
Available online at www.sciencedirect.com
ScienceDirect
Procedia Manufacturing 44 (2020) 655–662
www.elsevier.com/locate/procedia

1st International Conference on Optimization-Driven Architectural Design (OPTARCH 2019)

Risk based approach in scope of cybersecurity threats and requirements

Romuald Hoffmann a,*, Jarosław Napiórkowski a, Tomasz Protasowicki a, Jerzy Stanik a

a Institute of Computer and Information Systems, Faculty of Cybernetics, Military University of Technology, ul. gen. Sylwestra Kaliskiego 2, 00-908 Warsaw 46, Poland

Abstract

The paper focuses on theoretical and practical considerations related to risk management and cyber security based on the cyber kill chain concept introduced by Lockheed Martin. The proposed approach to cyber risk management, embedded in the cyber kill chain, is new and not reflected in the available literature. The proposed risk management process of identifying, analyzing, evaluating, assessing and ultimately responding to cyber threats and monitoring risks in each stage of the cyber kill chain is the heart of the approach. The approach may be used by organizations which are going to implement security mechanisms to align with the in-force requirements or to reduce cyber risks to an accepted level. The risk assessment process introduced by the authors is followed by the description of an example risk evaluation method based on a continuous-time Markov chain as a model of the cyber kill chain.
© 2020 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Peer-review under responsibility of the scientific committee of the 1st International Conference on Optimization-Driven Architectural Design

Keywords: Cyber risk management; Cyber Kill Chain; Cybersecurity; Continuous-time Markov chain

1. Introduction

Like never before our world is being changed very rapidly by modern information and communication technologies (ICT). Modern ICT has allowed almost unlimited business opportunities. This is mainly due to the universal access to information, the rapidly growing number of connections and interdependencies between organizations and their ICT systems, as well as the popularization of mobile technologies. One can observe that the technical boundaries between organizations and their clients are blurring quickly. Despite the many business advantages of this state of affairs, this is also a weakness from the point of view of cyber security – it is the main “vulnerability exploited” by cyber-criminals. Both the scale and the nature of the observed cyber-attacks show that attackers consciously and reasonably use the huge interdependence between organizations and the availability of new technologies, as well as the lack of effective control over their access.

* Corresponding author. Tel.: +48-261-839-504; fax: +48-261-837-858.
E-mail address: romuald.hoffmann@wat.edu.pl

2351-9789 © 2020 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Peer-review under responsibility of the scientific committee of the 1st International Conference on Optimization-Driven Architectural Design
10.1016/j.promfg.2020.02.243
The reality of information and data exchange is subject to profound changes that occur almost imperceptibly, but
constantly. These changes mean that we will have to look at issues such as privacy, data protection and security in a
completely new, fresh way and adapt our activities to the new cyber reality. The dynamics of changes in the
environment of organizations means that in order to maintain business continuity, the organizations need a different
perspective on the issue of business risk in cyberspace. Therefore, assuming that every organization was, is or will be attacked by cyber adversaries (e.g. criminals, terrorists, hacktivists), we propose an approach to cyber risk management based on the cyber kill chain concept introduced by Lockheed Martin and published in [1], [2]. The approach to cyber risk analysis presented in this article has not yet been published in the literature.

2. Information security and definition of cybersecurity

In today's networked world, information/data can be sent, shared and stored in many forms, both digital and
physical. Therefore, information security includes the protection of such information and technical methods of
transmission, sharing and storage. In most cases, information security focuses mainly on the triad of confidentiality,
integrity and availability (CIA) of data and information. The confidentiality refers to the situation in which
information/data is viewed only by parties with the appropriate authorization and is considered in relation to the
concept of the least privilege, in which each person has only the absolutely required permissions. The integrity
means that the data is protected against false changes or damage during transmission and storage. Finally, the
availability is a guarantee that the data is available to users with reasonable permission whenever they are needed,
i.e. without service disruptions and unnecessary downtime. This triad CIA focuses on the security of the data itself
and the IT systems involved in data processing.
Based on the CIA triad, modern cyber security uses a variety of technical tools, best-practice approaches, risk management principles and concepts to protect information (data), ICT systems and their users against all forms of digital and physical damage, and consequently against the financial losses caused by a data breach by any means. This is reflected in the following definitions of cybersecurity, the ones most often cited in the literature.
The International Organization for Standardization, in the document ISO/IEC 27032:2012 titled "Information
technology - Security techniques - Guidelines for cybersecurity", defines "cybersecurity" or "cyberspace security" as
"the preservation of confidentiality, integrity and availability of information in the Cyberspace". And “the
cyberspace” is defined as “the complex environment resulting from the interaction of people, software and services
on the Internet by means of technology devices and networks connected to it, which does not exist in any physical
form” [3]. The National Institute of Standards and Technology (NIST) defines cybersecurity as "the process of
protecting information by preventing, detecting, and responding to attacks" or "the prevention of damage to,
unauthorized use of, exploitation of, and—if needed—the restoration of electronic information and communications
systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of
these systems" [4]. The Committee on National Security Systems (CNSSI 4009 - 2015) defines cybersecurity as
"prevention of damage to, protection of, and restoration of computers, electronic communications systems,
electronic communications services, wire communication, and electronic communication, including information
contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation" [5].
Thus, we can conclude from the above definitions that the main requirements of cyber security are
confidentiality, integrity and availability of information and data.

3. Cyber risk management process and cyber actors – threats – vulnerabilities – consequences

The cyber risk management process is an ongoing process which should take the form of an ordered sequence of events, activities and decisions that result in the organization's cybersecurity [6]. Therefore, identifying potential cyber risk is a key task to avoid surprises such as a cyber crisis. We should be aware that, in order to deal successfully with risk analysis, it is crucial to know the cyber actors, threats and vulnerabilities, to understand the nature of cyber-attack processes, and to define the risk as precisely as possible by identifying its causes, scope, limits and the type of potential threats that may affect achieving the goals set by the entity. The overall relationship between the various categories of cyber actors, threats and vulnerabilities, their impact on information and data, and the further consequences is shown in Fig. 1. To date, the catalog of cyber threats contains at least: malware, web-based attacks, web application attacks, phishing, denial of service, spam, botnets, data breaches, insider threat, physical manipulation, information damage/theft/loss, information leakage, identity theft, crypto jacking, ransomware, cyber espionage, backdoors, information leakage, exploit kits [7].

[Fig. 1 (diagram): cyber actors (government, legislation-driven; terrorism; corporate espionage; criminal; hacktivist; nature) → threats (malware, web-based attacks, web application attacks, phishing, denial of service, spam, botnets, data breaches, insider threat, physical manipulation, information damage/theft/loss, information leakage, identity theft, crypto jacking, ransomware, cyber espionage, backdoors, exploit kits) → vulnerabilities (people, organizational structures, processes, technical, physical assets) → security requirements (confidentiality, integrity, availability) → consequences (national security, environment, life & health, economy, reputation)]

Fig. 1. Threats and vulnerabilities affect cybersecurity.

Fig. 2. Model of the risk management process in an organization [6].



As shown in Fig. 2 [6], we perceive the risk management process referring to the cyber security of an organization as iterative. The iterative approach to the cyber risk assessment process may take the form of increasing the level of detail in each iteration or of stopping the process: after each stage there are decision points (continue, end, return). We should realize that the risk assessment, including the risk analysis, is a fundamental element of the risk management system in the organization, since during the risk assessment process we obtain the information indispensable for making the right decisions concerning the strategy of handling the risk, the efficient choice of risk reduction measures, and the assessment of the transfer validity, acceptance or avoidance of the risk [6]. Once the risk has been identified, estimated and assessed, the management of the organization is expected to undertake the right strategies to mitigate the risks. The strategies should include the following activities relating to the risks: reducing, transferring, accepting, and avoiding the cyber-attacks.

4. Cyber kill chain

Despite how often people talk and write about cyber-attacks, even today many organizations and people perceive a cyber-attack as an event that can hardly be resisted. In reality, however, a cyber-attack does not last just a short while but is a process, i.e. a set of activities that must be performed in the right order and which have their duration and place. These activities are combined into logical groups and are executed in stages, thus creating a cyber-attack process which usually has a finite duration. Cyber-attack processes divided into phases can be named cyber kill chains [2] or cyber-attack life cycles [8]. In other words, cyber-attack life cycles are practical models describing cyber-attacks as a sequence of intrusion stages related to network security and information system security. In the research literature cyber-attack life cycles and their phases are variously named, defined and described. For instance, according to [9] the cycle consists of five stages: reconnaissance, scanning, system access, malicious activity and exploitation. In [2] the cyber-attack process is named the intrusion kill chain and defined as the sequence of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), actions on objectives. This chain is also described by many researchers, e.g. in [10], [11]. Other researchers [12] point out six stages: reconnaissance, weaponization, delivery, exploitation, installation, C2, objective achievement. These authors indicate that an attack on critical infrastructure should be considered as a sequence of six phases: reconnaissance, weaponization, delivery, cyber execution, control perturbation, physical objective realization. In cyber security papers, the cyber kill chain proposed in [1], [2] is a very popular conceptual model for describing cyber-attack processes, e.g. [7]. In this paper the cyber kill chain is understood as in [2], [8].

5. Risk management process based on cyber kill chain – proposition

It is publicly known that modern cyber-attacks are becoming more frequent and more sophisticated [13] than in the past, and their broad range of impact on business forces us to recognize that no organization today can afford a casual approach to cyber risk management. The approach to protecting key resources which has been used for years, based on the detection and neutralization of cyber threats during or after their occurrence and on the improvement of security processes based on the conclusions of the threat analysis, has ceased to be effective. The scale of potential losses in organizations strongly dependent on information technologies can be so significant that they will not have a chance to learn from their mistakes: they will no longer exist as a result of an effective cyber-attack. Cyber criminals and cyberterrorists know this very well. In this context one can notice that the most dangerous cyber-attacks are multi-stage in nature, use many attack vectors and, together with technological progress, become more and more complex, covering various elements and levels of the attacked organizations. Contrary to the general outlook, such cyber-attacks are not short-lived processes at all. Advanced cyber-attacks and intrusions are multistage and occur over periods of months or even years. Therefore, the risk management process should be based ("woven") on a cyber-attack life cycle. To illustrate our approach, we have chosen the cyber kill chain model developed initially by Lockheed Martin [1].

[Fig. 3 (table): risk management process steps (rows) across the cyber kill chain stages Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives (columns)]
Establishing the context: Reconnaissance – external; Weaponization – external; Delivery – external & internal; Exploitation – internal; Installation, C2, Actions on Objectives – external & internal.
Risk identification: Reconnaissance – asset, threat; Weaponization – threat; Delivery to Actions on Objectives – asset, threat, vulnerability.
Risk estimation: Reconnaissance, Weaponization – threat scenario; Delivery to Actions on Objectives – threat scenario, consequence & likelihood analysis.
Risk assessment: Reconnaissance, Weaponization – risk selection, risk ranging; Delivery to Actions on Objectives – risk selection, risk ranging, risk level determination.
Risk treatment: Reconnaissance – mitigation action, if it is possible; Weaponization – mitigation action; Delivery, Exploitation – defense, mitigation action, implementation strategies; Installation, C2, Actions on Objectives – attack/defense, mitigation action, implementation strategies.
Monitoring & review: Reconnaissance – monitoring, if it is possible; Weaponization – action, monitoring & review; Delivery to Actions on Objectives – 24/7 action, monitoring & review.
Fig. 3. Risk management process built on the Lockheed Martin cyber kill chain.

Observing the scale and rate of change of cyber threats [13], [14], [15], it can be assumed that every organization has been, is and will be attacked. In this paper, based on the reports of ENISA [7], we assume that each cyber-attack can be described by the cyber kill chain. In our approach, the risk management process should be applied continuously to each stage of the cyber kill chain, as described in Fig. 3.
The proposed cyber risk management process of identifying, analyzing, evaluating, assessing and ultimately responding to cyber threats and monitoring risks in each stage of the cyber kill chain is the heart of our approach. Applying the risk analysis on the kill chain across an entire organization, looking at both upside and downside risk, and considering risk in the context of strategy is what differentiates it from the traditional cyber risk management used so far, e.g. in [16]. The risk assessment steps (context, identification, evaluation, assessment) finally form the basis for decision-making about the priorities of the risks, the appropriate responses which should be taken, and the allocation of the organization’s resources to manage the risks in order to support the organization’s strategy in the best way. Cyber risk treatment involves deciding on and planning the best way to react to cyber threats and implementing a defense plan. Monitoring and reviewing the status of cyber risks and their management, and communication and consultation with stakeholders, take place throughout the risk management process in order to take the best action at the right moment against the cyber risks.
Traditional risk assessment quantifies risk as the product of the probability of an undesirable event leading to specific consequences and a measure of the negative impact on the organization due to this undesirable event (probabilistic risk assessment) [17], or as a triplet of threat, vulnerability, and consequences [18]. In this article we use probabilistic risk assessment to quantify cyber risks. To do this, we should first calculate the probability of each phase of the cyber kill chain, which can be determined using the following Markov model of the cyber kill chain with iterations proposed in [8].

6. Probabilistic risk assessment based on the Markov model of cyber kill chain - illustration

In mathematical terms, the process describing the dynamics of cyber-attack behavior can be modeled as a continuous-time Markov chain (CTMC) $\{X(t),\ t \ge 0\}$ with discrete state space $\mathbf{S} = \{S_1, \dots, S_7\}$ [8]. The basic states of the stochastic process $\{X(t),\ t \ge 0\}$ are the relevant stages of the considered cyber kill chain (see Fig. 4). We assume that the behavior of the cyber kill chain fulfils the Markov property, and that the stages of the cyber kill chain are understood as in [2], [8]. We assume that the transition rates between the states are unchanging over time, and that the transition rate matrix Q is known. Thus, on the basis of the above assumptions, the cyber kill chain can be modelled as a homogeneous CTMC. The Markov chain can be analyzed by forming and solving the Kolmogorov differential equations:

$$\frac{dP(t)}{dt} = P(t)\,Q \qquad (1)$$

with the generating matrix Q and the initial condition $P(0) = (P_1(0), \dots, P_7(0))$, where $P(t) = (P_1(t), \dots, P_7(t))$ and $P_i(t) = P\{X(t) = S_i,\ t \ge 0\}$ $(i = 1, \dots, 7)$.
The generating matrix Q has entries that are the rates at which the process $X(t)$ jumps from state to state. These entries are defined by

$$q_{ij} = \lim_{\Delta t \to 0} \frac{P\{X(t + \Delta t) = S_j \mid X(t) = S_i\}}{\Delta t} \quad \text{for all } i \ne j, \qquad q_{ii} = -\sum_{j \ne i} q_{ij}.$$

[Fig. 4 (state transition diagram): states S1 Reconnaissance, S2 Weaponization, S3 Delivery, S4 Exploitation, S5 Installation, S6 Command & Control (C2), S7 Actions on Objectives; forward transitions S1 → S2 → S3 → S4 → S5 → S6 → S7 with rates λ12, λ23, λ34, λ45, λ56, λ67; the skip transition S1 → S3 with rate λ13; the return transitions S3, S4, S5, S6, S7 → S1 with rates λ31, λ41, λ51, λ61, λ71]

Fig. 4. State transition diagram for the cyber kill chain [8].

As we mentioned earlier, we can calculate “risk” traditionally as the product of the likelihood of threats and their impacts on the assets of an organization. To illustrate our approach simply, let us assume that $V = (V_1, \dots, V_7)$ is a vector of monetary values of the organization’s assets calculated at each stage of the cyber kill chain. Then the “risk score” represented as $R(t)$ can be calculated using the following equation:

$$R(t) = P(t) \cdot V \qquad (2)$$

In the introduction to this article we state that organizations were, are and will be attacked by cyber adversaries. This means that the cycle of attacks is repeated over time. So, let us assume, as in [8], that cyber-attacks pass sequentially through the stages from “reconnaissance” to “actions on objectives” with the possibility of skipping only one stage: “weaponization”. Let us assume additionally that the cyber-attack phases may be stopped, abandoned or ended during any stage from “delivery” to “actions on objectives” at any time. This situation is illustrated in Fig. 4 by the directed graph with the state transitions of the given matrix Q for the Markov process $X(t)$ modelling the cyber kill chain with permanent cyber-attacks. The case of stopping, abandoning or ending an iteration of the cyber-attack corresponds to the transitions from S3, S4, …, or S7 to S1. Thus, the matrix Q is as follows:

$$
Q = \begin{pmatrix}
-(\lambda_{12}+\lambda_{13}) & \lambda_{12} & \lambda_{13} & 0 & 0 & 0 & 0 \\
0 & -\lambda_{23} & \lambda_{23} & 0 & 0 & 0 & 0 \\
\lambda_{31} & 0 & -(\lambda_{31}+\lambda_{34}) & \lambda_{34} & 0 & 0 & 0 \\
\lambda_{41} & 0 & 0 & -(\lambda_{41}+\lambda_{45}) & \lambda_{45} & 0 & 0 \\
\lambda_{51} & 0 & 0 & 0 & -(\lambda_{51}+\lambda_{56}) & \lambda_{56} & 0 \\
\lambda_{61} & 0 & 0 & 0 & 0 & -(\lambda_{61}+\lambda_{67}) & \lambda_{67} \\
\lambda_{71} & 0 & 0 & 0 & 0 & 0 & -\lambda_{71}
\end{pmatrix} \qquad (3)
$$

For the process $\{X(t),\ t \ge 0\}$ with the given matrix (3) we can calculate the steady state probabilities. Let $\pi = (\pi_1, \dots, \pi_7)$ be a stationary probability distribution where $\sum_{i=1}^{7} \pi_i = 1$. Thus, if $\lim_{t \to \infty} P_i(t) = \pi_i$ then $\lim_{t \to \infty} \frac{dP_i(t)}{dt} = 0$. The system of Kolmogorov differential equations (1) with the matrix (3) for $t \to \infty$ takes the form of the system of linear equations $\pi Q = 0$. The steady state probabilities $\pi_i$, $i = 1, \dots, 7$, can be obtained by solving the set of seven equations given by six of the seven equations from $\pi Q = 0$ together with the seventh equation $\sum_{i=1}^{7} \pi_i = 1$.
It is important to notice that we obtain the vector of steady state probabilities $\pi$ as numbers which help us to calculate the risk score $R = \lim_{t \to \infty} R(t)$ given by equation (2) as follows:

$$R = \pi \cdot V \qquad (4)$$

Let us consider two examples of the calculation of $\pi_i$ $(i = 1, \dots, 7)$ [8]. Firstly, we assume for simplicity that all non-zero transition rates are equal to a given $\lambda$, i.e. $\lambda_{12} = \lambda_{13} = \lambda_{23} = \lambda_{34} = \lambda_{45} = \lambda_{56} = \lambda_{67} = \lambda$ and $\lambda_{31} = \lambda_{41} = \lambda_{51} = \lambda_{61} = \lambda_{71} = \lambda$. Thus, we obtain the steady state probabilities as the vector of numbers

$$\pi = \left(\tfrac{1}{4}, \tfrac{1}{4}, \tfrac{1}{4}, \tfrac{1}{8}, \tfrac{1}{16}, \tfrac{1}{32}, \tfrac{1}{32}\right).$$

Then

$$R = \tfrac{1}{4} V_1 + \tfrac{1}{4} V_2 + \tfrac{1}{4} V_3 + \tfrac{1}{8} V_4 + \tfrac{1}{16} V_5 + \tfrac{1}{32} V_6 + \tfrac{1}{32} V_7.$$

The second example. For the second set of transition rates $\lambda_{ij}$ considered in [8], the stationary distribution $\pi = (\pi_1, \dots, \pi_7)$ is obtained from the same system of linear equations, and the risk score follows from equation (4) as $R = \sum_{i=1}^{7} \pi_i V_i$.

In order to calculate risks at each stage of the cyber kill chain the stochastic model has to be parameterized. Choosing the λij’s, i.e. the expected time to succeed with a cyber-attack stage given that it is pursued, remains a challenge. The most popular and straightforward solution is to ask experts in the cyber security domain to assess the rates λij and to rely on their opinion, or to analyze existing empirical data, or a combination of both. The best way to assess Markov transition rates would be on the basis of empirical findings from research on real network behaviors and the activities of ICT system users and threat actors, including e.g. browsing, downloads, installations, etc. Unfortunately, little data are publicly available which can be used to estimate the likelihood of specific cyber threats [19]. It should be mentioned that the process of assessing the rates λij is crucial, but it is not the primary focus of this article.
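The steady-state computation of Section 6 can be carried out exactly in a few lines. The following Python program is an added example written for this page; it is not code from the paper or from [8]. It builds the generator matrix Q of equation (3) from a dictionary of rates λij, solves πQ = 0 together with Σπi = 1 using six of the seven balance equations as the text describes, and evaluates the risk score R = π · V of equation (4) together with the per-stage contributions πi Vi. Exact rational arithmetic (`fractions.Fraction`) is used so the first example of the paper (all rates equal to λ) reproduces π = (1/4, 1/4, 1/4, 1/8, 1/16, 1/32, 1/32) exactly and shows that π does not depend on the common value of λ. The asset values in the `__main__` block are constructed for illustration and are not from the paper.

```python
from fractions import Fraction
from typing import Dict, List, Sequence, Tuple

# Kill-chain stages S1..S7 as in Fig. 4 (list index 0 is S1).
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control (C2)", "Actions on Objectives"]
N = len(STAGES)

# The only transitions with a non-zero rate in matrix (3): the forward chain,
# the single skip S1 -> S3 (weaponization omitted), and the return transitions
# S3..S7 -> S1 that end one iteration of the attack and start the next.
ALLOWED = frozenset({(1, 2), (1, 3), (2, 3), (3, 4), (4, 5), (5, 6), (6, 7),
                     (3, 1), (4, 1), (5, 1), (6, 1), (7, 1)})

Matrix = List[List[Fraction]]


def build_generator(rates: Dict[Tuple[int, int], Fraction]) -> Matrix:
    """Return Q with q_ij = lambda_ij for i != j and q_ii = -sum_{j != i} q_ij.

    `rates` maps (i, j), in 1-based state numbering, to lambda_ij. Exactly the
    transitions of matrix (3) must be present, each with a positive rate.
    """
    if set(rates) != ALLOWED:
        raise ValueError("rates must be given for exactly the transitions of matrix (3)")
    q: Matrix = [[Fraction(0)] * N for _ in range(N)]
    for (i, j), lam in rates.items():
        lam = Fraction(lam)
        if lam <= 0:
            raise ValueError(f"lambda_{i}{j} must be positive")
        q[i - 1][j - 1] = lam
    for i in range(N):
        q[i][i] = -sum(q[i][j] for j in range(N) if j != i)
    return q


def _solve(a: Matrix, b: List[Fraction]) -> List[Fraction]:
    """Exact Gauss-Jordan elimination for the square system a x = b."""
    n = len(b)
    m = [row[:] + [b[r]] for r, row in enumerate(a)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[pivot] = m[pivot], m[col]
        factor = m[col][col]
        m[col] = [x / factor for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]


def steady_state(q: Matrix) -> List[Fraction]:
    """Solve pi Q = 0 with sum(pi) = 1: six balance equations plus normalisation."""
    # The balance equation of state j is column j of Q: sum_i pi_i q_ij = 0.
    # The seven columns are linearly dependent, so the last one is dropped
    # and replaced by the normalisation equation, as the paper describes.
    a = [[q[i][j] for i in range(N)] for j in range(N - 1)]
    b = [Fraction(0)] * (N - 1)
    a.append([Fraction(1)] * N)
    b.append(Fraction(1))
    return _solve(a, b)


def is_stationary(pi: Sequence[Fraction], q: Matrix) -> bool:
    """Check all seven balance equations pi Q = 0 and sum(pi) = 1 exactly."""
    balance = all(sum(pi[i] * q[i][j] for i in range(N)) == 0 for j in range(N))
    return balance and sum(pi) == 1


def stage_risks(pi: Sequence[Fraction], values: Sequence[Fraction]) -> List[Fraction]:
    """Risk contribution pi_i * V_i of each kill-chain stage."""
    return [Fraction(p) * Fraction(v) for p, v in zip(pi, values)]


def risk_score(pi: Sequence[Fraction], values: Sequence[Fraction]) -> Fraction:
    """Equation (4): R = pi . V."""
    return sum(stage_risks(pi, values), Fraction(0))


def equal_rates(lam: Fraction) -> Dict[Tuple[int, int], Fraction]:
    """Parameterisation of the paper's first example: every non-zero rate equals lam."""
    return {ij: Fraction(lam) for ij in ALLOWED}


if __name__ == "__main__":
    q = build_generator(equal_rates(Fraction(1)))
    pi = steady_state(q)
    # Constructed asset values (not from the paper), one per stage.
    assets = [Fraction(v) for v in (0, 0, 10, 20, 40, 80, 160)]
    for name, p, r in zip(STAGES, pi, stage_risks(pi, assets)):
        print(f"{name:24s} pi = {str(p):5s} risk = {r}")
    print("R =", risk_score(pi, assets))
```

Because the rate dictionary is validated against the transition structure of matrix (3), a parameterisation that accidentally adds or omits a transition is rejected rather than silently producing a different chain; the same functions accept any positive rates λij, so the expert or empirical estimates discussed above can be substituted for the equal-rate assumption without changing the code.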

7. Conclusion

The leaders in cybersecurity will be those organizations which will not only be able to respond proactively to cyber threats but will also be able to anticipate and prevent them by using the principles of cyber risk management based on the approach proposed above. We believe that our proposal allows various organizations:

• to apply the principles of the traditional risk-based approach, which is well known among business organizations, together with cybersecurity based on the cyber kill chain approach,
• to understand well their cyber risk appetite and cyber threat profile,
• to prepare the organization effectively for a quick response to cyber incidents,
• to survive the inevitable cyber-attack,
• to adjust coherently the operating strategy in cyberspace to the organization's business goals,
• to build, through continuous education, exercises and improvement, the readiness of the organization to manage upcoming attacks,
• to strengthen cooperation with business partners and government and non-government institutions (e.g. ENISA), facilitating the acquisition of information and learning from the experience of others.

In our opinion, an important aspect of the proposed approach is the application of the principles of a risk-based approach together with the cyber kill chain concept, continuous monitoring [20], [21] and the acquisition of information both around the world, that is, on the market and in the geopolitical arena, and locally, that is, within an organization and its infrastructure. The risk assessment will be complete only if, on the one hand, it focuses on the details, and on the other hand, it is put in the context of other collected information. Although assessing cyber risk as the product of the likelihood of an adverse event at each stage of the cyber kill chain and the negative impacts may seem challenging, it can be practically done by combining the knowledge of cyber security experts with the analysis of existing data collected in the organization.
In the authors’ opinion the proposed risk-based approach, taken together with the cyber kill chain, is a forward-looking concept that will combine various laws, standards, regulations and good practices regarding information processing, information exchange and data protection, including personal data.

References

[1] M. Cloppert, Security Intelligence: Attacking the Kill Chain, http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/ (2009).
[2] E. M. Hutchins, M. J. Cloppert, R. M. Amin, Intelligence-driven computer network defense informed by analysis of adversary campaigns and
intrusion kill chains, Leading Issues in Information Warfare and Security Research, 1, Academic Publishing International Ltd, Reading, UK
(2011) 78-104.
[3] http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=44375 (access November 2019)
[4] https://csrc.nist.gov/glossary/term/cybersecurity (access November 2019).
[5] CNSSI 4009: Committee on National Security Systems (CNSS) Glossary, http://www.cnss.gov/cnss/issuances/Instructions.cfm (2015)
(access November 2019).
[6] R. Hoffmann, M. Kiedrowicz, J. Stanik, Risk management system as the basic paradigm of the information security management system in an
organization, https://doi.org/10.1051/matecconf/20167604010, MATEC Web of Conferences 76, 04010 (2016).
[7] ENISA, ENISA Threat Landscape Report 2018, https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018 (2019) (access
November 2019).
[8] R. Hoffmann, Markov Models of Cyber Kill Chains with Iterations, DOI: 10.1109/ICMCIS.2019.8842810, 2019 International Conference on
Military Communications and Information Systems (ICMCIS) (2019).
[9] K. G. J. Coleman, Aggression in Cyberspace, Conflict and Cooperation in the Global Commons: A Comprehensive Approach for
International Security, Georgetown University Press, Washington DC, (2012) 105-119.
[10] M. S. Khan, S. Siddiqui, K. Ferens, A Cognitive and Concurrent Cyber Kill Chain Model, Computer and Network Security Essentials,
Springer, Cham, Switzerland (2018) 585-602.
[11] Khan M. S., Siddiqui S., and Ferens K.: A Cognitive and Concurrent Cyber Kill Chain Model. In: Daimi K., (ed.) Computer and Network
Security Essentials, pp. 585-602. Springer, Cham, Switzerland (2018).
[12] A. Hahn, R.K. Thomas, I. Lozano, A. Cardenas, A multi-layered and kill-chain based security analysis framework for cyber-physical
systems, International Journal of Critical Infrastructure Protection, 11, (2015) 39-50.
[13] McAfee, McAfee Labs Threats Report. August 2019, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-aug-
2019.pdf (2019) (access November 2019).
[14] https://www.fireeye.com/cyber-map/threat-map.html (access November 2019).
[15] https://threatmap.checkpoint.com (access November 2019).
[16] A. Refsdal, B. Solhaug, K. Stølen, Cyber-Risk Management, Springer Briefs in Computer Science, Springer (2015).
[17] W. Keller, M. Modarres, A historical overview of probabilistic risk assessment development and its use in the nuclear power industry: A
tribute to the late Professor Norman Carl Rasmussen, Reliability Engineering & System Safety, 89(3) (2005), 271–285.
[18] S. Kaplan, B. J. Garrick, On the quantitative definition of risk, Risk Analysis, 1(1) (1981), 11–27.
[19] Z. A. Collier, D. DiMase, S. Walters, M. M. Tehranipoor, J. H. Lambert, I. Linkov, Cybersecurity standards: Managing risk and creating resilience, Computer, 47(9) (2014) 70–76.
[20] T. Yadav, A. M. Rao, Technical Aspects of Cyber Kill Chain, International Symposium on Security in Computing and Communication
SSCC 2015, CCIS 536 (2015) 438-452.
[21] E. Jonsson, L. Pirzadeh, A framework for security metrics based on operational system attributes, Proceedings 3rd International Workshop
on Security Measurements and Metrics (Metrisec 2011), (2011) 58–65.
