Event-Based Cybersecurity Risk Assessment: Identifying Potential Cyber-Attacks in Organisations

Authors

  • Wan Azlena Wan Mohamad, Department of Computer Science, International Islamic University Malaysia, Kuala Lumpur, Malaysia
  • Noor Hayani Abd Rahim, Department of Information Systems, Kulliyyah of ICT, International Islamic University Malaysia, Kuala Lumpur, Malaysia
  • Nurul Nuha Abdul Molok, Department of Information Systems, Kulliyyah of ICT, International Islamic University Malaysia, Kuala Lumpur, Malaysia

DOI:

https://doi.org/10.31436/ijpcc.v11i2.572

Abstract

Cybersecurity risk assessment is crucial for organisations since cyber threats are becoming increasingly sophisticated and dynamic. This study investigates how organisations identify potential cyber-attacks within an event-based risk assessment context. Using a qualitative approach, semi-structured interviews were conducted with ten cybersecurity experts from diverse organisations. The experts possess extensive strategic, technical, and advisory expertise in the field. Thematic analysis of the data revealed four key practices: (i) collaborative brainstorming involving diverse stakeholders, (ii) referring to historical data and past incident logs, (iii) staying updated on current cyber-attack trends, and (iv) using established frameworks such as ISO/IEC 27005 supplemented with dynamic resources. These findings underscore the importance of integrating diverse methods and perspectives into event-based cybersecurity risk assessments to address evolving threats. The study contributes to theory and practice by offering actionable insights for organisations to identify potential cyber-attacks within an event-based cybersecurity risk assessment framework. Limitations are acknowledged, including reliance on self-reported data and a small sample size, with recommendations provided for future research.

Published

30-07-2025

How to Cite

Wan Azlena Wan Mohamad, Abd Rahim, N. H., & Abdul Molok, N. N. (2025). Event-Based Cybersecurity Risk Assessment: Identifying Potential Cyber-Attacks in Organisations. International Journal on Perceptive and Cognitive Computing, 11(2), 139–145. https://doi.org/10.31436/ijpcc.v11i2.572

Section

Articles