SIM-Ciber: A Solution Based on Probabilistic Simulations for Quantifying Risks and Impacts of Cyberattacks Using Statistical Reports
Abstract
The evolution of technologies and the growing dependence on digital devices increase cyber risks and cyber attacks, making it essential to understand the risks and their potential impacts from a technical and economic perspective. In this context, this article proposes SIM-Ciber, a solution for simulating risks and technical and financial impacts on companies. SIM-Ciber is based on cybersecurity reports and statistics from reputable companies (e.g., consultancies and service providers) and applies simulation techniques (e.g., Monte Carlo and Bayes Theorem) to understand the risks and impacts of cyberattacks on companies of different sizes, regions, and sectors. The feasibility of SIM-Ciber is demonstrated for Malware, Phishing, and DDoS attacks in different industry sectors, showing high accuracy for determining financial impacts based on real statistics.
Published
2024-09-16
How to Cite
NUNES, João; FRANCO, Muriel; SCHEID, Eder; KOZENIESKI, Geancarlo; LINDEMANN, Henrique; SOARES, Laura; NOBRE, Jéferson; GRANVILLE, Lisandro. SIM-Ciber: A Solution Based on Probabilistic Simulations for Quantifying Risks and Impacts of Cyberattacks Using Statistical Reports. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 570-585. DOI: https://doi.org/10.5753/sbseg.2024.241682.
