SIM-Ciber: A Solution Based on Probabilistic Simulations for Quantifying the Risks and Impacts of Cyberattacks Using Statistical Reports
Abstract
The evolution of technology and the growing dependence on digital devices increase cyber risks and cyberattacks, making it essential to understand those risks and their potential impacts from both a technical and an economic perspective. In this context, this paper proposes SIM-Ciber, a solution for simulating the technical and financial risks and impacts of cyberattacks on companies. SIM-Ciber draws on cybersecurity reports and statistics published by reputable organizations (e.g., consultancies and service providers) and applies probabilistic techniques (e.g., Monte Carlo simulation and Bayes' theorem) to estimate the risks and impacts of cyberattacks on companies of different sizes, regions and sectors. The feasibility of SIM-Ciber is demonstrated for malware, phishing and DDoS attacks across different industry sectors, showing high accuracy in determining financial impacts based on real statistics.
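The abstract names the two techniques SIM-Ciber combines, Monte Carlo simulation and Bayes' theorem, but not how they fit together. The following is an added illustration of that combination written for this page; it is not SIM-Ciber's own code, and the paper's actual model may differ. It assumes a lognormal cost-per-incident model, a Bayes update in odds form driven by a sector's share of reported victims, and the hypothetical helper names `bayes_update`, `simulate_annual_losses`, `summarize` and `build_portfolio`. Every statistic in it is a constructed placeholder, not a figure from any industry report.

```python
"""Monte Carlo loss simulation with a Bayesian rate adjustment.

Added illustration of the technique class named in the abstract; it is not
SIM-Ciber's code, and every statistic below is a constructed placeholder,
not a figure taken from any industry report.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackStats:
    """Report-style inputs for one attack type (constructed values)."""
    base_rate: float     # P(at least one successful attack per year), generic company
    cost_median: float   # median cost of one successful attack, USD
    cost_sigma: float    # log-space spread of that cost (lognormal shape)


def bayes_update(prior: float, likelihood_ratio: float) -> float:
    """Bayes' theorem in odds form: posterior odds = prior odds * LR.

    prior            = P(attacked) for a generic company
    likelihood_ratio = P(profile | attacked) / P(profile | not attacked), where
                       'profile' is evidence such as sector or company size
                       read off a report's victim breakdown.
    Returns P(attacked | profile).
    """
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    post_odds = (prior / (1.0 - prior)) * likelihood_ratio
    return post_odds / (1.0 + post_odds)


def sector_likelihood_ratio(share_of_victims: float, share_of_population: float) -> float:
    """LR for the evidence 'company is in sector S'. Approximation: the sector's
    share among non-victims is taken to equal its share of the whole population."""
    return share_of_victims / share_of_population


def simulate_annual_losses(portfolio, n_runs: int, seed: int = 0):
    """One Monte Carlo run = one simulated year.

    portfolio: dict attack_name -> (AttackStats, adjusted_rate).
    Each attack type independently succeeds with its adjusted rate; on success
    its cost is drawn from a lognormal with the given median and sigma.
    Returns the list of simulated total annual losses (one entry per run).
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = []
    for _ in range(n_runs):
        year_loss = 0.0
        for stats, rate in portfolio.values():
            if rng.random() < rate:
                year_loss += rng.lognormvariate(math.log(stats.cost_median), stats.cost_sigma)
        totals.append(year_loss)
    return totals


def summarize(losses):
    """Expected annual loss plus the tail percentiles a risk report quotes."""
    s = sorted(losses)
    n = len(s)

    def pct(p):
        return s[min(n - 1, int(p * n))]

    return {
        "expected_annual_loss": sum(s) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_any_loss": sum(1 for x in s if x > 0) / n,
    }


# Constructed placeholder statistics (NOT from any report).
STATS = {
    "malware":  AttackStats(base_rate=0.30, cost_median=80_000, cost_sigma=0.9),
    "phishing": AttackStats(base_rate=0.45, cost_median=40_000, cost_sigma=0.8),
    "ddos":     AttackStats(base_rate=0.10, cost_median=25_000, cost_sigma=0.7),
}


def build_portfolio(sector_share_of_victims, sector_share_of_population=0.10):
    """Adjust each base rate for a company in the chosen sector via Bayes."""
    portfolio = {}
    for name, st in STATS.items():
        lr = sector_likelihood_ratio(sector_share_of_victims[name], sector_share_of_population)
        portfolio[name] = (st, bayes_update(st.base_rate, lr))
    return portfolio


if __name__ == "__main__":
    # Constructed example: the sector is 10% of companies but 20% of phishing victims, etc.
    victims = {"malware": 0.12, "phishing": 0.20, "ddos": 0.15}
    pf = build_portfolio(victims)
    print({k: round(v[1], 3) for k, v in pf.items()})
    print(summarize(simulate_annual_losses(pf, 50_000)))
```

The split of responsibilities is the point: Bayes' theorem turns a generic attack rate into a sector-specific one using only the kind of victim breakdown reports publish, while Monte Carlo turns that rate and a cost distribution into a full annual-loss distribution, so the output is an expected loss together with tail values (p90, p95) rather than a single number. The lognormal cost model and the independence between attack types are modelling assumptions of this example, not statements about SIM-Ciber.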
Published
16/09/2024
How to Cite
NUNES, João; FRANCO, Muriel; SCHEID, Eder; KOZENIESKI, Geancarlo; LINDEMANN, Henrique; SOARES, Laura; NOBRE, Jéferson; GRANVILLE, Lisandro. SIM-Ciber: Uma Solução Baseada em Simulações Probabilísticas para Quantificação de Riscos e Impactos de Ciberataques Utilizando Relatórios Estatísticos. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 570-585. DOI: https://doi.org/10.5753/sbseg.2024.241682.