Abstract
As connectivity constantly increases, business processes are vulnerable to external cyberattacks, which may hamper their continuity. As the frequency and derived impacts of these attacks increase, there is a need to prioritize and mitigate risks, considering their impact on business processes, in order of importance to the business. Addressing this need arises several challenges, starting with how to quantify the cyber-security risk over the infrastructure abstract level, map it to the business abstract level, and then propagate it across all process dependencies, and ending with how to prioritize issues to be addressed first. We identified that a holistic approach to answer these challenges in a process-aware manner is still missing. Therefore, the research aims to develop the following framework. First, we will form a processaware attack-graph that stands for the potential behavior of an attacker within an industrial infrastructure and its impact over the business processes. Second, we will develop a risk inferencing method to quantify the risk over the infrastructure level, map it to the business level and propagate it across different process dependencies. Finally, we will develop a method to identify the risk root causes and recommend for risk mitigation steps. The framework will be evaluated based on real-life event logs and simulated settings of a smart manufacturing factory. The resulted artifacts will be evaluated by a panel of subject matter experts from the areas of cyber-security and business process management.
Original language | English |
---|---|
Pages (from-to) | 11-18 |
Number of pages | 8 |
Journal | CEUR Workshop Proceedings |
Volume | 3139 |
State | Published - 2022 |
Event | Doctoral Consortium Papers Presented at the 34th International Conference on Advanced Information Systems Engineering, CAiSE-DC 2022 - Leuven, Belgium Duration: 6 Jun 2022 → 10 Jun 2022 |
Bibliographical note
Publisher Copyright:© 2022 Copyright for this paper by its authors.
Keywords
- Attack-Graph
- Process-Mining
- Risk management
ASJC Scopus subject areas
- General Computer Science