It is a risk assessment tool that enables risk analysts to perform a risk evaluation in a multi-stakeholder manner for a given system. The tool has a two-fold purpose, (i) Evaluate and quantify risk levels for all involved stakeholders, and (ii) Solving the risk minimization problem, which is a multi-objective optimization problem. This tool works with JSON files, all inputs and outputs. Before using the tool, we invite you to read the documentation files (see Documents Section) in order to have a clear view of how this tool works. The documents are the research papers that define the Multi-Stakeholder Risk Minimization Problem and solve instances of this problem.
-Java 8 or higher
-Scala SDK V.2.13.2
-JavaFx SDK V.11.0.2 (for plotting the result)
-Gson library V.2.8.6
1. Clone the project
2. Import project into your desire IDE (our recommendation is IntelliJ IDEA)
3. Define or import the needed input files (i.e., adding the required JSON files, such as Threats, Goals, etc.)
The tool is divide into two main phases, 1) Risk evaluation 2) Optimization.
For the first phase, you need to define three JSON files (Threats
, Goals
, Stakeholder
) as input artifacts and three other JSON files as can be considered association actions (Threat_Impact
, Threat_Controls
, Threat_Affected
) , and for the second, you need one additional JSON file which is Threat_Existence
.
You can either create the input JSON files manually, according to the existing example in the clone project (jsonFiles folder) and its files structures, or through providing data from the console by calling the specific classes. For manually way, you just need knowledge about JSON file structure which you can follow the sample files in the jsonFiles folder. For the second method, you need to follow the following preliminary steps:
Note: All the classes have mentioned below are defined in the action folder.
-
Define Threats: In order to define the list of threats in your system you can run
ThreatDetermining.java
class then define number of threats and their name through the console. The resuult stores in theThreats
JSON file. -
Define Stakeholders and their impact Criteria: The involved stakeholders in the analysis and their impact criteria can be determined through
StakeholderDetermining.java
class and then the result stores in theStakeholder
JSON file. For example, a stakeholder can be Data subject, and Social situation, Individual freedom, Health condition and Financial situation are its impact criteria. Notice that this version of the tool only applicable to defining two stakeholders. -
Define Protection Goals: The protection goals can be specified through
GoalDetermining.java
class and then the result stores in theGoals
JSON file, for example, confidentiality, integrity, and availability. -
Determine Controls: In this step, you can determine for each threat the potential controls. Through
ControlDetermining.java
class you can determine the controls for each threat, and then result stored in theThreat_Controls
JSON file. -
Determine Threat-Protection Goal Association : Through this association, you can specify the relation between threats and goals in other word, each threat affect which protection goals. For example, Unauthorized access threat affects confidentiality and integrity protection goals. Through
ThreatGoalAssociation.java
class you can specify this association, and the result stores in theThreat_Affected
JSON file. -
Associate Threat Impacts: According to their impact criteria, the impact level of each threat for all involved stakeholders determines in
Threat_Impact
JSON file. In fact, in this action, the risk analyst assigns an integer value to the aversion level that each stakeholder is considered to have against each threat, according to his/her criteria. ThroughPreferenceImpacting.java
class you can determine the impact levels.
1) Risk Calculation
To calculate risk exposure levels, you need to run FinalRiskExposure.java
class from action folder, and the result will be stored in the Risk_Exposure_Result
JSON file. This file contains the risk levels in terms of protection goals for all involved stakeholders.
2) Optimization
For optimization, apart from the input artifacts defined in the preliminary steps, the tool needs one additional input, the Threat_Existence
JSON file. This JSON file needs to perform optimization where you must define all possible threat existence values for each threat. Hence, you need to define this input within the jsonFile folder. You can follow the sample in this folder to create the required input file.
In order to perform optimization and plot the result, you just need to Run RunOptimization.java
class from the optimization folder. Notice that plotting will take time which depends on the size of the threat list. After plotting, you will be asked to specify the minimum risk level for each stakeholder to see the Pareto optimal points, which you need to insert a Double Value from (0,1) interval.
This tool is part of following research papers:
- Multi-Stakeholder Cybersecurity Risk Assessment for Data Protection SECRYPT 2020.
- Identifying and Quantifying Trade-offs in Multi-Stakeholder Risk Evaluation with Applications to the Data Protection Impact Assessment of the GDPR [Underwriting]