Article

Security Self-Assessment Guide for Information Technology Systems


... In general, the security managers need to answer an often long collection of questions built on established standards (e.g. Swanson 2001, ISO/IEC 27019, IEC 62443). For instance, the NIST security self-assessment contains more than 200 questions (Swanson 2001). ...
... Swanson 2001, ISO/IEC 27019, IEC 62443). For instance, the NIST security self-assessment contains more than 200 questions (Swanson 2001). Self-assessments offer advantages over external security audits: they are less expensive, they can be implemented in local organisational routines, and they allow more control over critical information about an organisation's IT infrastructure. ...
... Saunders and Mann 2005, and with regard to information security e.g. Swanson 2001). But this was never done in combination with online support for knowledge communities. ...
Conference Paper
Full-text available
A web-based platform was developed to support the inter-organisational collaboration between small and medium-sized energy providers. Since critical infrastructures are subject to new security regulations in Germany, the platform particularly serves the exchange of experience and mutual support in information security. The focus of this work is the security self-assessment component. In order to ease the burden of going through a long questionnaire we have implemented small, motivating modules that are spread across the platform. The data entered is used for an individual risk assessment but also for a fine-granular inter-organisational security benchmarking which builds a common added value for the entire community on the platform and strengthens the community building process. We implemented a prototype of the platform and evaluated it in a focus group.
... 3. Specify the Checklist: The audit checklist was then finalized for our kiosk by adapting parts of the OCR audit checklist, a checklist developed by Watzlaf et al., and a Security Self-Assessment Guide for Information Technology Systems that was developed by the National Institute of Standards and Technology (Christiansen, 2013;Swanson, 2001;Watzlaf, Moeini, & Firouzan, 2010;Watzlaf, Moeini, Matusow, & Firouzan, 2011). ...
... The protocol below provides a guideline that can be used to assess whether a multi-user health kiosk is meeting privacy and security (P&S) regulations such as HIPAA and HITECH. It has been adapted from the OCR audit protocol and the checklists developed by Watzlaf et al. (2010;2012), Peterson and Watzlaf (2014), Swanson (2001), and Watzlaf et al. (2010). o If yes, is there a well-defined procedure for requesting copies of PHI and other information? ...
... CONFIDENTIALITY §164.522 (Swanson, 2001) 3. Request of Information: Is there a policy for disclosure of e-PHI or identifiable information? SECURITY §164.308 ...
Article
Full-text available
Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) has gotten stricter and penalties have become more severe in response to a significant increase in computer-related information breaches in recent years. With health information said to be worth twice as much as other forms of information on the underground market, making preservation of privacy and security an integral part of health technology development, rather than an afterthought, not only mitigates risks but also helps to ensure HIPAA and HITECH compliance. This paper provides a guide, based on the Office for Civil Rights (OCR) audit protocol, for creating and maintaining an audit checklist for multi-user health kiosks. Implementation of selected audit elements for a multi-user health kiosk designed for use by community-residing older adults illustrates how the guide can be applied.
... NIST's guide provides an extensive questionnaire containing specific control objectives and techniques. Topic areas include management controls, which consist of risk management, review of security controls, life cycle, authorize processing, and system security plan; operational controls, which consist of personnel security, physical security, production controls, input/output controls, contingency planning, hardware and systems software maintenance, data integrity, documentation, security awareness/training/education, and incident response capability; and technical controls, which consist of identification and authentication, logical access controls, and audit trails [3]. The System Security Engineering Capability Maturity Model is a compilation of the best-known security engineering practices. ...
... Kim's framework, which consists of shareholder & management, media & customer, employee & supplier, and government, provides a bird's-eye view of general security governance [9, 10]. This paper provides the security level model which has five levels of information security based on [3, 4, 5] and describes the impacts on governance participants based on the general perspectives of security governance [9, 10]. The proposed model is summarized in Table 2. This paper proposes four classification criteria for IT infrastructures. ...
... • Availability -ensuring that authorized users have access to information and associated assets when required (ISO 17799, 2005) The DOD and the Committee on National Security Systems follow suit with NIST and ISO in their view, but say that information assurance also includes "providing for restoration of information systems by incorporating protection, detection, and reaction capabilities" (Committee on National Security Systems, 2005;Swanson, 2001;U.S. Department of Defense, 2002). ...
... Combining aspects of those models, we come up with something that looks like Table 2 for the goals of information security. (Hong, 2003; Soo Hoo, 2000; Seddigh et al., 2004; Committee on National Security Systems, 2005; Swanson, 2001; (ISC)², 2006; ISO 17799, 2005; NIST 800-12, 1995) To summarize, the problem of information security is to prevent negative events from happening that would compromise the confidentiality, integrity, and availability of information, data, information resources, or operational procedures. This is the essence of risk management. ...
... • NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems (Swanson, 2001): We used the Security Self-Assessment Guide from NIST to develop assessment questions focusing on vulnerabilities and organizational compliance with controls aimed at mitigating the identified threats. • NCA Cybersecurity Controls (National Cybersecurity Authority, 2024): We referenced Essential Cybersecurity Controls (ECC-1:2018), Cloud Cybersecurity Controls (CCC-1:2020) and Data Cybersecurity Controls (DCC-1:2022) provided by the NCA. ...
Article
Full-text available
Purpose This study proposes a guided tool for cybersecurity risk assessment tailored for nongovernmental organizations (NGOs), enabling them to comply with cybersecurity policies despite limitations in security awareness, funding and expertise. Design/methodology/approach A digital transformation is indispensable for ensuring the sustainable operation of NGOs. Embracing a digital manifesto necessitates an awareness of cybersecurity risks, highlighting the critical need for a robust cybersecurity risk assessment methodology. Initial research phases revealed significant shortages in security awareness, funding and expertise. Consequently, this study introduces an intuitive approach tailored specifically for NGOs, supported by a customized tool designed to address their unique requirements. The NIST cybersecurity risk assessment framework and National Cybersecurity Authority (NCA) controls were adopted to define the risk assessment approach. The efficacy of this approach is evaluated qualitatively through a case study involving three NGOs in Saudi Arabia, aimed at assessing their capability to utilize the tool effectively. Following the implementation, a Likert-scale survey gauged satisfaction among NGOs regarding the tool’s utility. Findings Results from the case study indicate high satisfaction, affirming its alignment with their operational needs and enhancement of compliance with NCA controls. Furthermore, the use of the tool enhances awareness of NCA’s cybersecurity requirements and controls. Originality/value Based on theoretical and empirical grounds, this research proposes a novel design of a security assessment framework tailored for NGO requirements and supported by an intuitive tool, enabling compliance with cybersecurity policies and enhancing awareness of cybersecurity controls.
... The National Institute of Standards and Technology (NIST) has done a lot of research on security metrics, and has proposed nine security metrics for three different aspects: (1) implementation, (2) effectiveness/efficiency, and (3) impact [11]. NIST presents its security metrics taxonomy in [12] and [13]. The taxonomy is comprehensive, presenting three security categories, (1) management, (2) technical, and (3) operational; however these metrics address security at the organization level, and do not apply to ES. ...
Preprint
Full-text available
Embedded Systems (ES) development has been historically focused on functionality rather than security, and today this still applies in many sectors and applications. However, there is an increasing number of security threats over ES, and a successful attack could have economic, physical or even human consequences, since many of them are used to control critical applications. A standardized and generally accepted security testing framework is needed to provide guidance, common reporting forms, and the possibility to compare results over time. This can be achieved by introducing security metrics into the evaluation or assessment process. If carefully designed and chosen, metrics could provide a quantitative, repeatable and reproducible value that would reflect the level of security protection of the ES. This paper analyzes the features that a good security metric should exhibit, introduces a taxonomy for classifying them, and finally carries out a literature survey on security metrics for the security evaluation of ES. In this review, more than 500 metrics were collected and analyzed. Then, they were reduced to 169 metrics that have the potential to be applied to ES security evaluation. As expected, 77.5% of them relate exclusively to software, and only 0.6% address exclusively hardware security. This work aims to lay the foundations for constructing a security evaluation methodology that uses metrics to quantify the security level of an ES.
... Similar technology protection guidelines have also been established in countries such as the United States, Hong Kong, and Australia by the National Institute of Standards and Technology, the Office of the Government Chief Information Officer, and the Australian Cyber Security Center, respectively. These guidelines are a security self-assessment guide for information technology systems (SP800-26-the United States), a practice guide for security risk assessment and audit (ISPG-SM01-Hong Kong), and the Australian government's information security manual (ISM-Australia) [18][19][20]. Table 2 shows the technology protection framework of South Korea and other countries. The South Korean guidelines related to technology protection can be largely divided into four areas-administrative, physical, technical, and personnel security measures. ...
Article
Full-text available
Given the importance of technologies to organizations, technology leakages can cause considerable financial losses and threaten the survival of firms. Although organizations use technology protection diagnostic models to prevent such leakages, most diagnostic models focus on cybersecurity, and the evaluation system is complex, making it difficult for SMEs to use it. This makes them unsuitable for the general technology protection diagnosis of companies. Hence, this study proposes a diagnostic model that assesses the technology protection capabilities of organizations from personnel and administrative perspectives. Drawing upon the individual elements of the 7S model—shared values, strategy, structure, systems, staff, style, and skills—our model analyzes the influence of the elements on the technology protection capabilities of organizations. To determine this influence, the study conducts a questionnaire survey among 435 employees from large, larger medium-sized, and small and medium enterprises. Using the partial least squares and the artificial neural network methods, the study determines the ranking of the relative importance of the 7S elements. The results show that the shared values element most significantly influences these capabilities. The remaining elements influence the technology protection capabilities in the following order from the greatest to the least effect: staff, strategy, structure, systems, style, and skills. These findings highlight the significance of developing an awareness of the necessity of technology protection among all the members of an organization.
... The first Intrusion Detection System (IDS) for the identification of anomalous behaviours in network systems was proposed by Anderson [1] in 1980. Anomaly detection methods such as signature-based approaches are usually used to monitor network activities using pre-identified cyber-security attack indicators to specify the security threats that may affect systems' Confidentiality, Integrity or Availability (CIA) [2]. These systems, however, have fatal limitations when it comes to zero-day attacks or encrypted traffic generated by attackers [3]. ...
Conference Paper
Malicious attack detection is one of the critical cyber-security challenges in the peer-to-peer smart grid platforms due to the fact that attackers’ behaviours change continuously over time. In this paper, we evaluate twelve Machine Learning (ML) algorithms in terms of their ability to detect anomalous behaviours over the networking practice. The evaluation is performed on three publicly available datasets: CICIDS-2017, UNSW-NB15 and the Industrial Control System (ICS) cyber-attack datasets. The experimental work is performed through the ALICE high-performance computing facility at the University of Leicester. Based on these experiments, a comprehensive analysis of the ML algorithms is presented. The evaluation results verify that the Random Forest (RF) algorithm achieves the best performance in terms of accuracy, precision, Recall, F1-Score and Receiver Operating Characteristic (ROC) curves on all these datasets. It is worth pointing out that other algorithms perform closely to RF and that the decision regarding which ML algorithm to select depends on the data produced by the application system.
... WiMAX equipment exists in two basic forms: base stations, installed by service providers to deploy the technology in a coverage area, and receivers, installed in clients. It is also known as the IEEE 802.16 wireless metropolitan area network; along with the development of mobile communication and broadband technology it has become a hot spot for global telecom operators and manufacturers [1], [5]. WiMAX is gaining popularity as a technology which delivers carrier-class, high-speed wireless broadband at a much lower cost while covering larger distances than Wi-Fi [7]. Li-Fi (Light Fidelity), as coined by Prof. Harald Haas during his TED Global talk, is bidirectional, high-speed and fully networked wireless communication, like Wi-Fi, using visible light [6]. ...
Article
Full-text available
Modern life becomes easier and wireless communications play an important role in making it so. In computer networking, wireless technology is a modern alternative to networks that use cables. Li-Fi is a wireless communication system in which light is used as a carrier signal instead of the traditional radio frequency used in Wi-Fi. Li-Fi is a technology that uses light emitting diodes to transmit data wirelessly. Li-Fi is a form of Visible Light Communication (VLC). VLC uses rapid pulses of light that cannot be detected by the human eye to transmit information wirelessly. In the modern age everyone wants to use wireless data but capacity is drying up. Wireless radio frequencies are getting higher, complexities are increasing and RF interference continues to grow. In order to overcome this problem in the future, light fidelity (Li-Fi) becomes a better technology. This new wireless technology can save a large amount of electricity by transmitting data through light bulbs. Li-Fi is a better alternative to Wi-Fi and WiMAX in wireless communication. Li-Fi has a thousand times greater speed than Wi-Fi and provides security, as visible light is unable to penetrate walls, which proposes a new era of wireless communication. Such technology has brought not only a greener but a safer and cheaper future of communication. Despite the numerous advantages of Li-Fi technology, there exist some drawbacks also. The line-of-sight propagation problem is one of them. So we propose a new method that not only reduces this problem but also increases the performance of this technology.
... It is also defined as the process of making sure that data assets remain secret and confidential, and that they cannot be viewed by unauthorised users; b) Integrity: to ensure that information assets cannot be modified by any other party without authorisation. Integrity could also be described as the process that ensures that data assets are the same as they were when they were originally created, without any change over time; and c) Availability: to ensure that information assets are available when requested. It could also be described as a situation in which data assets should be accessible for legitimate users when needed [92]. ...
Thesis
Full-text available
Currently governments and research communities are concentrating on insider threat matters more than ever; the main reason for this is that the effect of a malicious insider threat is greater than before. Moreover, leaks and the selling of mass data have become easier with the use of the dark web. Malicious insiders can leak confidential data while remaining anonymous. Our approach describes the information gained by looking into insider security threats from the multiple perspective concept that is based on an integrated three-dimensional approach. The three dimensions are the human issue, the technology factor, and the organisation aspect, which form one risk prediction solution. In the first part of this thesis, we give an overview of the various basic characteristics of insider cyber-security threats. We also consider current approaches and controls for mitigating the level of such threats by broadly classifying them in two categories: a) technical mitigation approaches, and b) non-technical mitigation approaches. We review case studies of insider crimes to understand how authorised users could harm their organisations by dividing these cases into seven groups based on insider threat categories as follows: a) insider IT sabotage, b) insider IT fraud, c) insider theft of intellectual property, d) insider social engineering, e) unintentional insider threat incident, f) insider in cloud computing, and g) insider national security. In the second part of this thesis, we present a novel approach to predict malicious insider threats before the breach takes place. A prediction model was first developed based on the outcomes of the research literature which highlighted the main prediction factors with the insider indicator variables. Then Bayesian network statistical methods were used to implement and test the proposed model by using dummy data. A survey was conducted to collect real data from a single organisation. Then a risk level and prediction for each authorised user within the organisation were analysed and measured. A dynamic Bayesian network model was also proposed in this thesis to predict insider threats over a period of time, based on data collected and analysed on different time scales by adding time series factors to the previous model. Results of the verification test comparing the output of 61 cases from the education sector prediction model show good consistency. The correlation was generally around R² = 0.87, which indicates an acceptable fit in this area of research. From the results we expect that the approach will be a useful tool for security experts. It provides organisations with an insider threat risk assessment for each authorised user, and organisations can also discover the weak areas that need attention in dealing with insider threats. Moreover, we expect the model to be useful to the research community as a basis for understanding and future research.
... Furthermore, the International Society of Automation (ISA) has published the ISA99 (ANSI/ISA-62443) standards, recommended practices, and technical reports for implementing manufacturing and control systems securely. Several other reports exist in literature which provide the appropriate measures to meet smart grid security challenges [89][90][91][92][93]. ...
Article
Full-text available
Smart grids include a variety of microprocessor-based embedded systems, interconnected with communication technologies. In this interaction, hardware is the lower level of abstraction. Insecure and unprotected hardware design of smart grid devices enable system operation compromise, eventually leading to undesirable and often severe consequences. In this paper, we discuss how the hardware of grid equipment can be used to collect intelligence utilized towards beneficial or malicious purposes. We consider different access scenarios and attacker capabilities as well as equipment location in the grid. The outcome of “hardware hacking” is examined in both device and grid operation levels. Finally, we present hardware hardening techniques, aiming to make components attack-resistant and reduce their vulnerability surface.
... The KRG process consists of the same steps as RG, but additionally requires identification of knowledge assets that can be damaged based on the KS risks presented in Table 2. Identification of knowledge assets affected by knowledge risks is required for visibility of these assets, which is a necessary precondition for the identification of knowledge risks (Bayer and Maier, 2007;Di Gangi et al., 2012). To identify the knowledge risks different sources can be used, such as review of contracts, policies and their compliance, penetration tests for IT systems or analysis of dependencies on knowledge assets (Swanson, 2001;Di Gangi et al., 2012;Jacobson, 2011). ...
Conference Paper
Full-text available
Recent developments in Knowledge Sharing (KS) have heightened the need for security. However, there has been little discussion about ‘how to’ integrate security into KS models effectively. This research addresses this gap by proposing a KS Risk Governance (KSRG) framework and a research model based on the framework to integrate security into KS through Knowledge Risk Governance (KRG). The role of KRG in the model is identified as a moderator which would influence the risks of KS. The potential constructs for the model are identified through literature review. Social Exchange Theory (SET) is selected as the theoretical framework to describe KS behaviour and identify the formative constructs of KRG. The results of this study indicate that (1) SET factors are positively associated with KS behaviour, (2) KRG moderates the relationship between the SET factors and KS behaviour and (3) KS via KRG as a moderating construct will reduce the risks of KS. Therefore, the KSRG framework provides a helpful guideline for senior managers auditing their organization's current KS strategy and requirements for reduction of KS risks.
... The metric in [15] is focused on the discovery of zero-day vulnerabilities. [16,17,18,19] review alternative security metrics. [20] is similar to the security stress as it considers the amount of work to attack a system. ...
Conference Paper
Full-text available
CyVar extends the Value-At-Risk statistics to ICT systems under attack by intelligent, goal oriented agents. CyVar is related to the time it takes an agent to acquire some access privileges and to the one it owns these privileges. To evaluate the former time, we use the security stress, a synthetic measure of the robustness of an ICT system. We approximate this measure through the Haruspex suite, an integrated set of tools that supports ICT risk assessment and management. After defining CyVar, we show how it supports the evaluation of three versions of an industrial control system.
... Information Security can be defined as the process by which digital information assets are protected in order to ensure the main security goals. These are : a) Confidentiality -to ensure that information assets are not disclosed to individuals or systems that are not authorised to receive them [7]. It is also defined as the process of making sure that data assets remain secret and confidential, and that they cannot be viewed by unauthorised users, b) Integrity -To ensure that information assets cannot be modified by any other party without authorisation. ...
Conference Paper
Full-text available
The main concern of most security experts in recent years is the need to mitigate insider threats. However, leaking and selling data these days is easier than before; with the use of the invisible web, insiders can leak confidential data while remaining anonymous. In this paper, we give an overview of the various basic characteristics of insider threats. We also consider current approaches and controls for mitigating the level of such threats by broadly classifying them into two categories.
... Management, Operational, and Technical (Swanson, 2001;Savola, 2007). ...
... Some of these taxonomies have been developed for practitioners. Therefore they do not cover the whole spectrum of existing security metrics as they are industry oriented and try to fulfill the requirements of the market [22], [21]. Others [19] present a high level taxonomy containing metrics for both organizational information security management and product development. ...
Article
Full-text available
As the Internet of Things (IoT) pervasively extends to all facets of life, the "Things" are increasingly extending to include the interconnection of the Internet to Critical Infrastructures (CI) such as telecommunication, power grid, transportation, e-commerce systems, etc. The objective of this paper is twofold: (i) addressing IoT from a CI protection (CIP) and connectivity viewpoint, and (ii) highlighting the need for security quantification to improve the quality of protection (QoP) of CIs. Using a financial infrastructure as an example, a CIP and trust quantification perspective is built up in the EC CoMiFin project [5]. To this end, we are developing a novel security metrics-based approach to assess and thereon enhance the CIP. We focus on the communication level of the CI where IoT is playing an increasingly important role with respect to sensing and communication across CI elements. CI monitoring and notification get a special consideration in our approach. Determining the security and dependability level of the communication over the CI constitutes a basic precondition for assessing the QoP of the whole CI, which is needed for any effort to improve this QoP. Furthermore, the parameters defining the required level of the QoP, determined in terms of Service Level Agreements (SLA), need to be taken into consideration. Thus, monitoring and measuring quantitatively the dependability and security using appropriate metrics is essential for realizing the target-performance comparison of the QoP. As metrics play a central role for such quantification, this paper develops their QoP usage from an IoT perspective.
... Furthermore, we explore the Security Evaluation Testing Mechanism from overseas information technology and take Public Key Infrastructure (PKI) for example so as to propose the established plan of Information Technology (IT) security evaluation testing laboratory which conforms to international paradigms. According to some of international information technology security evaluation standards [4][5][6][7][8][9][10], this paper, in Section 2 and 3, took PKI for instance and investigated the differences which information security product certification and validation mechanisms in our country should do and actually do to achieve the aforementioned prospect. In Section 4, we proposed the draft of information technology security certification systems in our country conforming to international paradigms and made a conclusion. ...
Conference Paper
On February 5, 2001, the Executive Yuan of the Republic of China (R.O.C) passed and sent out the "National Information and Communication Infrastructure Security Mechanism Plan" to each of its subordinate authorities, requesting active cooperation. That's how a brand new era of information security began in Taiwan, R.O.C. The "Information Security Evaluation Testing Laboratory" serves as the foundation for the "information and communication network resources can be fully used in an obstacle free and secure environment by year 2008" - the vision stated in the "Challenge 2008 - National Development Plan". Based on Information Assurance, this paper investigates the Information Security Evaluation Testing Laboratory concerning the security evaluation of Component in Information product/system, Package, and Target of Evaluation (TOE) respectively. We also proposed a draft scheme of information system security certification mechanism conforming to international standards and came up with a conclusion.
... This provided an initial basis around which to organize a taxonomy of security metrics [6]. The U.S. National Institute of Standards and Technology (NIST) presents security metrics taxonomies in NIST Special Publication 800-26 [7] and 800-55 [8], which suggest useful metrics in different areas and applications. ...
Conference Paper
With technology advances in recent years, security problems have become more important. Security measurement and monitoring help system developers to design and assure secure systems. Today security metrics are used in a variety of fields, such as the software development process. Secure software cannot intentionally be forced to fail and remains correct and predictable in spite of intentional efforts. Determining software security metrics during its development phases assures its quality and security. Good metrics should be specific, measurable, repeatable and time dependent. The method of this paper proposes some security metrics in different software development phases and validates them based on some standardized criteria. Different phases have different metrics that are defined based on their results and products. By using the proposed security metrics during the software development cycle, the final product will be secure and qualified.
... Swanson suggests a self-assessment questionnaire to assess organizational security [112]. Several controls are inspected (management, operational, and technical controls): for each of them, a set of questions needs to be answered according to a five-level scale. ...
Chapter
This volume explores IoT architectures, their configuration, and operability in wireless sensor networks. The topics are spread across nine structured chapters covering fundamental and applied knowledge about wireless sensor networks using IoT devices. The book starts with an introduction to the subject, giving readers a quick overview of IoT enabled networks and bio-inspired approaches towards network design. This is followed by chapters explaining optimized routing protocols for accident detection, efficiency and performance analysis. The book concludes with four chapters dedicated to security applications of wireless networks, for homes, urban areas and businesses. Overall, the volume gives a balance of theoretical and practical information for readers. The book is intended as a resource for graduate and postgraduate students for understanding network design for home and embedded applications, specifically using single board computing devices. It also serves as a guide for networking courses and assessments.
Technical Report
Full-text available
This deliverable (D3.6) is part of Task 3.6 to validate the technologies used for anomaly detection on the DOMINOES platform. First of all, we introduce five use cases that usually come to the attention of cyber security systems. Afterwards, we explain twelve machine learning methods that can be used for anomaly detection on the DOMINOES platform. Experiments show that the performance of these machine learning algorithms is data dependent and there is no method that consistently performs better than the others in this study. This is followed by the introduction and evaluation of an integrated cyber security framework for anomaly detection. Five use cases are further investigated using the proposed cyber security framework. Results have shown that KNN outperforms the other machine learning algorithms for easier binary classification tasks while other algorithms perform better on harder multi-class classification tasks. In summary, this deliverable reports the validation tests carried out on part of the DOMINOES platform to detect any abnormal event that may affect its clients.
Chapter
In this chapter, the authors collected and defined different types of case studies based on cyber forensics. They tried to gather the latest as well as the oldest case studies. This chapter will help those who want to study different categories of cyber care and their forensics studies. The following scenarios are specific examples of the problems that have been faced by various organizations in the past. For reasons of client confidentiality and legal sensitivity, actual names have been changed.
Book
Book with the selected papers of the CRITIS 2018 conference in Kaunas, Lithuania
Article
The identification of Critical Information Infrastructure (CII) services has become a top priority for governments and organizations, and is a crucial component of a sound cyber security policy. As the interconnectivity of essential services spreads, the probability of disruptions increases as does the vulnerability of all Critical Infrastructure (CI) sectors. The impact of an undue interruption of essential services may initiate a devastating cascading effect and the collapse of a country's infrastructures system. The purpose of this work is to propose a framework for countries that are in the process of defining CII or that wish to reassess their definitions to enhance security measures. This paper proposes a methodology that supports the escalated identification of CII services on the basis of two analytical components: the identification of main stakeholders; and, an illustrative framework called the 360-DEGREE-FEEDBACK that seeks to apply a comprehensive and beneficial framework for security and analyses. This study combines qualitative and quantitative methods, benchmarking theoretical contributions, and relying mainly on documentary analysis and secondary statistical data from official sources.
Article
Full-text available
The state of information system security is described with a large number of features and indicators for different areas of information security. Depending on the area of business in the company and the security objectives, effective security management requires selecting appropriate indicators and establishing a process for their monitoring and measurement. Systematic application of such indicators is usually defined as a metric of standardized measures and methods of measurement and interpretation of results. Although in the literature we can find examples of such indicators and specific suggestions about how to collect and measure them, the whole area of information security measurement is still unexplored. The focus of this paper is to recapitulate past experience and results in the systematization and structuring of security indicators, which is not completely clarified. The aim is to identify existing experiences concerning the application of security metrics as an instrument of evaluation and assessment of information system security.
Conference Paper
With the development of information technology, the network connection between industrial control systems (ICS) and information technology (IT) is becoming closer and closer. What's more, the security issues of traditional IT systems are also becoming more prominent in industrial control systems. Early industrial control systems mainly used a physical isolation approach to protect security. In this paper, we review the characteristics and reference models of industrial control systems and analyze the current security status of industrial control systems. Moreover, we propose a defense-in-depth system and security policies of active protection and passive monitoring for these security issues. Besides, we also discuss the key technologies and summarize the full text.
Conference Paper
It is an open challenge for virtualization technology architects to provide security to a Virtual Machine (VM), in the presence of an infected hypervisor, without much compromise on performance. A few hardware modifications have been introduced by manufacturers like Intel and AMD to provide a secure VM environment with low performance degradation. These solutions are unable to provide VM isolation in the presence of an infected hypervisor. In this paper we propose a novel memory architecture model that can provide a secure physical memory region to each VM without performance degradation.
Chapter
Our life is moving to the digital world. The changing landscapes of life are forcing us to change the way we deal with things. Living in an always on and always connected world makes our life easier and more convenient. Smart homes automatically adapt to the environmental conditions with respect to heating and cooling; smart cars adapt to traffic conditions and situations (e.g., accident or congestion); smart health systems monitor our health condition and smart entertainment adapts to our mood. A lot of “smart things” make our lives more convenient. Social networks, online banking, e-health, e-marketplaces are other examples of the networked society.
Conference Paper
The security stress is a synthetic evaluation of how an ICT infrastructure resists attacks. We define the security stress and show how it is approximated through the Haruspex suite. Then, we show how it supports the comparison of three versions of an industrial control system. Haruspex is a suite of tools that apply a Monte Carlo method and support a scenario-based assessment where in each scenario intelligent agents compose attacks to reach some predefined goals.
Article
Full-text available
Every sector in the global economy, from energy, through transportation, finance and banking, telecommunications, public health, emergency services, water, chemical, defense, right down to the industrial and agriculture sectors, is totally dependent on the reliable functioning of its IT assets. Thus anything that threatens these effectively poses a threat to our way of life. And accordingly, almost any effort expended to protect them is both justifiable and necessary. So the obvious question is: what is the current state of affairs?
Article
Security is most effective if it is planned and managed throughout an organization's Systems Development Life Cycle (SDLC). Many security risks, analyses, and events occur during a system's or application's lifetime, and these issues should be dealt with from the initial planning stages and continue through all phases of the SDLC. Many systems today must also address Certification and Accreditation (C&A) before going operational. C&A facilitates including security as an element of the SDLC, assuring that a clear set of Security Requirements is developed and implemented, that residual risk is minimized and clearly understood, and that all security controls developed and deployed in the final operational system are documented in a System Security Plan. This paper examines the role of security engineering and its activities throughout the SDLC and the C&A process, the guidance that helps define the Security Requirements, and the roles of the people involved, to provide a basic understanding of security engineering as it applies to C&A throughout the SDLC. One of the objectives of this paper is to help Program Managers understand the C&A process and incorporate it into program plans and schedules.
Article
Full-text available
Today, many organizations state their intent to obtain ISO/IEC 27001:2005 certification. Also, some organizations are en route to certification or already certified. The certification process requires performing a risk analysis in the specified scope. Risk analysis is a challenging process, especially when the topic is information security. Today, a number of methods and tools are available for information security risk analysis. The hard task is to use the best fit for the certification. In this work we have proposed a process-based risk analysis method which is suitable for ISO/IEC 27001:2005 certifications. Our risk analysis method allows the participation of staff in the determination of the scope and provides a good fit for the certification process. The proposed method has been conducted for an organization and the results of the application are shared with the audience. The proposed collaborative risk analysis method allows for the participation of staff and managers while still being manageable in a timely manner to uncover crucial information security risks.
Article
The security of an information system is like a chain. Its strength is affected by the weakest knot. Since we can achieve 100% Information Security Management System (ISMS) security, we must cautiously fulfill the certification and accreditation of information security. In this paper, we analyzed and studied the evaluation knowledge and skills required for auditing the certification procedures for the three aspects of ISMS: asset, threat, and vulnerability.
Article
The purpose of the present study is to empirically examine factors that affect the information security awareness and perceived information security risk of employees of port companies. In particular, in order to identify factors that affect the perceived information security risks, we investigated the relation of assets, threats, and vulnerabilities to it, using the risk analysis methodology. With a total of 252 valid questionnaires, we also performed structural equation modeling analysis using AMOS. It was found that, first, there was no meaningful relationship between the information assets and the perceived information security risk in the case of employees of port companies. Second, threats and vulnerabilities turned out to have positive influences on the perceived information security risk. Finally, there was a positive relationship not only between information security awareness and information security education, but also between information security awareness and the intention of information security. However, there was no meaningful relationship between information security concern and information security awareness.
Article
An estimation model is needed that efficiently and correctly estimates an organization's information security level in order to achieve the organization's information security targets effectively. Also, to estimate the class information security level, a reformable estimation indicator or standard and an estimation methodology for information security systems that can be applied should be studied in our country. Therefore many research centers, including ISO, are preparing measuring and evaluating methods for network duality. This study will present an evaluating model for network security based on a checklist. In addition, we propose a measuring and evaluating method for network performance. The purpose of the two studies is to present the evaluating procedure and method for measuring the security of a network; the set of work will be identified and a measuring method and procedure will be proposed.
Article
To adapt continuously to changes in the firm's environment, the customer relationship management system is key: it monitors external changes and adapts internal cultures and processes in response to external challenges. Increasing use of customer relationship management systems in competitive business environments has given rise to various kinds of security problems. This paper reviews previous studies on customer relationship management systems, protection of customer information, and evaluation of information security systems. Finally, considering the characteristics of customer relationship management systems and security evaluation methodology, this paper suggests assessment criteria for the security risks of customer relationship management systems.
Article
In order for agencies and companies in the IT service industry to check as well as to upgrade the current status of their information security programs, this paper suggests an assessment method for information security levels. The study developed 12 assessment fields and 54 assessment items derived from domestic and foreign cases including SP800-26, SP800-53, ISMS, and ISO27001. It categorized the 54 assessment items into 5 levels for determining information security levels. Also, the study presents 7 strategies for performing efficient evaluations. The proposed method and process in this paper can be useful guidelines for improving the national information security level.
Conference Paper
In this paper we present an example of a senior/graduate level course focused on standards and processes in Information Assurance. Our claim is that this course design can be used as a model for a capstone course in Information Assurance. The premise is that standards represent a knowledge base enabling a comprehensive treatment of Assurance Processes at the system level, and that, consequently, a standards-based approach is appropriate for a capstone concentrated on using lessons learned. Our capstone course intent is the education of Information Systems Security Officers (ISSO) in compliance with NSA training standard requirements CNSS 4014, and a standards-based course fits that requirement.
Article
Full-text available
The cyber security modeling language (CySeMoL) is a modeling language for enterprise-level system architectures coupled to a probabilistic inference engine. If the computer systems of an enterprise are modeled with CySeMoL, this inference engine can assess the probability that attacks on the systems will succeed. The theory used for the attack-probability calculations in CySeMoL is a compilation of research results on a number of security domains and covers a range of attacks and countermeasures. The theory has previously been validated on a component level. In this paper, the theory is also validated on a system level. A test indicates that the reasonableness and correctness of CySeMoL assessments compare with the reasonableness and correctness of the assessments of a security professional. CySeMoL's utility has been tested in case studies.
Article
In the previous edition of Network Security, I explored the history of vulnerability management, and concluded that conventional approaches to fighting attack were destined for failure in the light of dynamic and aggressive threat evolution in the modern blackhat community. The bottom line is that vulnerability scanning tools are gradually losing the battle against an attacker community that is becoming faster and more adept at developing zero-day exploits. This second and final part of the article will provide a brief description of how we might reinvent the vulnerability management process.
Article
Like all business disciplines, IT systems and security policies develop and mature over time. As threat levels increase and the need for corporate compliance in this area grows, IT systems and security become vital to a company's overall business strategy. Current corporate-level interest in IT security is demonstrated by the fact that senior management and board level executives are increasingly being made responsible for implementing and managing key IT security systems and policies.
Policies and Data Collection on Federal Web Sites
Office of Management and Budget, Memorandum 00-13, Policies and Data Collection on Federal Web Sites, June 22, 2000.
Paperwork Reduction Act of 1995, 35 U.S. Code 44, January 4, 1995.
Draft - Rev. A NIST Special Publication 800-XX, Risk Management Guide
Stoneburner, Gary, Draft - Rev. A NIST Special Publication 800-XX, Risk Management Guide, February 16, 2001.
NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
Swanson, Marianne and Federal Computer Security Program Managers' Forum Working Group, NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, Gaithersburg, MD, National Institute of Standards and Technology, December 1998.