Scope and Field of Application
Industry sectors have so far assessed cyber risks, particularly software-related risks, in a largely siloed manner. Recently introduced and upcoming legislation, by contrast, mandates a horizontal treatment of cyber risks that spans multiple industry sectors, and where such legislation governs the placement of products and services on the EU Single Market, stringent requirements apply. Because risk assessment is predominantly informed by the context in which a product or service operates, reusing sectoral risk assessments (e.g. consumer, industrial, medical) in the development of technical standards that support such horizontal legislation has proven a complex and arduous exercise. This is particularly true of the subjective factors inherent in any risk assessment, which need to be kept under control; for the industry this remains largely an open issue.

There is therefore a need for an "adapter" concept (an approach, method, guidance, practice or other suitable formalism) that allows the investment different industry sectors have already made in risk assessment to be reused, while presenting a uniform "interface" that fits the conformity assessment requirements and other legal concerns of such horizontal legislation. No such unified "adapter" currently exists.

This Work Item (WI) shall address this gap and analyse the areas in which subjective factors play a role in this context and therefore have to be handled diligently. It shall also introduce the challenges that accompany the assessment of software-related risks in the context of market placement, and present essential principles for informing the risk assessment of products on the basis of their properties. Finally, it shall present a method, built on these principles and developed to address the challenges of such risk assessments, for constraining and controlling subjectivity.