Optimal selection of IT security safeguards from an existing knowledge base

Schilling, Andreas; Werners, Brigitte

doi:10.1016/j.ejor.2015.06.048

Cited by 33 publications

(10 citation statements)

References 19 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Systematic methods for selecting security controls for IT systems either view the problem of control selection as an investment problem and apply management tools and financial analysis to optimize the selection [31], or in the context of responding to an intrusion, i.e., when a specific attack has been already detected as taking place [32]. A combinatorial optimization model to efficiently select security controls was proposed in Reference [31]. However, security control selection is still largely performed empirically, particularly for CPSs.…”

Section: Related Workmentioning

confidence: 99%

Managing Cyber Security Risks of the Cyber-Enabled Ship

Kavallieratos

Katsikas

2020

JMSE

View full text Add to dashboard Cite

One aspect of the digital transformation process in the shipping industry, a process often referred to as Shipping 4.0, is the increased digitization of on board systems that goes along with increased automation in and autonomy of the vessel. This is happening by integrating Information Technology with Operation Technology systems that results in Cyber Physical Systems on which the safe operations and sailing of contemporary and future vessels depend. Unavoidably, such highly interconnected and interdependent systems increase the exposure of the vessel’s digital infrastructure to cyber attacks and cyber security risks. In this paper, we leverage the STRIDE and DREAD methodologies to qualitatively and quantitatively assess the cyber risk of Cyber Physical Systems on board digitalized contemporary and future ships. Further, we propose appropriate cyber security baseline controls to mitigate such risks, by applying a systematic approach using a set of criteria that take into account the security requirements; the cyber risks; the possible attacks; and the possibly already existing controls, to select from the list of controls provided in the Industrial Control Systems (ICS) overlay of the NIST Guide to ICS Security. The results are expected to support the decision-making and the design of a security architecture for the cyber-enabled ship.

show abstract

Section: Related Workmentioning

confidence: 99%

Managing Cyber Security Risks of the Cyber-Enabled Ship

Kavallieratos

Katsikas

2020

JMSE

View full text Add to dashboard Cite

show abstract

“…On the other hand, the systematic selection of cybersecurity controls has been mostly examined in the literature in attempting to identify the optimal set of controls for IT systems within a specified budget; examples of such approaches are those in References [ 33 , 34 , 35 ]. The outline of a programming tool that supports the selection of countermeasures to secure an infrastructure represented as a hierarchy of components was provided in Reference [ 36 ].…”

Section: Related Workmentioning

confidence: 99%

Cyber Risk Propagation and Optimal Selection of Cybersecurity Controls for Complex Cyberphysical Systems

Kavallieratos

Σπαθούλας

Katsikas

2021

Sensors

View full text Add to dashboard Cite

The increasingly witnessed integration of information technology with operational technology leads to the formation of Cyber-Physical Systems (CPSs) that intertwine physical and cyber components and connect to each other to form systems-of-systems. This interconnection enables the offering of functionality beyond the combined offering of each individual component, but at the same time increases the cyber risk of the overall system, as such risk propagates between and aggregates at component systems. The complexity of the resulting systems-of-systems in many cases leads to difficulty in analyzing cyber risk. Additionally, the selection of cybersecurity controls that will effectively and efficiently treat the cyber risk is commonly performed manually, or at best with limited automated decision support. In this work, we propose a method for analyzing risk propagation and aggregation in complex CPSs utilizing the results of risk assessments of their individual constituents. Additionally, we propose a method employing evolutionary programming for automating the selection of an optimal set of cybersecurity controls out of a list of available controls, that will minimize the residual risk and the cost associated with the implementation of these measures. We illustrate the workings of the proposed methods by applying them to the navigational systems of two variants of the Cyber-Enabled Ship (C-ES), namely the autonomous ship and the remotely controlled ship. The results are sets of cybersecurity controls applied to those components of the overall system that have been identified in previous studies as the most vulnerable ones; such controls minimize the residual risk, while also minimizing the cost of implementation.

show abstract

“… Business impact/disruption, anticipated loss, profit reduction, fines, reputation, decline in stock price, damage [17]- [23]  Risk tolerance [12], [19], [24]; Budget [19]  Legal and regulatory [22]  Self-imposed constraints [22] Asset  Importance/value [13], [24]- [27]  Assessed risk [12], [24]  Probability of breach, event, or successful attack [13], [24], [26], [28], [29] Threat  Anticipated [25], [27], [30], [31]  Most significant [25]  Residual risk [23], [32]; Incident data [17] Control  Cost, general [12], [13], [30], [32], [18], [20]- [23], [26]- [28]  Purchase/setup [17], [24], [25], [33]- [35]  Number of controls as a proxy for cost [36]  Difficulty of implementation [25]  Operation, training, and maintenance cost [17], [24], [25],…”

Section: Organizationalmentioning

confidence: 99%

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Llansó¹,

McNeil²,

Noteboom³

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Given the increasing frequency and severity of cyber attacks on information systems of all kinds, there is interest in rationalized approaches for selecting the "best" set of cybersecurity mitigations. However, what is best for one target environment is not necessarily best for another. This paper examines an approach to selection that uses a set of weighted criteria, where the security engineer sets the weights based on organizational priorities and constraints. The approach is based on a capability-based representation for cybersecurity mitigations. The paper discusses a group of artifacts that compose the approach through the lens of Design Science research and reports performance results of an instantiation artifact.

show abstract

Optimal selection of IT security safeguards from an existing knowledge base

Cited by 33 publications

References 19 publications

Managing Cyber Security Risks of the Cyber-Enabled Ship

Managing Cyber Security Risks of the Cyber-Enabled Ship

Cyber Risk Propagation and Optimal Selection of Cybersecurity Controls for Complex Cyberphysical Systems

Multi-Criteria Selection of Capability-Based Cybersecurity Solutions

Contact Info

Product

Resources

About