Dynamic Risk Management – The Path Less Trodden…
March 2018
Traditionally, our approach to managing
That’s not to say that the approach can’t (or indeed shouldn’t) be iterative, with re-assessments being performed as necessary throughout the life of a solution. However, it’s fair to say that this approach is still a far cry from ‘dynamic’ – in the sense of ensuring appropriate risk treatment in real-time, during the actual operation of a solution.
Now you might well be asking why this would be needed – certainly for a well-defined solution deployed into a well-known, closed system – I would consider a static approach to be quite sufficient. If the environment doesn’t change, why should the risk?
Enter the world of Connected and Autonomous Vehicles (
In this world, it is safe to say that the risks facing a CAV are constantly changing both in likelihood and potential impact, and so it seems imperative to handle treatment of said risk in a fully dynamic, real-time fashion.
This concept of dynamically managing risk is not new, certainly not within the Smart Car arena. However, the methods used are not well known and no initiative has yet been taken to standardise an approach. This is the task our consortium partner Warwick Manufacturing Group (WMG) Cyber Security Centre, University of Warwick, have taken on as part of the CAPRI research – and the framework they are proposing provides a novel solution to this problem. The remainder of this article discusses the current state of this framework – version “1.0” if you like,
Now, at the core of its
The WMG framework addresses all these issues by utilising the fundamental concept of profiles – with each profile aligned to specific consumer objectives, and which filter out significant portions of the data available.
The WMG framework is visualised in figure 1 and contains two key phases – design and operation.
In the design phase, risk profiles are designed for each type of consumer – with each profile tuned to provide appropriate security and safety feedback for that consumer. In this way, a profile can be thought of as a kind of IoT threat data filter. Once profiles have been defined, an initial database of IoT threat data is used to train the risk assessment models for each profile.
In the operation phase – based on the profile selected, the risk assessment model is constantly fed with real-time IoT threat data (e.g. from the ITS, CAV sensors etc.) and provides dynamic risk treatment feedback (e.g. by selecting proportionate security controls) for the consumer. During system
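To make the two phases concrete, here is an added toy sketch of the profile-based loop (illustration written for this article, not WMG's or CAPRI's code). The profile names, source and category fields, impact weights, the likelihood-times-impact scoring rule standing in for a trained model, and the control thresholds are all assumptions; the threat feed is a constructed sample.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    """Design phase: a profile is a filter over the IoT threat feed plus the
    consumer-specific impact view used by that consumer's risk model."""
    name: str
    sources: frozenset        # feed sources this consumer listens to (assumed)
    impact_weights: dict      # impact 1..5 per threat category (assumed)

# Two consumer types with deliberately different filters and impact views (assumed).
PROFILES = {
    "driver": Profile("driver", frozenset({"cav_sensor"}),
                      {"sensor_spoof": 5, "v2x_flood": 3}),
    "fleet_operator": Profile("fleet_operator", frozenset({"cav_sensor", "its"}),
                              {"sensor_spoof": 4, "v2x_flood": 4, "ota_tamper": 5}),
}

# Proportionate controls, keyed by the minimum risk score that justifies them (assumed).
CONTROLS = [(0, "monitor"), (5, "alert_operator"), (12, "degrade_to_manual"), (20, "safe_stop")]

def filter_events(profile, events):
    """The profile filters out feed entries this consumer does not care about."""
    return [e for e in events
            if e["source"] in profile.sources and e["category"] in profile.impact_weights]

def assess(profile, events):
    """Stand-in for the trained model: worst case of likelihood (1..5) x impact (1..5)."""
    scores = [e["likelihood"] * profile.impact_weights[e["category"]]
              for e in filter_events(profile, events)]
    return max(scores) if scores else 0

def select_control(score):
    """Operation phase: choose the strongest control whose threshold the score reaches."""
    chosen = CONTROLS[0][1]
    for threshold, control in CONTROLS:
        if score >= threshold:
            chosen = control
    return chosen

def treat(profile_name, events):
    """One iteration of the real-time loop: filter, assess, treat."""
    score = assess(PROFILES[profile_name], events)
    return score, select_control(score)

# Constructed sample of one real-time feed snapshot.
FEED = [
    {"source": "cav_sensor", "category": "sensor_spoof", "likelihood": 4},
    {"source": "its", "category": "v2x_flood", "likelihood": 2},
    {"source": "its", "category": "ota_tamper", "likelihood": 1},
]

if __name__ == "__main__":
    for name in PROFILES:
        print(name, treat(name, FEED))   # same feed, different treatment per profile
```

The same snapshot yields a safe stop for the driver profile but only a degraded mode for the fleet operator, which is the point of per-consumer profiles.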
If you are still with me at this point – pat yourself on the back, you’ve done well. Risk assessment in general – and dynamic risk assessment in particular – is not a simple topic as you have probably observed! I will stop here for now and leave other aspects of dynamic risk assessment such as the building of automated risk assessment models using Bayesian networks or Machine Learning to another blog article.
I hope however that this discussion has provided a useful, practical insight into the world of dynamic risk management – a starting point for those wishing to explore the topic further. In the meantime, give your brain a rest and go get another cup of tea!
Author Bio - Iain Townsend
Iain Townsend works as a Technical Consultant at Nexor delivering cyber security solutions to governments, defence and critical national infrastructure organisations. He is a member of the British Computing Society (MBCS), a Certified Information Systems Security Professional (CISSP) and an NCSC certified Information Assurance Architect (CCP IA Architect).