Introduction of a Novel Risk based Approach in the Multimodal Transport Cyber Security Ecosystem
The first blog article prepared by STAM (September 2021) introduced the problem related to the cybersecurity and the need to have efficient means for assessing the level of protection of the organizations. In the framework of the CitySCAPE project, STAM has collaborated with several partners to the development of FIMCA (Financial impact and cost-benefit assessment). The tool aims to assess the potential financial impact associated with cyber threats on both tangible and intangible assets. The first are those assets that can be associated with physical objects and assets that the organisation owns and that are used to generate a service, while the others are related to brand reputation, data, intellectual property, etc.
After one year from STAM first article, FIMCA has been released by STAM and ENG and it has been demonstrated during the Tallinn Pilot (August 2022) and it is used now for the execution of Genoa Pilot.
CitySCAPE Financial impact and cost-benefit assessment
As our readers may already know, the CitySCAPE platform is consisting of different modules aimed assess the cybersecurity levels of the public transport organizations. FIMCA is part of this platform and aims to assess the financial impact generated by the risk in cybersecurity. When the word ‘risk’ comes into play, RITA (Risk Analysis and Impact Assessment tool) and FIMCA work closely together to assess the organisation’s risk and financial impact. In fact, the latter uses the results of RITA to assess financial impacts. From the user experience point of view, after performing a risk assessment, the user can decide to perform a financial impact assessment and a cost-benefit analysis comparing different configurations of the organisation. A configuration is characterised by different sets of security measures in order to assess which is the optimal solution for the organisation. Therefore, each countermeasure has a different effect (efficiency) and, of course, also different investment costs for the application that determine the weights to be placed on the scales when comparing costs and benefits.
The FIMCA tool guides the user in the selection of countermeasures by applying CIS controls[1]. These controls are part of a computer defence guide and include more than 150 security measures divided into 18 groups. Moving from the first to the last group, the complexity of the countermeasures increases. In fact, we go from the first groups with more elementary countermeasures to the last with more advanced solutions, which are usually suggested for companies that have high cyber security requirements.
Therefore, what does the user in practice in FIMCA?
Whenever a user decides to perform a financial impact assessment, he or she lands from RITA to the FIMCA homepage. The homepage first shows a summary of the results of the risk assessment and allows the user to manage their organisation’s configurations. In each configuration, the user must provide general information about the organisation he or she represents, in particular: company size, revenue, average hourly cost of employees and contractors, economic value of company assets and services. After that, he or she must select the countermeasures he or she wishes to evaluate in the cost-benefit analysis. In fact, it is precisely the countermeasures that distinguish the different configurations from each other, and once you have at least two configurations to compare (usually the original and a new customised one), you can perform the cost-benefit analysis for tangible and intangible assets.
Figure 1 Fimca Homepage
The calculation engine implemented in FIMCA was developed specifically for CitySCAPE. In fact, the assessment of economic impacts exploits the data structure created in RITA and the results of its risk assessments. Impacts are then translated into economic terms considering the following cost items:
- The economic losses due to the disruption of a service.
- The physical damage on the assets (i.e., repair and replacement costs).
- The impact on the brand, reputation and human capital.
- The security measures adopted.
Through FIMCA, the user can then actively evaluate the different strategies, assessing the sustainability of the investments as the economic impacts change. In fact, the indicator used to provide the user with an insight into the quality of the work performed, and thus of the configurations created, is the ROSI (Return on Sustainability Investment) index. This index compares the economic impacts of the two configurations based on the results of the risk assessment and adds to this balance the cost of the investment required to implement the new countermeasures. This is then compared again with the investment and a percentage indicator is obtained. When the ROSI obtained is negative, the new configuration created is worse than the baseline. When it is positive, the new configuration can be said to be better and more secure.
STAM and ENG worked closely together in the realisation of FIMCA. However, it is important to mention that the result obtained is also the result of a very strong cooperation with ED and UPRC who, although involved in RITA, actively participated in the development of FIMCA and the implemented methodology.