Towards automated threat-based risk assessment for cyber security in smarthomes
Journal article, Peer reviewed
Original version: Proceedings of the ... European conference on information warfare and security. 2019, 2019-July 839-844.
Cyber security is a concern of every citizen, especially when it comes to the novel technologies surrounding us in our daily lives. Fighting a cyber battle while enjoying your cup of coffee and watching gentle lights dim as you move from the kitchen to the sitting room to review today’s running training is no longer science fiction. A multitude of cyber security solutions are currently under development to satisfy the increasing demand for tools that identify threats and vulnerabilities and detect private data leakage. Within this domain, ubiquitous decision making that facilitates the life of regular end-users is a key feature. In this paper we present a Risk Assessment Model (RAM), originating from the Negative to Positive approach, to automate the threat-based Risk Assessment (RA) process, tailored specifically to smart home environments. The application of the calculation model is demonstrated on derived threat-triggered evaluation scenarios, which were established by analysing historical evidence of data communication within the smart home context. The main features of the proposed RAM are identification of the existing risks, estimation of the consequences of possible positive and negative actions, and embedding of mitigation strategies. Applying this modelling approach to the automation of RA would lead to a deep understanding of the extent to which decision making could be automated while tracking and controlling the cyber risks within the end-user’s accepted risk level. Through the proposed RAM, common factors and variables are extracted and integrated into a quantified risk model before being embedded in the automated decision making process. This research falls within the GHOST (Safe-Guarding Home IoT Environments with Personalised Real-time Risk Control) project, which aims to provide a cyber security solution targeted at regular citizens.