
Toward a Context-Aware Methodology for Information Security Governance Assessment Validation

  • Conference paper
  • Cyber-Physical Security for Critical Infrastructures Protection (CPS4CIP 2020)

Abstract

Conducting a cybersecurity assessment is a central activity in protecting a generic organization from cyber-attacks. Several methods exist in research and industry to assess the security level of an organization, ranging from manual activities to automated attack graphs. Unfortunately, automated approaches fail to take into account the governance aspect, which still needs to be evaluated manually by the assessor, introducing possible biases or problems deriving from the assessor's level of expertise. In this paper, we provide a methodology to support the assessor in the task of evaluating the coverage of cybersecurity controls coming from technical standards, regulations and internal practices. This is done by providing the assessor with a multi-layer model that takes into account several organizational layers, a mapping procedure to tie the security controls to the multi-layer model, and the definition of a validation factor that can be used to refine the level of coverage and to suggest the layers where evidence should be collected to verify and assess the coverage of a security control. A usage scenario based on ISO 27001 provides an initial validation of our approach. Development of this methodology is on-going toward its application in support of broader cyber-risk assessment activities through discounting risk factors.

This work has been partially supported by the EU H2020 PANACEA project under the Grant Agreement n. 826293.


Notes

  1. https://www.panacearesearch.eu.
  2. The complete mapping can be found at the following link: https://drive.google.com/file/d/1PHEbU38H4NtyzLiqHrZ-YczN-4NhBe5z/view.



Corresponding author

Correspondence to Marco Angelini.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Angelini, M., Bonomi, S., Ciccotelli, C., Palma, A. (2021). Toward a Context-Aware Methodology for Information Security Governance Assessment Validation. In: Abie, H., et al. Cyber-Physical Security for Critical Infrastructures Protection. CPS4CIP 2020. Lecture Notes in Computer Science(), vol 12618. Springer, Cham. https://doi.org/10.1007/978-3-030-69781-5_12


  • DOI: https://doi.org/10.1007/978-3-030-69781-5_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-69780-8

  • Online ISBN: 978-3-030-69781-5

  • eBook Packages: Computer Science (R0)
