Cybersecurity vulnerability mitigation framework through empirical paradigm: Enhanced prioritized gap analysis

Abstract

Existing cybersecurity vulnerability assessment tools were designed around the policies and standards defined by organizations such as the U.S. Department of Energy and the National Institute of Standards and Technology (NIST). Frameworks such as the Cybersecurity Capability Maturity Model (C2M2) and the NIST Cybersecurity Framework (CSF) are often used by critical infrastructure owners and operators to determine the cybersecurity maturity of their facilities. Although these frameworks are well suited to qualitative cybersecurity analysis and to identifying vulnerabilities, they do not provide a means of prioritizing the mitigation of those vulnerabilities in order to reach a desired cybersecurity maturity level. To address that gap, we developed a framework and software application called the Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm (CyFEr). This paper presents the detailed architecture of CyFEr's enhanced prioritized gap analysis (EPGA) methodology and its application to the CSF. The efficacy of the framework is demonstrated by comparing it against existing similar models and by testing it against the cyber injects from a real-world cyber-attack that targeted industrial control systems (ICS) in critical infrastructure.