ABSTRACT

This chapter focuses on dynamic risk management and its ability to drive decisions that minimize an organization's exposure to threats. Starting from the framework presented by NIST, the risk management process is briefly explained. For risk assessment, the risk factors and their integration into the risk assessment process are explained. The chapter provides an introduction to the use of probabilistic graphical security models within a risk management framework; to set up the environment for these graphical models, the use of scoring systems is also explained. Incorporating attack graphs into the dynamic risk assessment process, risk is interpreted as a probability metric and, following the network topology, Bayesian inference is conducted to address the need for dynamic risk assessment. However, this procedure scales exponentially for larger graphs, so a solution is given by introducing factor graphs and the Belief Propagation (BP) algorithm. Since the algorithm's exact use is limited to trees, other implementations of BP, called Loopy BP, are used to estimate the risk approximately. Finally, the rest of the chapter focuses on mitigation strategies by categorizing proactive mitigation actions.
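The following is an added, constructed example and not code from the chapter. It illustrates the tree-structured case in which Belief Propagation is exact: a four-host attack graph is modelled as a Bayesian network in which each node is "host compromised" and has a single parent, the per-edge exploit-success probabilities stand in for score-derived values, and a small "leak" probability covers paths the graph does not model. Host names, prior and all probabilities are assumptions. Pearl's sum-product message passing on the Bayesian-network tree is used here instead of the chapter's factor-graph formulation; both compute the same marginals on a tree. The brute-force function enumerates all 2^n assignments and is the exponential baseline that BP replaces; the `main` block shows how an observed compromise of one host (an alert) updates the risk of every other host.

```python
from functools import lru_cache
from itertools import product

# Constructed example: a tree-shaped Bayesian attack graph.  Each node is
# "host compromised" (1) or not (0); every non-root node has exactly one
# parent, which is what makes plain Belief Propagation exact here.
PARENTS = {"web": None, "app": "web", "db": "app", "files": "web"}
PRIOR_ROOT = 0.3  # assumed P(web=1): internet-facing host already compromised
# (P(child=1 | parent=0), P(child=1 | parent=1)).  The second value plays the
# role of a score-derived exploit-success probability; the first is a small
# "leak" for paths the graph does not model.  All values are constructed.
CPT = {"app": (0.05, 0.6), "db": (0.02, 0.4), "files": (0.05, 0.5)}

def p_one(node, parent_state):
    """P(node=1 | parent state); the root uses its prior."""
    if PARENTS[node] is None:
        return PRIOR_ROOT
    return CPT[node][parent_state]

def p_state(node, state, parent_state):
    p1 = p_one(node, parent_state)
    return p1 if state == 1 else 1.0 - p1

def children(node):
    return [c for c, p in PARENTS.items() if p == node]

def ev(node, state, evidence):
    """Evidence factor: 0 if the node was observed in the other state, else 1."""
    return 0.0 if (node, 1 - state) in evidence else 1.0

# --- exact sum-product (Pearl's message passing) on the tree ---------------
@lru_cache(maxsize=None)
def lam(node, evidence):
    """lambda(node)[s]: evidence at node combined with all subtrees below it."""
    out = []
    for s in (0, 1):
        v = ev(node, s, evidence)
        for c in children(node):
            v *= lam_msg(c, s, evidence)
        out.append(v)
    return tuple(out)

def lam_msg(child, parent_state, evidence):
    """Upward message lambda_{child->parent}(parent_state)."""
    lc = lam(child, evidence)
    return sum(p_state(child, s, parent_state) * lc[s] for s in (0, 1))

@lru_cache(maxsize=None)
def pi(node, evidence):
    """pi(node)[s]: support from the parent side, including siblings' subtrees."""
    par = PARENTS[node]
    if par is None:
        return (1.0 - PRIOR_ROOT, PRIOR_ROOT)
    msg = []  # downward message pi_{parent->node}(parent_state)
    for ps in (0, 1):
        v = pi(par, evidence)[ps] * ev(par, ps, evidence)
        for sib in children(par):
            if sib != node:
                v *= lam_msg(sib, ps, evidence)
        msg.append(v)
    return tuple(sum(msg[ps] * p_state(node, s, ps) for ps in (0, 1)) for s in (0, 1))

def bp_marginals(evidence=None):
    """Posterior P(node=1 | evidence) for every node, via Belief Propagation."""
    evidence = frozenset((evidence or {}).items())
    result = {}
    for n in PARENTS:
        belief = [pi(n, evidence)[s] * lam(n, evidence)[s] for s in (0, 1)]
        result[n] = belief[1] / (belief[0] + belief[1])
    return result

# --- brute-force enumeration: the exponential baseline BP replaces ---------
def brute_force_marginals(evidence=None):
    evidence = evidence or {}
    nodes = list(PARENTS)
    total, z = {n: 0.0 for n in nodes}, 0.0
    for states in product((0, 1), repeat=len(nodes)):  # 2^n assignments
        assign = dict(zip(nodes, states))
        if any(assign[k] != v for k, v in evidence.items()):
            continue
        p = 1.0
        for n in nodes:
            par = PARENTS[n]
            p *= p_state(n, assign[n], None if par is None else assign[par])
        z += p
        for n in nodes:
            if assign[n] == 1:
                total[n] += p
    return {n: total[n] / z for n in nodes}

if __name__ == "__main__":
    print("prior risk     :", bp_marginals())
    print("after db alert :", bp_marginals({"db": 1}))   # dynamic update
    print("brute force    :", brute_force_marginals({"db": 1}))
```

With these constructed numbers the prior risk of the web host is 0.3; observing the database host compromised raises it to about 0.73, and the two methods agree to floating-point precision. The memoized messages make BP linear in the number of edges, whereas the enumeration grows as 2^n, which is the scaling problem the abstract describes; on a graph with cycles the same message schedule would no longer be exact, which is where Loopy BP comes in.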