Cyber & IT Supervisory Forum - Additional Resources

A multilayer framework for good cybersecurity practices for AI June 2023

• Risk management. Risks are treated by selecting and implementing appropriate countermeasures (Figure 4). The appropriate selection of controls requires a cost-benefit analysis, to determine the risks the manufacturer is willing to accept and compare the costs of those risks against the benefits.

Figure 4: Phases of security management based on NIST

The major focus lies on enterprises and the identification, analysis and evaluation of threats and vulnerabilities, along with the estimation of risk levels to the respective enterprise assets. The outcome of a risk analysis is a list of threats to all assets of the enterprise ICT system, together with the corresponding risk levels of these threats to all assets. Since its creation, ENISA has worked on RM and has produced several methodologies and best practices (see Table 1) that can be used to conduct RM and that AI stakeholders can use to secure the ICT infrastructure that hosts their AI systems.

Table 1: ENISA publications on risk assessment

Publication name

ENISA, Methodology for Sectoral Cybersecurity Assessments, 2021, https://www.enisa.europa.eu/publications/methodology-for-a-sectoral-cybersecurity-assessment

ENISA, National-level Risk Assessments: An analysis report, 2013, https://www.enisa.europa.eu/publications/nlra-analysis-report

ENISA, Consumerization of IT: Final report on risk mitigation strategies and good practices, 2012,
