February 2023
Lecture Notes in Computer Science
Cybersecurity assessment aims to determine the cybersecurity state of an assessed asset and to check how effectively the asset fulfills specific security objectives. We are confronted with the lack of an integrated framework that couples a top-down approach, such as a risk-based analysis of information systems, with a bottom-up approach, such as MITRE Attack, which maps and explains the details of the actions taken by attackers, in order to evaluate defensive coverage throughout the development life cycle. In this ongoing work, we describe a Security Impact Analysis Framework (SAIF) that supports cyber analysts, cyber administrators, and developers in their daily security impact analysis tasks and provides project stakeholders with sufficient security proof and defense gaps. The goal is to avoid the use of a myriad of “tool islands” and to automate the security impact assessment process, providing sufficient safety evidence throughout the development cycle of a project. A case study of the development of an autonomous shuttle service illustrates some selected assets from the MITRE Attack approach as a practical use of this framework.

Keywords: Security impact analysis, MITRE attack, Risk-based analysis, Cybersecurity, Information systems