Design Considerations for a Cyber Incident Mission Impact Assessment (CIMIA) Process

Abstract: Virtually all modern organizations have embedded information systems and networking technologies into their core business processes as a means to increase operational efficiency, improve decision making quality, reduce delays, and/or maximize profit. Unfortunately, this dependence can place the organization's mission at risk when the loss or degradation of the confidentiality, integrity, availability, non-repudiation, or authenticity of a critical information resource or flow occurs. In this paper, we motivate design considerations for an information asset-based Cyber Incident Mission Impact Assessment (CIMIA) process whose goal is to provide decision makers with timely notification and relevant impact assessment, in terms of mission objectives, from the time an information incident is declared until the incident is fully remediated.
