Abstract: This paper examines how cybersecurity is developing and how it relates to more conventional information security. Although information security and cyber security are sometimes used synonymously, this study contends that they are not the same. The concept of cyber security is explored, which goes beyond protecting information resources to include a wider variety of assets, including people [1]. Protecting information assets is the main goal of traditional information security, with some consideration of the human element and how people fit into the security process. Cyber security, on the other hand, adds a new level of complexity, as people might unintentionally contribute to cyberattacks or become their targets. This aspect raises moral questions, since it is becoming more widely accepted that society has a duty to protect its more vulnerable members, including children [1]. The study emphasizes how important cyber security is on a larger scale, with many countries creating plans and laws to counteract cyberattacks. Nevertheless, many of these sources neglect to define the differences or the relationship between information security and cyber security [1]. The paper focuses on differentiating between cybersecurity and information security on a larger scale. The study also highlights other areas of cybersecurity, which include defending people, social norms, and vital infrastructure from threats that arise online, in addition to protecting information and technology. It contends that ethical issues and the human factor are becoming more and more important in protecting assets in the digital age, and that cyber security represents a paradigm shift in this regard [1].
Funding: Supported by the National Natural Science Foundation of China (No. 60605019)
Abstract: In order to understand the security conditions of an incomplete interval-valued information system (IIIS) and obtain the corresponding solution to its security problems, this paper proposes a multi-attribute group decision-making (MAGDM) security assessment method based on the technique for order preference by similarity to ideal solution (TOPSIS). For an IIIS with preference information, combined with the dominance-based rough set approach (DRSA), the effect of incomplete interval-valued information on the decision results is discussed. For imprecise judgment matrices, the security attribute weights can be obtained using Gibbs sampling. A numerical example shows that the proposed method can extract valuable knowledge hidden in the incomplete interval-valued information. The effectiveness of the proposed method for synthetic security assessment of an IIIS is verified.
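The abstract names the algorithm but does not show it. The following Python is an added example, not the paper's code: it ranks three constructed systems by security posture with interval-valued TOPSIS, treating a missing rating as the widest interval seen in its column (a stated assumption for this example, not the paper's DRSA treatment). The attribute weights are an assumed input here; the Gibbs-sampling derivation from imprecise judgment matrices is not reproduced. System names, attributes and ratings are all constructed.

```python
"""Interval-valued TOPSIS security assessment (added example, not the paper's code)."""
from typing import List, Optional, Sequence, Tuple
import math

Interval = Tuple[float, float]

# Constructed sample data: hypothetical systems and security attributes.
ATTRIBUTES = ["patch coverage %", "open critical CVEs", "mean time to detect (h)", "MFA coverage %"]
IS_BENEFIT = [True, False, False, True]  # False = lower is better (cost attribute)
WEIGHTS = [0.3, 0.3, 0.2, 0.2]           # assumed weights; must sum to 1
SYSTEMS = ["hr-portal", "legacy-erp", "ci-runner"]
RATINGS: List[List[Optional[Interval]]] = [
    [(90, 95), (0, 1), (2, 4), (85, 90)],
    [(40, 55), (5, 8), (24, 48), (10, 20)],
    [(70, 80), None, (6, 12), (60, 70)],  # CVE count for ci-runner is unknown
]


def fill_missing(matrix: Sequence[Sequence[Optional[Interval]]]) -> List[List[Interval]]:
    """Replace each missing rating with the widest interval seen in its column.

    Assumption for this example: an unknown rating is maximal uncertainty, so it
    can be as good as the best known value and as bad as the worst, and never
    lifts a system above one whose ratings are all known and at least as good.
    """
    n_cols = len(matrix[0])
    filled = [list(row) for row in matrix]
    for j in range(n_cols):
        known = [row[j] for row in matrix if row[j] is not None]
        if not known:
            raise ValueError(f"attribute {j} has no known rating in any row")
        widest = (min(lo for lo, _ in known), max(hi for _, hi in known))
        for row in filled:
            if row[j] is None:
                row[j] = widest
    return filled  # type: ignore[return-value]


def interval_topsis(matrix: Sequence[Sequence[Interval]], weights: Sequence[float],
                    is_benefit: Sequence[bool]) -> List[float]:
    """Closeness coefficient (0..1, higher is better) of each alternative.

    Steps: vector-normalise each column using both interval endpoints, weight,
    pick the positive and negative ideal per attribute, then measure the
    worst-case distance to the ideal and best-case distance to the anti-ideal.
    """
    m, n = len(matrix), len(weights)
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    norms = [math.sqrt(sum(lo * lo + hi * hi for lo, hi in (matrix[i][j] for i in range(m))))
             for j in range(n)]
    if any(norm == 0 for norm in norms):
        raise ValueError("an attribute column is all zero; it cannot be normalised")
    v = [[(weights[j] * matrix[i][j][0] / norms[j], weights[j] * matrix[i][j][1] / norms[j])
          for j in range(n)] for i in range(m)]
    pis, nis = [], []
    for j in range(n):
        los = [v[i][j][0] for i in range(m)]
        his = [v[i][j][1] for i in range(m)]
        if is_benefit[j]:
            pis.append(max(his)); nis.append(min(los))
        else:
            pis.append(min(los)); nis.append(max(his))
    closeness = []
    for i in range(m):
        d_pos = d_neg = 0.0
        for j in range(n):
            lo, hi = v[i][j]
            if is_benefit[j]:
                d_pos += (lo - pis[j]) ** 2   # pessimistic end vs ideal
                d_neg += (hi - nis[j]) ** 2   # optimistic end vs anti-ideal
            else:
                d_pos += (hi - pis[j]) ** 2
                d_neg += (lo - nis[j]) ** 2
        d_pos, d_neg = math.sqrt(d_pos), math.sqrt(d_neg)
        closeness.append(d_neg / (d_pos + d_neg) if d_pos + d_neg else 1.0)
    return closeness


def rank_systems(names: Sequence[str], matrix, weights, is_benefit) -> List[Tuple[str, float]]:
    """Fill gaps, score, and return (name, closeness) sorted best first."""
    scores = interval_topsis(fill_missing(matrix), weights, is_benefit)
    return sorted(zip(names, scores), key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_systems(SYSTEMS, RATINGS, WEIGHTS, IS_BENEFIT):
        print(f"{name:12s} closeness = {score:.3f}")
```

The widening rule for the unknown CVE count is what keeps ci-runner below hr-portal even though its known ratings are respectable: the pessimistic endpoint of the filled interval is charged against it in the distance to the ideal, which is the conservative behaviour an assessor usually wants when data is missing rather than favourable.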
Abstract: Our dependence on software in every aspect of our lives has exceeded the level expected in the past. We have reached a point where we cannot do without technology, and it has made life much easier than before. The rapid adoption of technology in different aspects of life has made it affordable and has led to even stronger adoption in society. As technology advances, almost every kind of system is now connected to the network: infrastructure, automobiles, airplanes, chemical factories, power stations, and many other business- and mission-critical systems. Because of our high dependence on technology in most, if not all, aspects of life, a system failure is considered very critical and might harm the surrounding environment or put human life at risk. We apply our conceptual framework to the integration of security and safety by creating a SaS (Safety and Security) domain model. Furthermore, we demonstrate that the goal-oriented KAOS (Knowledge Acquisition in automated Specification) language can be used in threat and hazard analysis to cover both the safety and security domains, making their outputs, or artifacts, well-structured and comprehensive, which results in dependability due to the comprehensiveness of the analysis. The conceptual framework can thereby act as an interface for active interaction between risk and hazard management in terms of universal coverage, and as a way to resolve differences and contradictions by integrating the safety and security domains and using a unified system analysis technique (KAOS) that provides analysis centrality.
For validation we chose the Systems-Theoretic Accident Model and Processes (STAMP) approach and its modelling languages, namely System-Theoretic Process Analysis (STPA) on the safety side and System-Theoretic Process Analysis for Security (STPA-Sec) on the security side, as the basis of an experiment compared against what was done in SaS. The concepts of the SaS domain model were applied to the STAMP approach using the same example, @RemoteSurgery.
Abstract: The purpose of this research is to investigate the decision-making process for cybersecurity investments in organizations through the development and use of a digital cybersecurity risk management framework. The initial article, Optimum Spending on Cybersecurity Measures, published on Emerald Insight at https://www.emerald.com/insight/1750-6166.htm, contains the detailed literature review and the data results from Phase I and Phase II of this research [1]. This article highlights the research completed in the area of organizational decision-making on cybersecurity spend. Building on a review of additional studies, this research uses a regression framework and a case study methodology to demonstrate that effective risk-based decisions are necessary when implementing cybersecurity controls. Through regression analysis, the effectiveness of the cybersecurity measures currently implemented in organizations is explored by connecting a dependent variable with several independent variables. The focus of this article is on the strategic decisions made by organizations when implementing cybersecurity measures.
This research belongs to the area of risk management and draws on models from the fields of 1) information security; 2) strategic management; and 3) organizational decision-making to determine optimum spending on cybersecurity measures for risk-taking organizations. It resulted in the development of a cyber risk investment model and a digital cybersecurity risk management framework. Using a case study methodology, this model and framework were used to evaluate and implement cybersecurity measures.
The case study provides an in-depth view of a risk-taking organization's risk mitigation strategy within the bounds of the educational environment, focusing on five areas identified within a digital cyber risk model: 1) technology landscape and application portfolio; 2) data-centric focus; 3) risk management practices; 4) cost-benefit analysis for cybersecurity measures; and 5) strategic development. The outcome of this research provides greater insight into how an organization makes decisions when implementing cybersecurity controls. The research shows that most organizations are diligently implementing security measures to monitor and detect cyber security attacks; specifically, risk-taking organizations implemented cybersecurity measures to meet compliance and audit obligations with an annual spend of $3.18 million. It also indicated that 23.6% of risk-taking organizations incurred more than 6 cybersecurity breaches, with an average dollar loss of $3.5 million.
In addition, the impact of a cybersecurity breach on risk-taking organizations is as follows: 1) data loss; 2) brand/reputational impact; 3) financial loss and fines; 4) increased oversight by regulators/internal audit; and 5) customer/client impact. The implications of this research for practice are extensive, as it covers a broad range of areas including risk, funding, and the type and impact of the cyber security breaches encountered. The survey study clearly demonstrated the need to develop and use a digital cybersecurity risk management framework that integrates current industry frameworks into risk management practice, including continuous compliance management. Such a framework would provide a balanced approach to managing the gap between a risk-taking organization and a risk-averse organization when implementing cybersecurity measures.
Funding: AETHER-UCLM (PID2020-112540RB-C42) funded by MCIN/AEI/10.13039/501100011033, Spain; ALBA-UCLM (TED2021-130355B-C31, id.4809130355-130355-28-521) and ALBA-UC (TED2021-130355B-C33, id.3611130630-130630-28-521) funded by the "Ministerio de Ciencia e Innovacion", Spain; supported by the European Union's Horizon 2020 Project "CyberSANE" under Grant Agreement No. 833683.
Abstract: The information society depends increasingly on risk assessment and management systems as a means to adequately protect its key information assets. The availability of these systems is now vital for the protection and evolution of companies. However, several factors have led to an increasing need for more accurate risk analysis approaches: the speed at which technologies evolve, their global impact, and the growing requirement for companies to collaborate. Risk analysis processes must consequently adapt to these new circumstances and new technological paradigms. The objective of this paper is therefore to present the results of an exhaustive analysis of the techniques and methods offered by the scientific community, with the aim of identifying their main weaknesses and providing a new risk assessment and management process. This analysis was carried out using the systematic review protocol and found that these proposals do not fully meet the new needs. The paper also presents a summary of MARISMA, the risk analysis and management framework designed by our research group. The framework is based on the main existing risk standards and proposals and seeks to address the weaknesses found in them. MARISMA is in a process of continuous improvement, as it is being applied by customers in several European and American countries. It consists of a risk data management module, a methodology for its systematic application, and a tool that automates the process.