Method and electronic device for evaluating at least one cybersecurity function of a computer system, associated computer program
The method and device provide a detailed evaluation of cybersecurity functions by measuring and scoring reactions to cyberattacks, identifying over- or under-performance, and issuing alerts to enhance system defenses.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Applications
- Current Assignee / Owner
- NAVAL GRP
- Filing Date
- 2024-12-23
- Publication Date
- 2026-06-26
AI Technical Summary
Existing methods for evaluating cybersecurity functions of a computer system, such as those based on the MITRE ATT&CK framework, do not provide a sufficiently in-depth analysis of attacker tactics, postures, or targeted systems, leading to inadequate detection and protection performance assessments.
A method and electronic device for evaluating cybersecurity functions that measure reaction levels to cyberattack stimuli, calculate unit evaluation scores by comparing measured and expected reaction levels, and implement actions based on these scores to identify over- or under-performance, using a measurement, determination, and implementation module.
Enables precise evaluation of cybersecurity functions, allowing for the detection of inappropriate reactions and providing actionable alerts to improve system defenses.
Smart Images

Figure 00000000_0000_ABST
Abstract
Description
Title of the invention: Electronic method and device for evaluating at least one cybersecurity function of a computer system, associated computer program
[0001] The present invention relates to a method for evaluating at least one cybersecurity function of a computer system, the method being implemented by an electronic evaluation device.
[0002] The invention also relates to a computer program, comprising software instructions which, when executed by a computer, implement such an evaluation method.
[0003] The invention also relates to such an electronic evaluation device.
[0004] The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a reference framework (V-framework) developed by the American organization MITRE to describe the tactics, techniques, and procedures (TTPs) used by cybersecurity attackers. It is widely used to analyze, understand, and defend computer systems against cyberattacks.
[0005] Tactics are the possible steps by which an attacker progresses along the attack path to achieve their final objective, such as initial access, execution, persistence, privilege escalation, evasion of defenses, access to credentials, discovery, lateral movement, collection, exfiltration, and impact. Each tactic includes specific techniques used to achieve these objectives, and these techniques may have more detailed sub-techniques.
[0006] The MITRE ATT&CK then provides a detailed map of attack behaviors, enabling better anticipation and countering of cyber threats. It is used to simulate cyberattacks, create security policies, select and configure security technologies, and share information on cyber threats.
[0007] It is also known to evaluate the performance of a cybersecurity function of a computer system, such as a detection function, also called a detection chain, or such as a protection function, also called a protection chain, by executing different cyberattack stimuli, then measuring the level of a response generated by the evaluated function, and then comparing said measured level with an expected level.
[0008] However, such an evaluation does not allow for a sufficiently in-depth analysis with regard to MITRE ATT&CK tactics, postures and levels of attackers, or even targeted computer systems.
[0009] The aim of the invention is then to propose a method and an electronic device for evaluating one or more cybersecurity functions of a computer system, allowing for a more precise evaluation of the performance of each cybersecurity function.
[0010] To this end, the invention relates to a method for evaluating at least one cybersecurity function of a computer system, the method being implemented by an electronic evaluation device and comprising the following steps:
[0011] - measurement of a reaction level of a reaction generated by a cyber- function respective security, in response to the execution of at least one cyberattack stimulus against the computer system;
[0012] - determination of an evaluation score for the respective cybersecurity function, from one or more unit evaluation score(s), each unit evaluation score being calculated for at least one executed cyberattack stimulus, by comparing the measured reaction level with a predefined expected reaction level, associated with said at least one executed cyberattack stimulus and the respective cybersecurity function; the unit evaluation score calculated when the measured reaction level is equal to the expected reaction level being different from the unit evaluation score calculated when the measured reaction level is greater than the expected reaction level;
[0013] - implementation of at least one action associated with the determined evaluation score and chosen from the group including: displaying the evaluation score on a display device; recording the evaluation score for later analysis; issuing an alert signal based on the evaluation score; and generating a command instruction based on the evaluation score.
[0014] With the evaluation method according to the invention, the resulting unit score differs, in particular, depending on whether the measured reaction level is equal to the expected reaction level and whether the measured reaction level is higher than the expected reaction level. In other words, this makes it possible to identify a potential situation of over-quality with regard to the reaction generated by the evaluated cybersecurity function, compared to the expected reaction.
[0015] The invention then makes it possible to better detect an inappropriate reaction of the evaluated cyber-security function, then to display information relating to this detection and / or to issue an associated alert, with a view to correcting this cyber-security function.
[0016] According to other advantageous aspects of the invention, the evaluation method comprises one or more of the following features, taken individually or in all technically possible combinations:
[0017] - the unit evaluation score depends on a difference between the reaction level measured and the expected level of reaction, the unit evaluation score being lower the greater the difference;
[0018] - the evaluation score for the respective cybersecurity function depends on a average of the unit evaluation scores for said cybersecurity function;
[0019] - the one or each cybersecurity function is chosen from a detection function cyberattack(s) and a function to protect against cyberattack(s);
[0020] - during the determination stage, a first evaluation score is determined for the detection function and a second evaluation score is determined for the protection function;
[0021] - during the implementation stage, the first and second evaluation scores are displayed in a two-dimensional manner, with a first dimension associated with the first evaluation score and a second dimension associated with the second evaluation score;
[0022] - during the measurement step, a response time is measured between an instant execution of at least one cyberattack stimulus and one reaction generation time; and
[0023] - during the determination step, the calculated unit evaluation score depends on in addition to said response time.
[0024] The invention also relates to a computer program comprising software instructions which, when executed by a computer, implement an evaluation method, as defined above.
[0025] The invention also relates to an electronic device for evaluating at least one cybersecurity function of a computer system, the device comprising:
[0026] - a measuring module configured to measure a reaction level of a reaction generated by a respective cybersecurity function, in response to the execution of at least one cyberattack stimulus against the computer system;
[0027] - a determination module configured to determine an evaluation score for the respective cybersecurity function, based on one or more unit evaluation scores, each unit evaluation score being calculated for at least one executed cyberattack stimulus, by comparing the measured response level with a predefined expected response level associated with said at least one executed cyberattack stimulus and the respective cybersecurity function; the unit evaluation score calculated when the measured response level is equal to the expected response level being different from the unit evaluation score calculated when the measured response level is greater than the expected response level; and
[0028] - an implementation module configured to implement at least one action associated with the determined evaluation score and chosen from the group comprising: displaying the evaluation score on a display device; recording the evaluation score for later analysis; issuing an alert signal based on the evaluation score; and generating a command instruction based on the evaluation score.
[0029] The invention will become clearer upon reading the following description, given solely by way of non-limiting example, and made with reference to the drawings in which:
[0030] [Fig-1] [Fig.1] is a schematic representation of an electronic installation comprising a computer system including at least one cybersecurity function, and an electronic device, according to the invention, for evaluating at least one cybersecurity function of the computer system;
[0031] [Fig.2] [Fig.2] is a view illustrating a two-function evaluation diagram of cybersecurity of the computer system, namely a detection function and a protection function; and
[0032] [Fig.3] [Fig.3] is a flowchart of a method, according to the invention, for evaluation of at least one cybersecurity function of the computer system, the evaluation process being implemented by the electronic evaluation device of the [Fig.1].
[0033] In [Fig. 1], an electronic installation 10 comprises a computer system 15 having at least one cybersecurity function. In the example of [Fig. 1], the computer system 15 has two distinct cybersecurity functions, namely a function D for detecting one or more cyberattacks and a function P for protecting against one or more cyberattacks.
[0034] The detection function D is known per se and is configured to detect at least one cyberattack and then generate a response to that cyberattack. The generated response is typically chosen from the group consisting of: no action, logging, alarm, incident, cyber crisis, these responses being ranked in ascending order of level.
[0035] The protection function P is also known in itself, and is configured to check for the presence, if necessary, of at least one block for the execution of a stimulus.
[0036] The electronic installation 10 further comprises an electronic device 20 evaluation of at least one cybersecurity function D, P of the computer system 15.
[0037] The electronic installation 10 is for example included in a ship, or in a command system.
[0038] The computer system 15 is also called an information system. The computer system 15 is, for example, a set of one or more electronic devices that are susceptible to cyberattacks.
[0039] The electronic evaluation device 20, hereinafter referred to as the evaluation device 20, is configured to evaluate each cybersecurity function D, P of the computer system 15. The evaluation device 20 comprises a measurement module 22, a determination module 24 and an implementation module 26.
[0040] In the example of [Fig.1], the evaluation device 20 includes an information processing unit 30 typically formed of a memory 32 and a processor 34 associated with the memory 32.
[0041] According to this example, the measurement module 22, the determination module 24, and the implementation module 26 are each implemented as a software program, or a software component, executable by the processor 34. The memory 32 of the evaluation device 20 is then capable of storing measurement software, determination software, and implementation software. The processor 34 of the evaluation device 20 is then capable of executing each of the following software programs: measurement software, determination software, and implementation software.
[0042] In an alternative not shown, the measurement module 22, the determination module 24 and the implementation module 26 are each implemented as a programmable logic component, such as an FPGA (Field Programmable Gate Array), or as an integrated circuit, such as an ASIC (Application Specified Integrated Circuit).
[0043] When the evaluation device 20 is implemented in the form of one or more software programs, i.e., in the form of a computer program, also called a computer program product, it is further capable of being stored on a computer-readable medium, not shown. A computer-readable medium is, for example, a medium capable of storing electronic instructions and being connected to a bus of a computer system. By way of example, a readable medium is an optical disc, a magneto-optical disc, a ROM, a RAM, any type of non-volatile memory (e.g., EPROM, EEPROM, FLASH, NVRAM), a magnetic card, or an optical card. A computer program comprising software instructions is then stored on the readable medium.
[0044] The measurement module 22 is configured to measure a level of reaction, among several predefined levels, of a reaction generated by a respective cybersecurity function D, P, in response to the execution of at least one cyberattack stimulus against the computer system 15.
[0045] Each cyberattack stimulus is a unitary action, such as plugging a USB device into a user's workstation, or copying a file onto a USB key, or connecting equipment to the network, etc.
[0046] Each stimulus is predefined, typically by a set of characterizing information. This characterization includes, for example, the attack tactic such as as defined by MITRE ATT&CK, the corresponding MITRE ATT&CK technique identifier number, the attacker's posture, the targeted equipment, and the simulated attacker's level.
[0047] As an optional addition, the definition of a stimulus contains information relating to the execution process and / or the verification of detection elements: for example, prerequisites to be provided by the IT system manager 15 (a legitimate machine, a user account, network access, etc.), verification to be made to ensure that the stimulus has run successfully (even if blocked), actions to be taken to clean up if necessary (removal of the deposited virus), command pattern of the attack to be executed, if applicable, exact command executed, context (network connection, MAC and IP addresses, account used, time of execution, etc.).
[0048] In addition, several stimuli executed over a short period, such as from a few seconds to a few days, from the same equipment and sharing the same system account, are considered a chain of actions that follow one another, capable of leading to higher-level escalations of reactions, such as an incident instead of several alarms. According to this addition, a multiple stimulus, corresponding to several stimuli in succession, i.e., to this chain of stimuli, is defined to trace and measure the associated reaction.
[0049] The predefined reaction levels typically depend on the evaluated cybersecurity function D, P.
[0050] For the detection function D, the predefined reaction levels are for example: no action, logging, alarm, incident, and finally cyber crisis, these levels being ranked in ascending order.
[0051] For the protection function P, the predefined response levels are, for example: allowed and blocked, these levels being ranked in ascending order. As their names indicate, the "allowed" level corresponds to an allowed execution of the stimulus, and the "blocked" level corresponds to a blocked execution of the stimulus, i.e., the blocking of the stimulus execution by the protection function P.
[0052] As an optional complement, the measurement module 22 is configured to measure a response time between an execution time of at least one cyberattack stimulus and a generation time of the reaction.
[0053] The determination module 24 is configured to determine an evaluation score for the respective cybersecurity function D, P, from one or more unit evaluation scores.
[0054] Each unit evaluation score is calculated for at least one executed cyberattack stimulus, by comparing the measured reaction level with a predefined expected reaction level, associated with said at least one executed cyberattack stimulus and with the respective cybersecurity function D, P.
[0055] The unit evaluation score calculated when the measured reaction level is equal to the expected reaction level is advantageously different from the unit evaluation score calculated when the measured reaction level is greater than the expected reaction level.
[0056] The determination module 24 is configured for example to calculate the unit evaluation score as being equal to the value "Failed" if the measured reaction level is lower, i.e. strictly lower, than the expected reaction level; equal to the value "Optimal" if the measured reaction level is equal to the expected reaction level; and equal to the value "Over-quality" if the measured reaction level is higher, i.e. strictly higher, than the expected reaction level.
[0057] For the detection function D, the determination module 24 is then configured for example to calculate the unit evaluation score according to Table 1 below, where the calculated unit score is shown in italics.
[0058] [Tables 1] Expected reaction level: None. Logging. Alarm. Incident. Cyber crisis. Measured reaction level: None. Optimal. Failed. Failed. Failed. Logging. Over-quality. Optimal. Failed. Failed. Failed. Alarm. Over-quality. Over-quality. Optimal. Failed. Failed. Incident. Over-quality. Over-quality. Over-quality. Optimal. Failed. Cyber crisis. Over-quality. Over-quality. Over-quality. Optimal.
[0059] For the protection function P, the determination module 24 is similarly configured, for example, to calculate the unit evaluation score according to Table 2 below; the calculated unit score is also shown in italics.
[0060] [Tables2 Expected reaction level: Allowed, Blocked. Reaction level: Allowed, Optimal, Failed, Blocked, Over-quality, Optimal.
[0061] As an optional addition, the unit evaluation score depends on a difference between the measured reaction level and the expected reaction level, the unit evaluation score being lower the greater the difference.
[0062] According to this optional complement, for the detection function D, the determination module 24 is then configured for example to calculate the unit evaluation score according to Table 3 below, where the calculated unit score is indicated in italics.
[0063] [Tables3] Expected Response Level: None Logging Alarm Incident Cyber Crisis Measured Response Level: None 5 1 1 1 Logging 4 5 2 2 2 Alarm 3 4 5 3 3 Incident 2 3 4 5 4 Cyber Crisis 1 2 3 4 5
[0064] According to this optional supplement, for the protection function P, the determination module 24 is similarly configured, for example, to calculate the unit evaluation score according to Table 4 below; the calculated unit score is also shown in italics.
[0065] [Tables4 Expected reaction level Allowed Blocked Mean reaction level Allowed 5 1 Blocked 2.5 5
[0066] According to this optional complement, an optimal reaction offers the maximum unit score, the evaluation unit score is decremented with each action of the over-quality category exceeded, and the evaluation unit score continues to decrement as it continues to move away into the failure category, the failure category corresponding to the case(s) where the measured reaction level is lower than the expected reaction level.
[0067] When optionally the measurement module 22 is configured to also measure the response time, the determination module 24 is advantageously configured to calculate the unit evaluation score as a function of said response time.
[0068] According to this optional supplement, when the measured response time is greater than a predefined expected response time, then the unit evaluation score is decreased, for example by 0.5 in the examples in Tables 3 and 4 above.
[0069] After calculation of the unit evaluation score(s), the determination module 24 is configured to determine the evaluation score for the respective cybersecurity function D, P, from said calculated unit score(s).
[0070] The evaluation score for the respective cybersecurity function D, P depends on an average of the unit evaluation scores calculated for said cybersecurity function D, P. The average is, for example, an arithmetic mean.
[0071] In addition, the determination module 24 is also configured to determine, for each cybersecurity function D, P, a standard deviation of the unit evaluation scores calculated for said cybersecurity function D, P.
[0072] In addition, a first evaluation score is determined for the detection function D, and a second evaluation score is determined for the protection function P, as in the example of [Fig.2].
[0073] The implementation module 26 is configured to implement at least one action associated with the evaluation score determined by the determination module 24.
[0074] At least one action implemented by the implementation module 26 is typically chosen from the group consisting of: displaying the evaluation score on a display device; recording the evaluation score for later analysis; issuing an alert signal based on the evaluation score; and generating a command instruction based on the evaluation score.
[0075] The warning signal is, for example, an audible signal, a visual signal, or a combination of both. The warning signal is intended, in particular, to alert a user of the assessment device 20 according to the invention, specifically regarding corrective action to be taken, said corrective action depending on the assessment score.
[0076] Advantageously, the warning signal has one level among several predefined levels, the level of the warning signal depending on the evaluation score determined.
[0077] A control instruction is an instruction to control a piece of equipment, particularly electronic equipment, such as equipment that is to undergo corrective action depending on the determined evaluation score. The generated control instruction is then received by said equipment, for example, to implement said corrective action.
[0078] When the optional complement, the determination module 24, is configured to determine both the first evaluation score for the detection function D and the second evaluation score for the protection function P, the implementation module 26 is advantageously configured to display the first and second scores. evaluation in a two-dimensional way, with a first dimension associated with the first evaluation score and a second dimension associated with the second evaluation score.
[0079] In the example of [Fig.2], the first evaluation score is then indicated on the abscissa, with the letter D corresponding to the detection function being associated with the x-axis; and the second evaluation score is indicated on the ordinate with the letter P corresponding to the protection function associated with the y-axis.
[0080] On [Fig.2], an evaluation diagram 50 of two cybersecurity functions D, P of the computer system 15 is displayed, with a first zone 52 corresponding to the evaluation scores in the failure category, the first zone 52 being graphically filled with negative signs, i.e. symbol a second intermediate zone 54, and a third zone 56 corresponding to the best evaluation scores, the third zone 56 being graphically filled with positive signs, i.e. symbol '+'.
[0081] In [Fig. 2], the first and second evaluation scores are then represented as a point 60 whose abscissa is equal to the first evaluation score and whose ordinate is equal to the second evaluation score. Advantageously, the point 60 is surrounded by an ellipse 62 allowing the standard deviations associated with the first and second evaluation scores to be represented, that is to say, the standard deviations associated with the means of the unit evaluation scores calculated for the detection function D, and respectively for the protection function P.
[0082] Ellipse 62 then shows the accuracy of the first and second evaluation scores determined, and the larger the area of this ellipse 62, the more dispersed the calculated unit evaluation scores are. In other words, ellipse 62 represents the uncertainty of the calculated unit evaluation scores. The area of ellipse 62 thus provides an indication of the performance homogeneity within each of the cyber detection and protection chains.
[0083] The person skilled in the art will observe that the first and second scores shown in [Fig.2] were determined from unit scores according to Tables 3 and 4 above.
[0084] According to the aforementioned advantageous aspect where the warning signal has a respective level among several predefined levels, in the example of [Fig.2], the level of the warning signal is for example equal to a minimum level corresponding to no warning if point 60 is in the third zone 56, to an intermediate level corresponding to an intermediate warning if point 60 is in the second zone 54, and to a high level corresponding to a high warning if point 60 is in the first zone 52.
[0085] As an optional addition, the calculated unit evaluation scores are displayed grouped according to different subsets of stimuli, for example following the following groups: attacker level (script kiddies, cyber criminals); attacker posture (external, guest, internal, privileged), attacker group based on known MITRE ATT&CK technique numbers, etc.
[0086] The operation of the evaluation device 20 according to the invention will now be explained, in particular with the help of [Fig.3] representing an organizational chart of the method, according to the invention, for evaluating at least one cybersecurity function D, P of the computer system 15, the evaluation method being implemented by the evaluation device 20.
[0087] During an initial step 100, the evaluation device 20 measures, via its measurement module 22, the level of reaction of the reaction generated by the evaluated cybersecurity function D, P, in response to the execution of a cyberattack stimulus against the computer system 15. The level of reaction is typically measured among several predefined levels.
[0088] As an optional addition, during measurement step 100, the measurement module 22 also measures the response time between the moment of execution of the cyberattack stimulus and the moment of generation of the associated reaction.
[0089] At the end of measurement step 100, the evaluation device 20 determines, via its determination module 24 and during a subsequent determination step 110, the evaluation score for the respective cybersecurity function D, P.
[0090] During this determination step 110, each evaluation score is determined from one or more unit evaluation scores, each unit evaluation score being calculated for a respective executed cyberattack stimulus, by comparing the measured reaction level with the predefined expected reaction level.
[0091] According to the invention, the unit evaluation score calculated when the measured reaction level is equal to the expected reaction level differs from the unit evaluation score calculated when the measured reaction level is greater than the expected reaction level. In other words, the calculated unit evaluation score differs depending on whether the measured reaction level is equal to or greater than the expected reaction level.
[0092] With prior art assessment methods, the calculated unit assessment score is the same, generally with the value "Covered", whether the measured reaction level is equal to or greater than the expected reaction level.
[0093] Advantageously, during the determination step 110, the unit evaluation score depends on the difference between the measured reaction level and the expected reaction level, and the greater said difference, the lower the unit evaluation score.
[0094] The evaluation score for the respective cybersecurity function D, P is then, for example, equal to the average of the unit evaluation scores for said cybersecurity function D, P.
[0095] As an optional addition, when the response time has also been measured during the measurement step 100, the unit evaluation score is advantageously calculated on the basis of said response time in addition during the determination step 110. The determination module 24 then typically reduces the unit evaluation score when the measured response time is greater than the predefined expected response time.
[0096] As an optional additional step, during the determination step 110, the determination module 24 determines both the first evaluation score for the detection function D and the second evaluation score for the protection function P.
[0097] Next, the evaluation device 20 moves to the next implementation step 120, during which its implementation module 26 implements at least one action associated with the evaluation score determined during the determination step 110.
[0098] During implementation step 120, the implementation module 26 displays, on a display device (not shown), the evaluation score determined during determination step 110; and / or stores in a respective memory, such as memory 32, said determined evaluation score; and / or issues an alert relating to said determined evaluation score, typically for the purpose of a subsequent correction of the associated cybersecurity function; and / or generates a control instruction based on said determined evaluation score.
[0099] When the first and second evaluation scores have been determined during the determination step 110, and the implementation step includes the display of the determined evaluation scores, the first and second evaluation scores are advantageously displayed in a two-dimensional manner, as in the example in [Fig.2].
[0100] It is thus understood that the evaluation device 20 and the evaluation method according to the invention make it possible to offer a more precise evaluation of the performance of each cybersecurity function D, P, in particular of the detection function D and / or the protection function P.
Claims
Demands
1. A method for evaluating at least one cybersecurity function (D, P) of a computer system (15), the method being implemented by an electronic evaluation device and comprising the following steps: - measuring (100) a level of response generated by a respective cybersecurity function (D, P), in response to the execution of at least one cyberattack stimulus against the computer system (15); - determining (110) an evaluation score for the respective cybersecurity function (D, P), from one or more unit evaluation score(s), each unit evaluation score being calculated for the at least one executed cyberattack stimulus, by comparing the measured level of response with a predefined level of expected response, associated with said at least one executed cyberattack stimulus and the respective cybersecurity function (D, P);the unit evaluation score calculated when the measured reaction level is equal to the expected reaction level being different from the unit evaluation score calculated when the measured reaction level is greater than the expected reaction level; - implementation (120) of at least one action associated with the determined evaluation score and chosen from the group including: displaying the evaluation score on a display device; recording the evaluation score for later analysis; issuing an alert signal based on the evaluation score; and generating a command instruction based on the evaluation score.
2. A method according to claim 1, wherein the unit evaluation score depends on a difference between the measured reaction level and the expected reaction level, the unit evaluation score being lower the greater the difference.
3. A method according to claim 1 or 2, wherein the evaluation score for the respective cybersecurity function (D, P) depends on an average of the unit evaluation scores for said cybersecurity function (D, P).
4. A method according to any one of the preceding claims, wherein the cybersecurity function or functions (D, P) is chosen between a function (D) for detecting cyberattack(s) and a function (P) for protecting against cyberattack(s).
5. A method according to claim 4, wherein, during the determination step (110), a first evaluation score is determined for the detection function (D) and a second evaluation score is determined for the protection function (P).
6. A method according to claim 5, wherein, during the implementation step (120), the first and second evaluation scores are displayed in a two-dimensional manner, a first dimension being associated with the first evaluation score and a second dimension being associated with the second evaluation score.
7. A method according to any one of the preceding claims, wherein, during the measurement step (100), a response time is measured between an execution time of at least one cyberattack stimulus and a generation time of the reaction.
8. A method according to claim 7, wherein, during the determination step (110), the calculated unit evaluation score further depends on said response time.
9. Computer program, comprising software instructions which, when executed by a computer, implement a method according to any one of the preceding claims.
10. An electronic device (20) for evaluating at least one cybersecurity function (D, P) of a computer system (15), the device (20) comprising: - a measurement module (22) configured to measure a level of reaction generated by a respective cybersecurity function (D, P), in response to the execution of at least one cyberattack stimulus against the computer system (15); - a determination module (24) configured to determine an evaluation score for the respective cybersecurity function (D, P), from one or more unit evaluation score(s), each unit evaluation score being calculated for the at least one executed cyberattack stimulus, by comparing the measured level of reaction with a predefined level of expected reaction, associated with said at least one executed cyberattack stimulus and the respective cybersecurity function (D, P);the unit evaluation score calculated when the measured reaction level is equal to the expected reaction level is different from the unit evaluation score calculated when; the measured reaction level is higher than the expected reaction level; and - an implementation module (26) configured to implement at least one action associated with the determined evaluation score and chosen from the group including: displaying the evaluation score on a display device; recording the evaluation score for later analysis; issuing an alert signal based on the evaluation score; and generating a command instruction based on the evaluation score.