Paper Type: Complete
Description
Vulnerable information systems inside an organization make it prone to cyber-attacks, leading to loss of reputation, financial loss, customer churn, and loss of future prospects. In our study, we assess, quantify, and mitigate the cyber-attack risk arising from vulnerable information technology assets using our proposed Vulnerability-based Cyber-Risk Management Model (VCRMM). We leverage Protection Motivation Theory and the cyber kill chain to assess cyber risk based on specific characteristics of vulnerabilities. We perform text mining using the topic modelling technique Latent Dirichlet Allocation, find correlations between the topics, and then classify the severity rating of vulnerabilities. The higher the severity rating of a vulnerability, the greater the probability of cyber-attack (p) an organization faces. Next, we quantify the cyber-attack risk in terms of expected losses. Finally, based on Rational Choice Theory and the NIST-guided Vulnerability Management Process, we propose mitigation strategies to reduce, accept, or transfer the cyber-attack risk.
Paper Number: 1500
Recommended Citation
Jain, Swati and Mukhopadhyay, Arunabha, "Vulnerability-based Cyber-Risk Management: A Text-mining Approach" (2023). AMCIS 2023 Proceedings. 17.
https://aisel.aisnet.org/amcis2023/sig_sec/sig_sec/17
Vulnerability-based Cyber-Risk Management: A Text-mining Approach
SIG SEC