Title :
Assessing and Managing ICT Risk with Partial Information
Author :
Baiardi, Fabrizio ; Coro, Fabio ; Tonelli, Federico ; Bertolini, Alessandro ; Bertolotti, Roberto ; Pestonesi, Daniela
Author_Institution :
Dipt. di Inf., Univ. di Pisa, Pisa, Italy
Abstract :
Haruspex is a suite of tools to assess and manage in a probabilistic way the risk posed by an information and communication technology system. The suite is built around the application of a Monte Carlo method to a scenario where some intelligent threat agents sequentially select and compose attacks to reach their goals. Some tools of the suite build a description of a scenario with the agents, the target system, its vulnerabilities and the attacks they enable. Starting from this description, another tool applies a Monte Carlo method to simulate step by step the attacks of each agent and populate a database with samples on the attacks the agents implement, the goal they reach and the time this takes. Further tools use this database to produce statistics to assess the risk and to select countermeasures to be deployed. Since several tools of the suite require information on both the agents and the target system, we discuss how to conduct a robust assessment even when only partial information is available. To exemplify the proposed approach, we describe the assessment of an industrial control system.
Keywords :
Monte Carlo methods; business data processing; database management systems; information technology; risk management; Haruspex; ICT risk assessment; ICT risk management; Monte Carlo method; database; industrial control system; information and communication technology system; partial information; Analytical models; Databases; Engines; Monte Carlo methods; Security; Silicon; Uncertainty; Intelligent Threat Agent; Monte Carlo Method; Probabilistic Approach; Risk Assessment;
Conference_Title :
High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC,CSS,ICESS), 2014 IEEE Intl Conf on
Print_ISBN :
978-1-4799-6122-1
DOI :
10.1109/HPCC.2014.198