The paper presents the analysis of national and foreign literature on the methods of cybersecurity risk assessment including critical infrastructure facilities. It is stated that cybersecurity and risk assessment are an important issue of critical infrastructure facilities. The paper proposes graphical and analytical methods for assessing the total cybersecurity risk of I&C systems including critical infrastructure facilities. These total risk assessment methods are based on determining the maximum values of consequences for each risk. It is shown that the maximum values of cyber threat effects can be determined by expert means, as the maximum losses that can be caused to the company assets. The proposed methods make it possible to determine the total cybersecurity risk of critical infrastructure, the total losses due to multiple cyber threats, the total losses due to a single cyber threat for a certain period of time, the likelihood of maximum losses due to multiple cyber threats. There are the advantages of these methods for assessing total risk. Based on the proposed methods, it is possible to develop a methodology for assessing the cybersecurity risks of I&C systems including critical infrastructure facilities, and build decision support systems for the application of risk reduction measures. The economic feasibility of applying these or other risk treatment measures, both organizational and technical, is defined by evaluating the cost of such measures with the maximum amount of losses due to the total risk.
2. Jain, P., Pasman, H. J., Waldram, S., Pistikopoulos, E. N., Mannan, M. S. (2018). Process Resilience Analysis Framework (PRAF): A systems approach for improved risk and safety management. Journal of Loss Prevention in the Process Industries, No. 53, 61–73.
3. Mokhor, V., Bakalynskyi, O., Bohdanov, O., Tsurkan, V. (2017). Interpretation of the simple risk level dependence of its implementation in the terms of analytic geometry. Information Technology and Security, 5(1), 71–82.
4. Bochkovskyi, A., Gogunskii, V. (2018). Development of the method for the optimal management of occupational risks. Eastern-European Journal of Enterprise Technologies, 3(97), 6–13.
5. Prokopenko, T., Grigor, O. (2018). Development of the comprehensive method to manage risks in projects related to information technologies. Eastern-European Journal of Enterprise Technologies, 2(3), 37–43.
6. Mokhor, V., Honchar S. (2018). The idea of the construction of the algebra of risks on the basis of the theory of complex numbers. Electronic modeling, 40(4), 107–111.
7. Cherdantseva, Yu., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, No. 56, 1–27.
8. Eling, M., Wirfs, J. (2019). What are the actual costs of cyber risk events? European Journal of Operational Research, 272(3), 1109–1119.
9. Young, D., Lopez Jr., J., Rice, M., Ramsey, B., McTasney, R. (2016). A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection, No. 14, 43–57.
10. Alali, M., Almogren, A., Mehedi Hassan, M., Rassan, I., Alam Bhuiyan, Z. (2018). Improving risk assessment model of cyber security using fuzzy logic inference system. Computers & Security, No. 74, 323–339.
11. Radanlieva, P., De Rourea, Ch., Nicolescub, R., Huthb, M., Mantilla Montalvoc, R., Cannadyc, S., Burnap, P. (2018). Future developments in cyber risk assessment for the internet of things. Computers in Industry, No. 102, 14–22.
12. Shin. J., Son, H., Heo, G. (2017). Cyber security risk evaluation of a nuclear I&C using BN and ET. Nuclear Engineering and Technology, 49(3), 517–524.