Table 1. SWOT analysis of related works

| SWOT / Proposal | Strengths | Weaknesses | Opportunities | Threats (Risks) |
|---|---|---|---|---|
| OCTAVE | Generic; investigates recovery impact areas. Simplicity; based on a questionnaire | Qualitative; no risk quantification | Applicability; applicable to small companies with limited resources | Complexity; difficult to understand |
| TARA | Predictive framework | Qualitative; no risk quantification | Complementary; may be combined with other approaches | Non-exhaustive; targeting only the most critical exposures |
| CVSS | Numerical; translation of experts' opinions into vulnerability severity scores | Scoring; only 3 color-coded levels | Scalability; may increase the number of levels in its color-coding system | Truthfulness; relies on a simple mathematical formalism |
| Exostar | Contextual; supply chain risk assessment | Completeness; ignores standalone risk assessment | Complementary; may be combined with other approaches | Correctness; depends on a questionnaire that may lead to incorrect results |
| CMMI | Contextual; enterprise risk and risk in the product development lifecycle | Objectivity; detection without correction guidance | Complementary; complements Exostar. Updates; related to ISO 9001 | Completeness; difficulty to correct identified weaknesses |
| ISO | Standardization; covers risk assessment and risk management | Compliance; consensus may not be reached or may be non-compliant | Extension; cyber risk assessment | Fairness/Completeness; depends on voluntary compliance and consensus |
| NIST | Standardization; Extensiveness; large size and extensive scope | Automation; lack of automation tools and support | Tool support | Complexity; documenting / updates are time-consuming |
| FAIR | Quantitative; impact assessment that recommends acceptable levels of exposure | Cost; no free tool support | Standardization; without voluntary compliance and consensus | Usefulness; promotes a commercial software |
| RiskLens | Quantitative; quantitative assessment tool promoted by FAIR | Validation; black box to be trusted without understanding its assessment process | Proof; peer-reviewed process | Confidence; no peer-review validation |
| CyVaR | Quantitative; quantitative assessment tool promoted by FAIR | Standardization; standard deviation | Extension; different cyber risk assessment | Complexity; difficult to understand |
| (Radanliev et al. 2018-a) [43] | Quantitative; economic impact assessment of IoT cyber risk | Construction; inherits CyVaR and MicroMort weaknesses. Automation; no tool support | Standardization | Complexity; Proof |
| (Nurse et al. 2017) [44] | Analysis; discusses the application of existing approaches in the IoT context | Completeness; Guidelines | Comprehensive study | - |
| (Radanliev et al. 2018-b) [45] | Guidelines; recommendations for IoT cyber risk assessment and understanding its economic impact | Construction; inherits CyVaR and MicroMort weaknesses. Automation; no tools and support | Modeling; Implementation | Complexity; Proof |
| (Malik & Singh 2019) [46] | Contextual; vulnerability identification and mitigation in the IoT context | Basic; based on a smart software vendor | Generalization; Extension; enhanced vulnerability database | Limited; basic lists of common vulnerabilities |
| (Akinrolabu et al. 2019) [48] | Contextual; cloud supply chain cyber risk assessment | Correlation-free; End-to-end risk | Extension; different cyber risk assessment | Complexity; Proof |
| (Jaidi & Labbene 2015) [62] | Dynamism; dynamic assessment. Mixed; quantitative and qualitative assessment | Correlation-free; Contextual; database security policies | Standardization | - |
| (Jaidi et al. 2018) [63] | Dynamism; dynamic assessment. Mixed; quantitative and qualitative assessment | Correlation-free; End-to-end risk | Standardization | - |
| (Cao et al. 2020) [66] | Fine-grained; use of topology attributes | Correlation-free; End-to-end risk | Standardization | Proof; to be validated in future work |