Irish researchers create new tool to assess cyber risks

15 Jun 2021

Image: © Song_about_summer/

As cyberattacks rise, Lero researchers have developed a framework that provides a risk score and pinpoints steps that can be taken to improve security measures.

A new tool aims to enable large organisations to identify, assess and mitigate cyber risks, and help insurance companies design appropriate products.

It was developed by researchers at Lero, the Science Foundation Ireland research centre for software, working in the emerging risk group at University of Limerick (UL).

The tool combines risk matrix and bow-tie models to produce a rating based on the likelihood of a cyber threat occurring and the potential severity of a resulting incident.

Researchers said that this approach, which was tested at a hospital in mainland Europe, can offer a risk score and also pinpoint steps that can be taken to improve security measures.

Cyberattacks have been on the rise over the past year and global losses from cybercrime were estimated to be just under $1trn in 2020.

“Cyberattacks pose a growing threat to global commerce that is increasingly reliant on digital technology to conduct business,” said Dr Barry Sheehan of UL, who led the research team.

“Traditional risk assessment and underwriting practices face serious shortcomings when encountered with cyber threats.”

The team’s cyber risk classification and assessment framework, QBowtie, is outlined in an article in the Journal of Risk Research. It is designed to demonstrate the significance of proactive and reactive barriers in reducing companies’ exposure to cyber risks, as well as quantify those risks.

“While we studied the exposure of a hospital, healthcare settings would be infrequent targets for cyberattacks. Although, as we have seen in Ireland, there are exceptions,” Sheehan added, referencing the recent HSE ransomware incident.

“This tool would not have prevented such an attack,” he explained.

“Instead, it would provide a more robust methodology for cyber risk assessment, which will allow insurance companies, for example, to more accurately assess risk, supporting more granular pricing. This means that the premiums of companies purchasing cyber insurance products will more accurately reflect their cyber risk.”

Lero is an industry-focused research centre that brings together software teams from universities and institutes of technologies across Ireland.

The centre is hosted by UL and academic partners include Dublin City University, Trinity College Dublin, University College Dublin, Maynooth University, NUI Galway, University College Cork, Dundalk Institute of Technology, Munster Technological University, Waterford Institute of Technology, Limerick Institute of Technology and the recently added Galway-Mayo Institute of Technology.

Sarah Harford was sub-editor of Silicon Republic