Assessing Cybersecurity Risk Using “Capture the Flags”

05 December 2019

At the ‘Cyber Risk as an Experimental Discipline’ symposium of the Society for Risk Analysis (SRA) Annual Meeting, one of CyberSec4Europe’s partners, the University of Trento, will present its work on cybersecurity risk assessment using Capture the Flag (CTF) competitions.

Cyber risk is an increasingly hot topic on the international agenda, yet it remains elusive as a quantitative discipline. Almost all industry standards are qualitative, and most research papers rely on observational data to perform risk analysis. Analysis based on observational data is limited, however, because such data records only the attacks that were detected; in the words of Richard Clayton, director of the Cambridge Cybercrime Centre, “With data exhaust we don’t know if we are measuring dim attackers getting caught rather than smart attackers getting through”.

The University of Trento’s work proposes generating the data with Capture the Flag exercises instead. CTFs are information security competitions in which participants exploit and patch security vulnerabilities in a controlled, clean environment, so both successful and unsuccessful attack attempts are observed, together with the time each one took. These competitions can therefore provide the experimental data needed to quantitatively estimate the probability of compromise. The University of Trento will present the design principles of this approach and will analyse and discuss its suitability and limitations. For more information on the Society for Risk Analysis (SRA) Annual Meeting, please see the meeting’s website.
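To make the idea concrete, the following is an added example and not the University of Trento’s method or code: it takes a constructed CTF solve log (team, challenge, minutes until the team compromised the challenge, empty if it never did before the window closed) and turns it into two quantitative risk estimates per challenge. The first is the plain fraction of teams that compromised the challenge within the window, with a Wilson 95% confidence interval; the second is a Kaplan–Meier curve of time-to-compromise, which keeps the teams that did not succeed as right-censored observations instead of discarding them. Field names, the 120-minute window and the choice of estimators are assumptions made for the illustration.

```python
"""Estimate probability of compromise from CTF solve records (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from typing import List, Optional, Tuple

# Constructed CTF log, not real competition data.  One row per team/challenge;
# an empty minutes_to_compromise means the team never solved it in the window.
CTF_LOG = """\
team,challenge,minutes_to_compromise
alpha,sqli-login,14
beta,sqli-login,22
gamma,sqli-login,
delta,sqli-login,40
alpha,heap-uaf,
beta,heap-uaf,95
gamma,heap-uaf,
delta,heap-uaf,
"""
WINDOW_MINUTES = 120.0  # assumed length of the competition


@dataclass
class Attempt:
    team: str
    challenge: str
    minutes: Optional[float]  # None = right-censored (no compromise in window)


def parse_log(text: str) -> List[Attempt]:
    """Parse the CSV log above; the header line is skipped."""
    attempts = []
    for line in text.strip().splitlines()[1:]:
        team, challenge, minutes = line.split(",")
        attempts.append(Attempt(team, challenge, float(minutes) if minutes else None))
    return attempts


def wilson_interval(successes: int, trials: int, z: float = 1.96) -> Tuple[float, float]:
    """Wilson score interval for a binomial proportion (z=1.96 gives 95%)."""
    if trials == 0:
        return (0.0, 1.0)
    p = successes / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def compromise_rate(attempts: List[Attempt]):
    """Per challenge: (P(compromise within window), 95% Wilson interval)."""
    counts = defaultdict(lambda: [0, 0])  # challenge -> [compromised, attempted]
    for a in attempts:
        counts[a.challenge][1] += 1
        if a.minutes is not None and a.minutes <= WINDOW_MINUTES:
            counts[a.challenge][0] += 1
    return {c: (k / n, wilson_interval(k, n)) for c, (k, n) in counts.items()}


def survival_curve(attempts: List[Attempt], challenge: str) -> List[Tuple[float, float]]:
    """Kaplan-Meier estimate of S(t) = P(not yet compromised at time t) for one
    challenge.  Unsolved attempts are censored at WINDOW_MINUTES, so they still
    count as 'at risk' up to the end instead of silently vanishing from the data."""
    obs = sorted(
        (a.minutes if a.minutes is not None else WINDOW_MINUTES, a.minutes is not None)
        for a in attempts if a.challenge == challenge
    )
    at_risk, surv, curve, i = len(obs), 1.0, [(0.0, 1.0)], 0
    while i < len(obs):
        t = obs[i][0]
        same_t = [e for tt, e in obs if tt == t]
        events = sum(same_t)
        if events:
            surv *= 1 - events / at_risk
            curve.append((t, surv))
        at_risk -= len(same_t)
        i += len(same_t)
    return curve


if __name__ == "__main__":
    data = parse_log(CTF_LOG)
    for chal, (p, (lo, hi)) in compromise_rate(data).items():
        print(f"{chal}: P(compromise) = {p:.2f}  95% CI [{lo:.2f}, {hi:.2f}]")
        print("  time-to-compromise curve:", survival_curve(data, chal))
```

With only four teams the intervals are wide, which is the point of printing them: the CTF gives a defensible estimate with an honest uncertainty, whereas observational breach data gives neither the denominator (how many attackers tried) nor the failed attempts.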

Giorgio Di Tizio, University of Trento