Towards the Definition of a Dynamic/Systemic Assessment for Cyber Security Risks Through a Systems Thinking approach
Keywords:cyber security, system dynamics, risk assessment
Nowadays our society is increasingly becoming economic and social dependent on the cyberspace, which comprehends the set of networks and information systems that are used by government agencies, enterprises, critical infrastructure providers and public administration to provide several essential services.
However, the cyberspace and its core components are exposed to numerous risks, and since these complex systems are rapidly evolving, there is a constant threat of exploitable vulnerabilities. One or several of these vulnerabilities can be exploited by attackers to hack into the computer systems of an organization, thus allowing them to read, steal, disclose or delete critical information up to take full control of physical assets. These numerous vulnerabilities, coupled with the fact that awareness of this situation is not yet well established at all levels of society, meaning that the cyber threats can become an extremely important issue for organizations, which could lead to financial and reputational impacts.
The current work adopts the Italian National Cyber Security Framework for assessing cyber security risks, which has interoperability with industry standards, guidelines, and practices, it inherits its capacity of communication that permits to broaden the discussion of cyber security matters across the organization, from the executive level to the implementation/operations level. Secondly, by joining the risks categories into a causal mapping of a general process-structure of a medium-large private organization, which is also described in causal terms, this work proposes a common ground for discussions concerning the corporate adoption of a systemic perspective as a good practice in cyber security.
Due to its compatibility with NIST’s security profiles, the Italian National Cyber Security Framework can favor the communication of its security levels to known standards (for example the ISO standards), but in a cheaper way. The Italian Framework provides a full coverage of the information and system security life cycle (from its conception, development, operation, and maintenance), by maintaining an abstraction degree that ensures companies the freedom in the implementation and contextualization of controls.