Cyber risk assessment is a fundamental activity for enhancing the protection of an organization: it identifies and evaluates the organization's exposure to cyber threats. Currently, this activity is carried out mainly manually, and the identification and correct quantification of risks depend heavily on the experience and confidence of the human assessor. As a consequence, the process is not completely objective, and two parallel assessments of the same situation may lead to different results. This paper takes a step towards reducing this degree of subjectivity by proposing a methodology that supports risk assessors with an automatic review of the produced assessment. Our methodology starts from a controls-based assessment performed using well-known cybersecurity frameworks (e.g., ISO 27001, NIST) and maps security controls onto infrastructural aspects that can be assessed automatically (e.g., ICT devices, organizational policies). Exploiting this mapping, the methodology suggests how to identify controls whose assessment needs revision. The approach has been validated through a case study from the healthcare domain and a set of statistical analyses.
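To make the idea of the abstract concrete, the following is an added illustrative sketch (written for this page, not code from the paper or its authors) of how a controls-based assessment can be cross-checked against automatically assessable infrastructure evidence. The control identifiers, the 0..4 scoring scale, the aspect names, the pass-rate evidence and the tolerance threshold are all constructed assumptions; the paper's own mapping and revision criteria are not reproduced here.

```python
"""Illustrative sketch (not the paper's method): flag controls whose human-assigned
score disagrees with evidence gathered automatically from the infrastructure."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    control_id: str         # framework control identifier (ISO 27001-style, sample only)
    assessor_score: int     # human assessment, hypothetical 0 (absent) .. 4 (fully implemented)
    aspects: List[str]      # infrastructural aspects this control is mapped onto


# Constructed sample: pass rate (0.0 .. 1.0) returned by an automated check per aspect.
AUTOMATED_EVIDENCE: Dict[str, float] = {
    "fw-default-deny": 1.0,       # all perimeter firewalls configured default-deny
    "av-on-endpoints": 0.3,       # only 30% of endpoints run anti-malware
    "mfa-on-admin": 0.0,          # no admin accounts with MFA enforced
    "password-policy-doc": 1.0,   # policy document present and current
    "backup-tested": 0.9,         # 90% of backup sets had a successful restore test
}

# Constructed sample assessment: control -> assessor score -> mapped aspects.
CONTROLS: List[Control] = [
    Control("A.13.1.1", 4, ["fw-default-deny"]),
    Control("A.12.2.1", 4, ["av-on-endpoints"]),
    Control("A.9.4.2", 3, ["mfa-on-admin", "password-policy-doc"]),
    Control("A.12.3.1", 1, ["backup-tested"]),
    Control("A.7.2.2", 3, ["awareness-training"]),   # no automated check exists for this aspect
]

MAX_SCORE = 4


def evidence_score(control: Control, evidence: Dict[str, float]) -> Optional[float]:
    """Translate the automated pass rates of a control's aspects onto the assessor's scale.
    Returns None when none of the mapped aspects has automated evidence."""
    rates = [evidence[a] for a in control.aspects if a in evidence]
    if not rates:
        return None
    return round(sum(rates) / len(rates) * MAX_SCORE, 2)


def controls_needing_revision(
    controls: List[Control],
    evidence: Dict[str, float],
    tolerance: float = 1.0,
) -> List[Tuple[str, int, Optional[float], str]]:
    """Return (control_id, assessor_score, evidence_score, reason) for every control
    that should be revisited: either the human score deviates from the automated
    evidence by more than `tolerance`, or no automated evidence exists at all."""
    flagged = []
    for c in controls:
        ev = evidence_score(c, evidence)
        if ev is None:
            flagged.append((c.control_id, c.assessor_score, None, "no automated evidence"))
            continue
        gap = c.assessor_score - ev
        if abs(gap) > tolerance:
            reason = "overrated" if gap > 0 else "underrated"
            flagged.append((c.control_id, c.assessor_score, ev, reason))
    return flagged


if __name__ == "__main__":
    for row in controls_needing_revision(CONTROLS, AUTOMATED_EVIDENCE):
        print(row)
```

In this sketch a control is flagged in two situations: the assessor's score is more than one point away from what the automated checks support (A.12.2.1 is overrated, A.12.3.1 is underrated), or the control maps only to aspects that no automated check covers, so the assessment rests entirely on the assessor's judgement. Controls within tolerance (A.13.1.1, A.9.4.2) are left alone; the tolerance value itself is a tuning choice a real deployment would calibrate.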