ODU researchers at the Critical Infrastructure Resilience Institute, a Department of Homeland Security Center of Excellence, have developed a new software tool that will provide a security risk assessment of a company’s cyber infrastructure. The Cyber Risk Scoring and Mitigation (CRISM) tool measures the security capabilities of the software and hardware that comprise a company’s cyber infrastructure.
CRISM could be applied to many fields, but it may particularly benefit the ballooning $2.75 billion cyberinsurance market, which currently lacks a technological approach to analyzing risk and pricing policies accordingly. The tool measures the security capabilities of the software that serves as the underpinning of online retail networks. As a result, cyberinsurers will be able to better analyze the risk of retailers, and ultimately create insurance policies tailored to cover cyber losses.
With cyber crimes expected to cost companies $2.1 trillion globally each year, according to a recent Forbes article, the tool could play a critical role in helping companies manage risk associated with stolen data. There is a real lack of sophisticated risk assessment tools and analytical techniques designed to assess risk and incentivize higher investments in cyber security, while imposing stiffer pricing on companies with riskier profiles Right now there’s not much analysis of how vulnerable a company’s IT systems actually are.
By deploying this tool, insurers will be able to improve risk assessment and create individualized insurance policies tailored to cover cyber losses. The tool would provide a technologically grounded approach aimed at improving underwriting cyberinsurance policies than is used today. Insurers currently determine policy pricing using written questionnaires and interviews with the company seeking cyber insurance, an approach that does not include a hand-on evaluation of the company’s specific IT systems.
The project was funded through a grant awarded to Dr. Sachin Shetty, Associate Professor, Virginia Modeling, Analysis and Simulation Center (VMASC) from the Critical Infrastructure Resilience Institute (CIRI), A Department of Homeland Security Center of Excellence (ciri.illinois.edu). CIRI is a $20 million institute founded in 2015 and conducts research and education to enhance the resilience of the Nation’s critical infrastructure and its owners and operators. CIRI is designed to explore organizational, policy, business and technical aspects of critical infrastructure’s dependence on cyber assets. CIRI will examine how computer hardware and software both contribute to and threaten resilience and how industry makes decisions about cyber assets which contribute to resilience. The Institute is led by University of Illinois and ODU is one of the 10 partnering institutes. The project started in July 2016.
CRISM is built on a platform optimized for vulnerability detection, attack graph analysis, and risk assessment. The platform can be adapted for diverse network configurations and dynamic scaling cloud environments. The tool also provides options to choose among several risk assessment models for generating, analyzing, and evaluating attack paths based on security requirements and cloud service configuration. In addition, it leverages risk scores from vulnerability databases and intelligence feeds, network vulnerability tests, automatic attack graph generation, and attack graph modeling techniques.
CRISM will provide insight into how an attacker could compromise one of the services and what is propensity of the attack propagation. The tool provides quantitative risk assessment and categorizes attack paths based on the impact to cloud services. It also illustrates the security risk scores via different visual metaphors that allow practitioners to process information at several levels of granularity.
A commercial license for Cyber Risk Scoring and Mitigation (CRISM) tool is available.
The Virginia Modeling, Analysis and Simulation Center (VMASC) at Old Dominion University is a multi-disciplinary research center dedicated to solving real world problems through the application of modeling and simulation techniques and to developing new approaches to representing physical, social, and human systems in simulation. We are one of the world's leading research centers for computer modeling, simulation, and visualization.
Get the latest information about CRISM.