Evaluation of cyber security and modelling of risk propagation with Petri nets

Abstract

This article presents a new method of risk propagation among associated elements. On the basis of coloured Petri nets, a new class called propagation nets is defined. This class provides a formal model of a risk propagation. The proposed method allows for model relations between nodes forming the network structure. Additionally, it takes into account the bidirectional relations between components as well as relations between isomorphic, symmetrical components in various branches of the network. This method is agnostic in terms of use in various systems and it can be adapted to the propagation model of any systems' characteristics; however, it is intentionally proposed to assess the risk of critical infrastructures. In this paper, as a proof of concept example, we show the formal model of risk propagation proposed within the project Cyberspace Security Threats Evaluation System of the Republic of Poland. In the article, the idea of the method is presented as well as its use case for evaluation of risk for cyber threats. With the adaptation of Petri nets, it is possible to evaluate the risk for the particular node and assess the impact of this risk for all related nodes including hierarchic relations of components as well as isomorphism of elements.