Periodic Reporting for period 2 - WISER (Wide-Impact cyber SEcurity Risk framework)
Reporting period: 2016-06-01 to 2017-11-30
Risk management frameworks have traditionally been complex and have demanded resources that many companies cannot afford. Moreover, these risk management processes have been largely manual, with a very low degree of automation. The approach is static and iterative: assessments are executed periodically, but there is no continuous monitoring, so any problem is only detected during the next assessment, which may take place several months later.
The demand for automated cyber-risk management systems affordable for everyone is growing exponentially and represents a clear market opportunity. Democratizing cyber-security is urgent.
The WISER project addresses this challenge. The project started in June 2015 and lasts 30 months; its objectives are:
• The development of a Cyber-Risk Management Framework able to assess risks in real time, considering the impact of cyber-incidents on the company's business.
• This framework must be able to evaluate the risk not only at the technical level, but also from the business side, evaluating the economic impact and the societal dimension of cyber-incidents.
• Suggest mitigation measures for given risks and assist the user in deciding which measures to apply.
• Contribute to the state of the art in best practices and develop a universal methodology to assess cyber-risk.
• Demonstrate applicability to different verticals by means of feasibility experiments.
• Finally, a sustainable business model and a sound exploitation plan must be developed to make the most of the project outcomes and guarantee their smooth transfer to industry and good marketability, with an appropriate Return on Investment (RoI).
The team extensively analyzed the state of the art in best practices, including standards and methods for risk management and for vulnerability and threat detection. To do this, they interacted with the WISER External Associate Partners (EAPs), a group of public and private entities from different verticals. The outcomes are drafted in D6.1 and consolidated in D6.2.
The solution visioning task was carried out together with the market analysis and exploitation activities, aiming at wide adoption of the WISER concept. The main outcome is the description of the project strategy, drafted in D2.5 and consolidated in D2.6.
Ten WISER risk patterns were developed. WISER offers a way to model cyber-risk, and its cyber-risk patterns address the most common attack scenarios. These patterns are used as a basis to develop machine-readable risk assessment algorithms that offer valuable information about the company's exposure to cyber-risk. This is described in D3.1, together with the modelling process used to produce representative cyber-risk models. Three different languages are used for modelling: CORAS, DEXi and R. D3.2 provides guidelines for producing CORAS diagrams and deriving DEXi and R models from them, and these tools are documented in D3.3. WISER evaluates the cyber-risk to which the client is exposed in both qualitative and economic terms, and also produces a qualitative assessment of the societal impact of the risk. The final results of the WISER modelling activity are presented in D3.4.
The portfolio of WISER services was defined, with three different products corresponding to three service levels: non-intrusive, basic/intermediate and advanced. Their names are, respectively, CyberWISER Light, CyberWISER Essential and CyberWISER Plus.
The non-intrusive one, CyberWISER Light, is a free service offering a first picture of the user's cyber-risk exposure. It targets SMEs, which typically lack this information because obtaining it is unaffordable for them. CyberWISER Light allows SMEs to get started in cyber-security. Several users, the EAPs among them, have tried CyberWISER Light with good feedback and with the feeling that WISER can help them develop a cyber-security strategy.
WISER integrates the technological advances needed to implement an IT platform for real-time cyber-risk assessment, monitoring and mitigation. WISER offers:
• Cyber-risk assessment, with its evolution followed up by means of a dashboard.
• Monitoring of the cyber-climate, covering event detection, alarm raising and follow-up.
• Vulnerability scanning and follow-up.
• Modelling for risk evaluation: WISER allows risk models and model rules to be edited, and provides modelling tools and guidelines for risk modelling.
• Support for the decision-making process by suggesting possible mitigation measures and prioritizing them by means of cost-benefit analysis techniques.
The Full Scale Pilots (FSPs) activity rolled out WISER to three different scenarios. After selecting the infrastructure elements to which WISER is applied and evaluating the business impact of those elements (how an attack on them affects the company economically), the FSPs deployed collectors to capture the information to be analyzed in order to issue a risk report. The delivery of the framework prototype (D2.4, D4.2, D5.2) triggered the direct interaction of the personnel participating in the pilots with the CyberWISER packages. The related validation methodology was presented in D7.4. The pilot leaders gained experience in using the platform and carried out its validation (D7.5). The final pilot deliverables (D6.4, D6.6 and D6.8) cover the activities performed in each pilot and the valuable conclusions drawn by each company piloting the solution, identifying the strengths of WISER and the points for improvement. The experience was assessed as positive, and the pilots believe they can really benefit from using WISER.
D7.6 documents how the WISER solutions meet industry-specific requirements, assessing portability to five verticals other than the two covered by the project FSPs.
WISER made a difference in its communication and dissemination actions. These activities are documented in D6.9, D6.10, D8.1, D8.2, D8.3, D8.4, D8.5 and D8.6.
The exploitation activity has issued deliverables D8.7 (draft) and D8.8 (final), with remarkable results: defining the exploitable items and the unique selling proposition, and developing the business models and the individual/joint exploitation plans.
• Increase the trustworthiness of the Internet as a cornerstone for running businesses.
• Modernization of risk management processes, shifting away from manual, periodic processes (like ISO 31000) to automatic and continuous risk management, which is more efficient, more affordable and easier to adopt.
• Multi-level assessment of cyber-risk, taking both the ICT and the business perspective.
• Being affordable and easy to adopt, WISER aims at raising awareness of cyber-security issues, with the key involvement of SMEs.