Article
Automated Cyber and Privacy Risk Management Toolkit
Gustavo Gonzalez-Granadillo 1,*, Sofia Anna Menesidou 2, Dimitrios Papamartzivanos 2, Ramon Romeu 3, Diana Navarro-Llobet 3, Caxton Okoh 4, Sokratis Nifakos 5, Christos Xenakis 6 and Emmanouil Panaousis 4
Citation: Gonzalez-Granadillo, G.; Menesidou, S.A.; Papamartzivanos, D.; Romeu, R.; Navarro-Llobet, D.; Okoh, C.; Nifakos, S.; Xenakis, C.; Panaousis, E. Automated Cyber and Privacy Risk Management Toolkit. Sensors 2021, 21, 5493. https://doi.org/10.3390/s21165493
Academic Editors: Alexios Mylonas and Nikolaos Pitropakis
Received: 5 July 2021
Accepted: 12 August 2021
Published: 15 August 2021
Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
1 ATOS Spain, Atos Research & Innovation, Cybersecurity Unit, 08020 Barcelona, Spain
2 UBITECH Ltd., Thessalias 8 & Etolias 10, 152 31 Chalandri, Greece; smenesidou@ubitech.eu (S.A.M.); dpapamartz@ubitech.eu (D.P.)
3 Fundació Privada Hospital Asil de Granollers, 08402 Granollers, Spain; rromeu@fhag.es (R.R.); diananavarro@fphag.org (D.N.-L.)
4 School of Computing and Mathematical Sciences, University of Greenwich, London SE10 9LS, UK; c.okoh@greenwich.ac.uk (C.O.); e.panaousis@greenwich.ac.uk (E.P.)
5 Karolinska Institutet, Department of Learning, Informatics, Management and Ethics, Tomtebodavägen 18b, 171 65 Solna, Sweden; sokratis.nifakos@ki.se
6 Department of Digital Systems, University of Piraeus, Karaoli ke Dimitriou 80, 185 34 Pireas, Greece; xenakis@unipi.gr
* Correspondence: gustavo.gonzalez@atos.net
Abstract: Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, in most cases one must, at the very least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats against the assets of the investigated infrastructure; it is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted proactively during the design phase of a system, rather than combining processing activities and their inter-dependencies with the assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may arise during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit), that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but also offers decision-support capabilities that recommend optimal safeguards drawn from the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks received from a healthcare organisation, a reference sector that faces critical cyber and privacy threats.
Keywords: toolkit; cybersecurity; privacy; risk assessment; risk control; healthcare
1. Introduction
Cyber Risk Management has traditionally been a fundamental challenge of every organisation that seeks ways to protect its assets against cyber threats [1]. This is about using cybersecurity countermeasures (technical, operational, and physical) to prevent, detect, and respond to cyber attacks, prohibiting the exploitation of the organisation. Technical controls can be anything from “Inventory and Control of Hardware Assets” to “Penetration Tests and Red Team Exercises”, according to the Center for Internet Security (CIS) Controls [2]. Operational controls refer to standards, policies, and frameworks adopted