80, 157-170.
- Qiang W, Yang L, Jin H (2022) Efficient and robust malware detection based on control flow traces using deep neural networks. Computers & Security, 102871.
- Choi H, Zhu BB, Lee H (2011) Detecting malicious web links and identifying their attack types. In 2nd USENIX Conference on Web Application Development (WebApps 11).
- Vladislav Tushkanov (2023) What does ChatGPT know about phishing? Web. https://securelist.com/chatgpt-anti-phishing/109590/ Erişim: 23 Ekim 2023.
Ayrıntılar
| Birincil Dil | Türkçe |
|---|---|
| Konular | Sistem ve Ağ Güvenliği, Endüstri Mühendisliği |
| Bölüm | Araştırma Makaleleri |
| Yazarlar | |
| Yayımlanma Tarihi | 31 Ocak 2024 |
| Gönderilme Tarihi | 25 Ekim 2023 |
| Kabul Tarihi | 14 Aralık 2023 |
| Yayımlandığı Sayı | Yıl 2024 Cilt: 4 Sayı: 1 |
