AI capabilities in cyber risk assessment: selected evidence
| Second-order themes | Selected quotes on first-order categories |
|---|---|
| Reasoning for threats' impact evaluation | Detect false positive: “The threat comes, it identifies it, figures out what it is, does the trace, rules out if it's a false positive, and follows a predefined playbook.” – Vendor D |
| | Determine threat severity: “I perform an EDR analysis, assess the situation, and in the end determine that yes, this is indeed an attack that needs to be addressed immediately. For instance, if the incident involves the CEO's computer, it becomes a top-priority case.” – Vendor B |
| Reasoning for vulnerability assessment | Prioritize the areas of vulnerabilities: “In the field of vulnerability management and penetration testing, AI can be leveraged to help prioritize which systems should be targeted for vulnerability assessments and penetration tests.” – Consultancy B |
| Learning for likelihood evaluation | Learn from past data to evaluate the risk level: “We use a lot of machine learning because there is a theme of behavior analysis. If I make a legitimate access tomorrow morning from Florence, the system might say medium risk, she is always around Italy, it this access is legitimate to investigate. If tomorrow morning I make the legitimate access from Timbuktu, the alert is very serious. She is out of the business of Vendor B, It is not her.” – Vendor B |
| | Learn from past data for false positive probability estimation: “We go to identify a confidence score from 0 to 100, which allows you to say if it's 100, dear operator, it's a secure threat, so that event you have to handle it as a priority. Conversely, if it is, for example, 30%, we have less confidence that it is an actual cyber incident, as we know it.” – System Integrator B |
| Perception for third party risk assessment | Document analysis for third-party risk assessment: “At the pre-assessment stage, indeed, it will definitely be supportive. To understand what are the clauses, what are the security measures implemented by the vendor and from there the match and mismatch can definitely allow you to speed up the supplier assessment process.” – Consultancy C |
| | Dark web analysis for third-party risk assessment: “A company asked us to carry out a threat intelligence activity, providing us with the names of some of their suppliers. We then verified whether any of them had been compromised, for instance, by checking if their credentials were present on the dark web.” – Consultancy E |
| Creativity for vulnerability assessments | Text generation for phishing attack simulation: “In attack simulations, we use ChatGPT to write a phishing email in a language that is not our own. We have a client in France, we need to do a phishing email, now we've seen that ChatGPT does some good stuff.” – Consultancy D |
| | Voice generation for vishing attack simulation: “We did some experiments on the topic of voice formulation, so being able to also use someone else's voice to create vishing, and this could be doing an initial call where you record a person's voice and then from there try to use it to create a different message.” – Consultancy D |