Cobra's Risk: Dynamic and Near-Real-Time Cyber-Physical Security Risk Assessment and Management Framework Compliant with ISO/IEC 27001
Despite the advancement of risk assessment methodologies for Critical Information Infrastructures, most risk assessment frameworks do not adequately address the cascading effects of security incidents that originate in interacting entities. This gap is critical, because Critical Information Infrastructures are characterized by significant inter-dependencies at multiple levels (infrastructural, national/intra-sectorial) and by an extremely high degree of dynamicity.
The main goal of the cobra:risk solution is therefore to close this gap through the introduction, specification and validation of a set of multi-dependency approaches to risk assessment. This introduces a new paradigm in the cyber and physical security of Critical Information Infrastructures: the knowledge gained from identifying and assessing cascading effects across the global supply chain is produced and shared, with a view to predicting potential problems and minimizing the consequences of diverse security incidents.
The Cobra Risk Management Strategy is a framework and software platform designed to help organizations of any size and type perform dynamic, continuous and near-real-time cyber-physical security risk assessment in compliance with the ISO/IEC 27001 standard on information security management, addressing the cascading effects of security incidents that originate in interacting entities and assets.
Because risk assessment is a complex and data-rich process, cobra:risk lets organizations define, graphically represent and document all of their cyber-physical assets within the scope of the security risk assessment process. Organizations can also specify the dependencies among assets and link each asset with one or more predefined threats and vulnerabilities, recording their likelihood and resulting impacts, together with details of asset ownership and confidentiality classification.
Once the organization's asset structure has been outlined along with its threats and vulnerabilities, a continuous risk assessment process starts. It highlights the cyber-physical risks of the organization's infrastructure and proposes countermeasures through the instantiation of predefined security policies (derived from widely adopted international standards such as ISO 27001) to mitigate the identified risks. Because the assessment is continuous and near-real-time, it takes into account any changes to the organization's asset structure and any updates to the threats' cascading models and effects, which the organization may introduce into the risk assessment process at any time (dynamic asset management).
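The following is an added illustration (not cobra:risk's own code or scoring rule) of the idea described above: assets carry threats with a likelihood and an impact, dependencies between assets let risk cascade from a supporting asset to the assets that rely on it, and re-running the scoring after an update models the near-real-time re-assessment. The assets, threats, dependency weights and the attenuation rule are constructed assumptions for this example.

```python
"""Cascading risk over an asset-dependency graph (illustrative model).

Assumed propagation rule: an asset's total risk is its own highest
likelihood * impact plus the risk of each asset it depends on, scaled by
a dependency weight in [0, 1]. Sample data below is constructed.
"""

# Constructed sample: asset -> list of (threat, likelihood 0..1, impact 1..5)
ASSET_THREATS = {
    "firewall":     [("misconfiguration", 0.3, 4)],
    "web_server":   [("sql_injection", 0.4, 5)],
    "db_server":    [("unpatched_component", 0.2, 5)],
    "badge_reader": [("tailgating", 0.5, 2)],   # a physical asset/threat
}

# Constructed dependencies: dependent -> list of (supporting asset, weight)
DEPENDENCIES = {
    "web_server": [("firewall", 0.8)],
    "db_server":  [("web_server", 0.6), ("badge_reader", 0.3)],
}


def direct_risk(asset):
    """Highest likelihood * impact among the asset's own threats (0 if none)."""
    return max((p * i for _, p, i in ASSET_THREATS.get(asset, [])), default=0.0)


def cascaded_risk(asset, seen=frozenset()):
    """Direct risk plus attenuated risk inherited from supporting assets."""
    if asset in seen:            # dependency cycle: do not count an asset twice
        return 0.0
    seen = seen | {asset}
    inherited = sum(w * cascaded_risk(dep, seen)
                    for dep, w in DEPENDENCIES.get(asset, []))
    return round(direct_risk(asset) + inherited, 3)


def update_threat(asset, threat, likelihood, impact):
    """Dynamic update: replace (or add) one threat entry, then re-score."""
    others = [t for t in ASSET_THREATS.get(asset, []) if t[0] != threat]
    ASSET_THREATS[asset] = others + [(threat, likelihood, impact)]
    return cascaded_risk(asset)


def risk_register(threshold=2.0):
    """Assets at or above the threshold, highest total risk first."""
    assets = set(ASSET_THREATS) | set(DEPENDENCIES)
    scored = {a: cascaded_risk(a) for a in assets}
    return sorted(((a, r) for a, r in scored.items() if r >= threshold),
                  key=lambda item: -item[1])
```

Re-running `risk_register()` after `update_threat(...)` shows how a single change to one asset's threat profile moves the totals of every asset that depends on it.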