by Florian Skopik (AIT)
Cross-organizational cyber risk assessments are the cornerstone of an effective implementation of national cyber security strategies. Only those nation states who know the overall key risks to critical infrastructures and main weaknesses of providers of essential services, can anticipate future cyber security problems and appropriately plan for counter measures. Therefore, the aim of the project CRISCROSS [L1] is to come up with a design and proof-of-concept prototype that enables efficient distributed risk assessments within critical organizations, the timely reporting of findings via an intuitive web platform to the authorities, and the harmonization, aggregation and interpretation of received data at the national level.
The CRISCROSS concept foresees that stakeholders from various organizational levels of critical infrastructure providers are periodically surveyed. As depicted in Figure 1, from technicians to CISOs at the tactical and operational layer up to CEOs at the strategic level, people are asked to rate the relevance of key risks (e.g., lack of business continuity management). For relevant risks, they need to rate how much a risk applies, in their opinion, to their own organization and whether mitigating actions have been performed (e.g., SLAs, monitoring techniques, third-party assessments etc.). Survey feedback from these different levels of critical organizations across all domains is then collected in a centralized portal. An essential part of the project is the research question of how the surveys are evaluated, how answers are weighted and aggregated, and how the resulting big picture can help to create cyber situational awareness within security authorities [1].
Figure 1: Each organization assesses its risks at three levels and communicates findings to the authorities to create a large-scale situational awareness picture for decision makers.
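To make the three-level survey aggregation described above concrete, here is an added example (not code from the CRISCROSS project) that gates each answer on its relevance rating, weights the applicability rating by organizational level and by whether mitigations were performed, and rolls organization scores up into a per-sector picture for the authority. The level weights, the mitigation discount, the 0..4 applicability scale and the sample answers are all assumptions of this example; the page states that the weighting scheme is itself an open research question.

```python
from dataclasses import dataclass
from collections import defaultdict
from statistics import mean

# Assumed scheme: higher organizational levels carry more weight in the
# organization-wide view, and performed mitigations halve the exposure.
LEVEL_WEIGHT = {"technical": 1.0, "tactical": 1.5, "strategic": 2.0}
MAX_APPLIES = 4            # applicability scale 0 (does not apply) .. 4 (fully applies)
MITIGATION_DISCOUNT = 0.5  # assumed discount when mitigating actions are in place

@dataclass
class Answer:
    org: str
    sector: str
    level: str       # one of LEVEL_WEIGHT
    risk: str        # key risk, e.g. "lack_of_bcm"
    relevant: bool   # respondent considers the key risk relevant at all
    applies: int     # how much the risk applies to the respondent's own organization
    mitigated: bool  # mitigating actions (SLAs, monitoring, third-party audits) performed

def org_risk_score(answers, org, risk):
    """Weighted exposure in [0, 1] for one organization and risk; None if nobody rated it relevant."""
    rel = [a for a in answers if a.org == org and a.risk == risk and a.relevant]
    if not rel:
        return None
    num = sum(LEVEL_WEIGHT[a.level] * a.applies * (MITIGATION_DISCOUNT if a.mitigated else 1.0) for a in rel)
    den = sum(LEVEL_WEIGHT[a.level] * MAX_APPLIES for a in rel)
    return num / den

def level_disagreement(answers, org, risk):
    """Gap (0..1) between the most and least concerned level; a large gap flags an unrealistic self-assessment."""
    rel = [a.applies / MAX_APPLIES for a in answers if a.org == org and a.risk == risk and a.relevant]
    return max(rel) - min(rel) if rel else 0.0

def national_picture(answers):
    """Sector -> risk -> mean organization score: the aggregated view for the authority."""
    by_sector_risk = defaultdict(list)
    for sector, org, risk in {(a.sector, a.org, a.risk) for a in answers}:
        score = org_risk_score(answers, org, risk)
        if score is not None:               # organizations that see no relevance drop out
            by_sector_risk[(sector, risk)].append(score)
    picture = defaultdict(dict)
    for (sector, risk), scores in by_sector_risk.items():
        picture[sector][risk] = round(mean(scores), 3)
    return dict(picture)

# Constructed sample survey: two energy operators and one health provider, one key risk.
SAMPLE = [
    Answer("OrgA", "energy", "technical", "lack_of_bcm", True, 4, False),
    Answer("OrgA", "energy", "tactical", "lack_of_bcm", True, 3, True),
    Answer("OrgA", "energy", "strategic", "lack_of_bcm", True, 1, True),
    Answer("OrgB", "energy", "technical", "lack_of_bcm", True, 2, False),
    Answer("OrgB", "energy", "tactical", "lack_of_bcm", True, 2, False),
    Answer("OrgB", "energy", "strategic", "lack_of_bcm", True, 2, False),
    Answer("OrgC", "health", "strategic", "lack_of_bcm", False, 0, False),
]
```

In the sample, OrgA's technicians rate the risk as fully applying while the CEO rates it low, which `level_disagreement` surfaces as a 0.75 gap worth a closer look by the authority.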
This is an essential step to implement national security strategies and specifically to support NIS authorities in their daily work, since the national supervision of critical sectors is explicitly required by the directive [2]. Thus, authorities have a clear need to anticipate potential consequences if an organization is hit by a cyber attack. Vital questions, such as whether an organization is mature enough to deal with a larger incident on its own, or whether such an incident could affect other organizations, need to be answered. Information about the risks and the level of preparedness of individual organizations is of paramount importance for national decision making, and CRISCROSS clearly provides a substantial contribution to this task.
CRISCROSS is designed to provide answers to three current research questions of nation-wide cyber risk management and in the overall interest of the whole nation state and its authorities:
- First, an objectification of risk analysis approaches should be achieved. Therefore, the CRISCROSS project aims to come up with a method that reduces the dependency on only a few, typically high-level, expert opinions at the national layer, but rather collects detailed information directly from the system operators and providers, and aggregates distributed opinions in a sound manner. This is meant to facilitate an objective risk management approach at the national level.
- Furthermore, CRISCROSS works towards an approach to determine adequate indicators to measure the risks in critical sectors, as well as approaches for their measurement and quantification. The aim is to better understand the current and the realistically achievable (as opposed to desirable) security standards in various dimensions and to reliably identify and measure the gap in between. For this purpose, a suitable number of indicators and sources that deliver relevant data in the cyber-security and cyber-risk-related context must be found [3]. Based on this data, a mapping of the determined indicators to a functional and technical model that allows identifying the (inter-)dependencies of the investigated companies is key to a better understanding of the current risk situation across a nation state. In order to create an accurate picture of the current situation with respect to cyber-security and immanent risks, measurements and KPIs in numerous dimensions need to be aggregated.
- Third, CRISCROSS plans to adequately address (near-) real-time demands of a state-wide situational picture. In order to act appropriately upon a current situational picture, decision makers need to have the most accurate data available. Not collecting data on an, e.g., annual basis, but doing it efficiently on a weekly or even daily basis, especially in such a highly volatile area as cyber-security, is a huge challenge on its own and a key aspect of CRISCROSS. Closely related to this is the evaluation of trends and the adequate clustering of risk data across organizations – even if they are of different sizes and situated in different industry sectors.
The Project CRISCROSS and its Consortium
In order to attain these ambitious goals and finally ensure the wide applicability of developed tools and procedures, the project consortium consists of a vital mix of academics with deep knowledge in cyber security (Austrian Institute of Technology, Vienna University of Economics and Business, SBA Research), subject matter experts for the government sector (REPUCO Unternehmensberatung GmbH), practitioners from the software engineering domain (Research Industrial Systems Engineering GmbH) and representatives from the Ministry of the Interior, Ministry of Defence and the Austrian Federal Chancellery. CRISCROSS is an 18-month national research project running from 2017 to 2019 and is funded by the Austrian security-research program KIRAS and by the Austrian Ministry for Transport, Innovation and Technology (BMVIT).
[1] T. Pahi, M. Leitner, F. Skopik: “Preparation, Modelling and Visualization of Cyber Common Operating Pictures for National Cyber Security Centres”, Journal of Information Warfare, Vol. 16, Issue 4, Peregrine, 2017.
[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
[3] ENISA: National-level Risk Assessments: An Analysis Report, 2013.
Frank Christian Sprengel
REPUCO Unternehmensberatung GmbH, Austria