Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management.
Cybersecurity
MCDA
risk management
vulnerability assessment
Journal
Risk analysis: an official publication of the Society for Risk Analysis
ISSN: 1539-6924
Abbreviated title: Risk Anal
Country: United States
NLM ID: 8109978
Publication information
Publication date: January 2020
History:
received: 9 August 2016
revised: 11 February 2017
accepted: 15 July 2017
pubmed: 6 September 2017
medline: 6 September 2017
entrez: 6 September 2017
Status: ppublish
Abstract
Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.
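The abstract describes scoring management alternatives on criteria that cover threat, vulnerability and consequence and then ranking them by overall utility under stakeholder weights. The following is an added illustrative example, written for this page and not the paper's own model or case study: a simple additive multi-criteria ranking of five hypothetical alternatives, with a second weight scenario that shows how the preferred option changes with stakeholder values. Every criterion, alternative, raw score and weight below is constructed for illustration.

```python
"""Additive multi-criteria ranking of cybersecurity management alternatives.

Example code for this page, not the paper's own model. Criteria are grouped
under the components of the risk triplet (threat, vulnerability, consequence)
plus implementation cost. Raw scores are min-max normalised so that 1.0 is
always best, then combined with stakeholder weights into one utility per
alternative. All names, scores and weights are constructed for illustration.
"""

# criterion -> (group, direction); 'cost' criteria are better when lower.
CRITERIA = {
    "deterrence_score": ("threat", "benefit"),
    "exposed_services": ("vulnerability", "cost"),
    "patch_lag_days": ("vulnerability", "cost"),
    "downtime_hours": ("consequence", "cost"),
    "capex_musd": ("cost", "cost"),
}

# Five hypothetical alternatives with constructed raw scores.
ALTERNATIVES = {
    "A1 status quo": {"deterrence_score": 2, "exposed_services": 40,
                      "patch_lag_days": 30, "downtime_hours": 48, "capex_musd": 0.0},
    "A2 patch programme": {"deterrence_score": 3, "exposed_services": 40,
                           "patch_lag_days": 7, "downtime_hours": 24, "capex_musd": 1.0},
    "A3 network segmentation": {"deterrence_score": 4, "exposed_services": 10,
                                "patch_lag_days": 30, "downtime_hours": 12, "capex_musd": 2.5},
    "A4 MFA and monitoring": {"deterrence_score": 7, "exposed_services": 30,
                              "patch_lag_days": 30, "downtime_hours": 16, "capex_musd": 1.5},
    "A5 comprehensive programme": {"deterrence_score": 6, "exposed_services": 10,
                                   "patch_lag_days": 7, "downtime_hours": 6, "capex_musd": 5.0},
}

# Hypothetical stakeholder weights over the criterion groups (each sums to 1).
WEIGHT_SCENARIOS = {
    "balanced": {"threat": 0.30, "vulnerability": 0.25, "consequence": 0.30, "cost": 0.15},
    "budget-constrained": {"threat": 0.25, "vulnerability": 0.20, "consequence": 0.20, "cost": 0.35},
}


def normalise(alternatives, criteria):
    """Min-max scale every criterion to [0, 1] with 1.0 = best."""
    scaled = {name: {} for name in alternatives}
    for crit, (_group, direction) in criteria.items():
        values = [alt[crit] for alt in alternatives.values()]
        lo, hi = min(values), max(values)
        for name, alt in alternatives.items():
            if hi == lo:
                s = 1.0  # criterion does not discriminate; same score for all
            elif direction == "benefit":
                s = (alt[crit] - lo) / (hi - lo)
            else:
                s = (hi - alt[crit]) / (hi - lo)
            scaled[name][crit] = s
    return scaled


def criterion_weights(criteria, group_weights):
    """Split each group's weight equally among the criteria in that group."""
    if abs(sum(group_weights.values()) - 1.0) > 1e-9:
        raise ValueError("group weights must sum to 1")
    counts = {}
    for _crit, (group, _direction) in criteria.items():
        if group not in group_weights:
            raise ValueError(f"no weight given for criterion group '{group}'")
        counts[group] = counts.get(group, 0) + 1
    return {crit: group_weights[group] / counts[group]
            for crit, (group, _direction) in criteria.items()}


def utilities(alternatives, criteria, group_weights):
    """Weighted sum of normalised criterion scores for each alternative."""
    w = criterion_weights(criteria, group_weights)
    scaled = normalise(alternatives, criteria)
    return {name: sum(w[c] * s[c] for c in criteria) for name, s in scaled.items()}


def rank(alternatives, criteria, group_weights):
    """Alternatives as (name, utility) pairs, best first."""
    u = utilities(alternatives, criteria, group_weights)
    return sorted(u.items(), key=lambda kv: kv[1], reverse=True)


def top_choice_by_scenario(alternatives, criteria, scenarios):
    """Preferred alternative under each weight scenario; a quick sensitivity check."""
    return {label: rank(alternatives, criteria, gw)[0][0] for label, gw in scenarios.items()}


if __name__ == "__main__":
    for label, gw in WEIGHT_SCENARIOS.items():
        print(f"\n{label} weights:")
        for name, u in rank(ALTERNATIVES, CRITERIA, gw):
            print(f"  {u:.3f}  {name}")
```

Under the balanced weights the comprehensive programme ranks first; once cost carries 35% of the weight, the cheaper MFA-and-monitoring option overtakes it. Running a few such weight scenarios, and recording which ones flip the top choice, is the transparent step the abstract asks for: the subjectivity is not removed, but it is made explicit in the weights rather than hidden in the selection.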
Publication types
Journal Article
Research Support, U.S. Gov't, Non-P.H.S.
Languages
eng
Citation subsets
IM
Pagination
183-199
Copyright information
Published 2017. This article is a U.S. Government work and is in the public domain in the U.S.A.