
A multilayer framework for good cybersecurity practices for AI, June 2023

https://www.enisa.europa.eu/publications/COIT_Mitigation_Strategies_Final_Report
ENISA, ‘Inventory of Risk Management / Risk Assessment Methods and Tools’, n.d., https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/inventory-of-risk-management-risk-assessment-methods-and-tools?v2=1&tab=details
ENISA, Risk Assessment – Guidelines for trust service providers, part 2, 2013, https://www.enisa.europa.eu/publications/tsp2-risk
ENISA, Cloud Computing – Benefits, risks and recommendations for information security, 2009, https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment
ENISA, Methodology for Sectoral Cybersecurity Assessments, 2021, https://www.enisa.europa.eu/publications/methodology-for-a-sectoral-cybersecurity-assessment

Mitigating the risks found in an ICT infrastructure requires selecting countermeasures, both soft measures (e.g. procedures and processes) and hard measures (e.g. technical controls). AI stakeholders can use ISO 27002 [15] for the implementation and management of technical controls, together with the technical control catalogues published by international organisations (e.g. SANS Top 20 [16], UCI [17], CIS Critical Security Controls [18]). Apart from these guidelines, a number of EU research projects related to RM, in which innovative security management tools have been developed, can be useful to AI stakeholders [19].

Threat agents and attackers’ profiles in AI ecosystems

AI stakeholders need to be aware of their adversaries in the operational environment. Three key components characterise a potential adversary: means, motive and opportunity. An attack occurs when the attacker has all three: the means to execute it, the opportunity to do so by exploiting a vulnerability, and a motive to target the victim in question.

AI stakeholders and operators therefore need to analyse potential attackers in order to estimate risk levels more realistically and accurately, and to select appropriate countermeasures [20].

[15] https://www.iso.org/standard/54533.html
[16] https://www.sans.org/critical-security-controls/
[17] https://security.uci.edu/security-plan/plan-controls.html
[18] https://www.cisecurity.org/controls/cis-controls-list/
[19] For a list of relevant EU projects, see the CORDIS website: https://cordis.europa.eu
[20] Kioskli, K. and Polemi, N., ‘Estimating attackers’ profiles results in more realistic vulnerability severity scores’, in Ahram, T. and Karwowski, W. (eds), Human Factors in Cybersecurity, AHFE (2022) International Conference, AHFE Open Access, Vol. 53, AHFE International, 2022, http://doi.org/10.54941/ahfe1002211
