Abstract
The increasing number of cyberattacks and their potential disruptive impacts cause significant concerns for companies, governments, and society. A successful cyberattack can, for example, cause financial losses due to business disruption, affect the privacy of people due to data leakages, and make critical resources completely inaccessible to interested stakeholders. This puts cybersecurity at the center of a digital society and makes it one of the anchors of all technologies and industries that support a connected and automated society. Therefore, it is essential to look at cybersecurity not only as a technical problem, but also from the economic, societal, and legal perspectives. Today, companies still neglect planning and investment in cybersecurity for several reasons. First, they face budget constraints and do not see cybersecurity investments as a priority. Second, the high amount of information and the planning complexity make implementing a cybersecurity strategy cumbersome for companies that do not have in-house expertise. Finally, companies, especially Small and Medium-sized Enterprises (SMEs), do not see themselves as the target of a potential cyberattack. This utterly wrong view makes SMEs one of the main targets of cyberattacks worldwide, since the likelihood of a successful cyberattack is higher for them than for companies with a well-defined cybersecurity strategy. Therefore, there is still a need for approaches that support companies, especially SMEs, during the cybersecurity planning and investment phases. These phases include supporting the understanding and definition of cybersecurity requirements, the definition of the budget and investment path to achieve a proper level of cybersecurity, and the selection of protections with a positive return on investment that also satisfy specific business demands. This PhD thesis addresses these gaps in cybersecurity planning and investment by proposing the CyberTEA approach.
This approach is composed of a five-phase methodology, a framework, and a set of solutions for cybersecurity planning and investment, considering the technical requirements of cybersecurity and its economic dimensions, such as the potential economic impacts of cyberattacks and the cost-benefit of protections available on the market against specific threats. The methodology describes the key phases to consider during cybersecurity planning and investment, while the framework maps and implements the components needed to support the tasks required in each phase. A set of new solutions is also designed and implemented to (i) simplify the risk assessment of companies, (ii) analyze and classify cyberattacks, (iii) calculate the optimal investment in cybersecurity, and (iv) recommend protections based on business profiles. Furthermore, supplementary solutions for cybersecurity planning are provided to address additional aspects and challenges faced by the cybersecurity market, such as information sharing, cyber insurance, and marketplaces for protection. Quantitative and qualitative evaluations were conducted to analyze different aspects that give evidence of the feasibility, accuracy, and performance of the proposed solutions. These experiments were adapted to each solution according to the dimensions and features under evaluation. The results highlight (a) the potential of simplified risk assessment in companies using selected attributes, (b) the feasibility and benefits of visualizations to understand and investigate cyberattack traffic, (c) the capacity of ML-based techniques to classify cyberattacks and predict risks correctly, (d) the role of conversational agents as an ally for cybersecurity awareness and risk management, (e) the benefits of solutions that integrate cybersecurity metrics into the decision process, and (f) the feasibility of protection recommender systems.
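The abstract refers to the cost-benefit of protections and to selecting protections with a positive return on investment. The following added example, which is not part of the thesis or of the CyberTEA framework, shows the standard quantitative reasoning behind such a selection: annual loss expectancy (ALE = SLE x ARO) per threat, return on security investment (ROSI) per protection, and a greedy choice under a budget. All threats, protections, loss figures, occurrence rates and mitigation fractions are constructed for illustration only; the generalisation beyond a single protection (combining several mitigations against the same threat and re-evaluating ROSI after each choice) is the example's own.

```python
"""Illustrative ROSI-based protection selection (constructed example).

Not the CyberTEA methodology or its code: the formulas are the classic
ALE / ROSI ones, and every figure below is made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    single_loss_expectancy: float     # estimated loss per incident (currency units)
    annual_rate_of_occurrence: float  # expected incidents per year

    @property
    def annual_loss_expectancy(self) -> float:
        # ALE = SLE x ARO
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass
class Protection:
    name: str
    annual_cost: float
    # fraction by which the protection reduces a threat's ARO (0..1); constructed values
    mitigation: dict = field(default_factory=dict)


def residual_ale(threats, protections):
    """ALE that remains once the given protections are in place.

    Mitigations against the same threat combine multiplicatively: two
    independent 50% reductions leave 25% of the original rate.
    """
    total = 0.0
    for t in threats:
        rate = t.annual_rate_of_occurrence
        for p in protections:
            rate *= 1.0 - p.mitigation.get(t.name, 0.0)
        total += t.single_loss_expectancy * rate
    return total


def rosi(threats, protection, baseline=None):
    """ROSI = (ALE reduction - cost) / cost, measured against a baseline set
    of protections already selected (so marginal benefit shrinks as controls
    against the same threat accumulate)."""
    baseline = list(baseline or [])
    before = residual_ale(threats, baseline)
    after = residual_ale(threats, baseline + [protection])
    return (before - after - protection.annual_cost) / protection.annual_cost


def select_protections(threats, catalog, budget):
    """Greedy plan: keep adding the protection with the best marginal ROSI
    while that ROSI is positive and the budget is not exceeded."""
    chosen, spent = [], 0.0
    remaining = list(catalog)
    while remaining:
        best = max(remaining, key=lambda p: rosi(threats, p, chosen))
        if rosi(threats, best, chosen) <= 0 or spent + best.annual_cost > budget:
            break
        chosen.append(best)
        spent += best.annual_cost
        remaining.remove(best)
    return chosen, spent


# Constructed sample data for a small company; not real figures.
THREATS = [
    Threat("ransomware", 200_000.0, 0.10),    # ALE 20,000
    Threat("phishing", 20_000.0, 2.0),        # ALE 40,000
    Threat("web_defacement", 5_000.0, 0.5),   # ALE 2,500
]
CATALOG = [
    Protection("offline_backups", 6_000.0, {"ransomware": 0.7}),
    Protection("email_filtering", 8_000.0, {"phishing": 0.6, "ransomware": 0.2}),
    Protection("awareness_training", 4_000.0, {"phishing": 0.4, "ransomware": 0.2}),
    Protection("waf", 9_000.0, {"web_defacement": 0.8}),
]


def plan_names(budget=20_000.0):
    """Names of the protections chosen for the sample data and the total spent."""
    chosen, spent = select_protections(THREATS, CATALOG, budget)
    return [p.name for p in chosen], spent


if __name__ == "__main__":
    print("baseline ALE:", residual_ale(THREATS, []))
    for p in CATALOG:
        print(f"{p.name:20s} standalone ROSI = {rosi(THREATS, p):.2f}")
    print("plan:", plan_names())
```

With these constructed figures the WAF never enters the plan: its cost exceeds the entire ALE of the threat it mitigates, so its ROSI is negative regardless of what else is selected, which is exactly the kind of protection a cost-benefit step is meant to screen out.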
Finally, an end-to-end case study is conducted to show the application of the proposed methodology in a company, supported by the information obtained with each of the solutions implemented as part of this PhD thesis. All of these evaluations and contributions show evidence of scientific advances in cybersecurity planning while highlighting and paving the path for stakeholders (e.g., decision-makers, developers, researchers, and companies) to implement more cost-effective solutions and strategies related to cybersecurity. This also contributes to understanding the relationship and dimensions of the economic and technical aspects of cybersecurity, thus providing directions for further advances in the field and its multidisciplinary facets.