Abstract
Conducting a cybersecurity assessment is a central activity in protecting a generic organization from cyber-attacks. Several methods exist in research and industry to assess the security level of an organization, from manual activities to automated attack graphs. Unfortunately, automated approaches fail in taking into account the governance aspect that still need to be evaluated manually by the assessor, introducing possible biases or problems deriving from the level of expertise. In this paper, we provide a methodology to support the assessor in the task of evaluating the coverage of cybersecurity controls coming from technical standards, regulations, internal practices. This is done by providing him/her with a multi-layer model that takes into account several organizational layers, a mapping procedure to tie the security controls to the multi-layer model, and the definition of a validation factor that can be used to possibly refine the level of coverage and to suggest possible layers where evidences should be collected to verify and assess the coverage of a security control. A usage scenario provides an initial validation of our approach based on ISO 27001. Developments of this methodology are on-going toward its application to the support of broader cyber-risk assessment activities through discounting risk factors.
This work has been partially supported by the EU H2020 PANACEA project under the Grant Agreement n. 826293.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
The complete mapping can be found at the following link: https://drive.google.com/file/d/1PHEbU38H4NtyzLiqHrZ-YczN-4NhBe5z/view.
References
Angelini, M., Blasilli, G., Catarci, T., Lenti, S., Santucci, G.: VULNUS: visual vulnerability analysis for network security. IEEE Trans. Visual Comput. Graphics 25(1), 183–192 (2019)
Angelini, M., Bonomi, S., Borzi, E., Pozzo, A.D., Lenti, S., Santucci, G.: An attack graph-based on-line multi-step attack detector. In: Proceedings of the 19th International Conference on Distributed Computing and Networking. ICDCN 2018, Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3154273.3154311
ANSSI: EBIOS Risk Manager. https://www.ssi.gouv.fr/en/guide/ebios-risk-manager-the-method/. Accessed 12 July 2020
Beckers, K., Heisel, M., Krautsevich, L., Martinelli, F., Meis, R., Yautsiukhin, A.: Determining the probability of smart grid attacks by combining attack tree and attack graph analysis. In: Cuellar, J. (ed.) SmartGridSec 2014. LNCS, vol. 8448, pp. 30–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10329-7_3
Bonomi, S., et al.: Understanding human impact on cyber security trough multilayer attack graphs. Technical report, Department of Computer, Control and Management Engineering, Sapienza University of Rome (2020). https://bonomi.diag.uniroma1.it/research/publications
CLUSIF: MEHARI (MEthod for Harmonized Analysis of RIsk). http://meharipedia.x10host.com/wp/. Accessed 12 July 2020
Gonzalez Granadillo, G., et al.: Dynamic risk management response system to handle cyber threats. Future Gener. Comput. Syst. 83, 535–552 (2018). https://doi.org/10.1016/j.future.2017.05.043
Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC 2006, USA, pp. 121–130. IEEE Computer Society (2006). https://doi.org/10.1109/ACSAC.2006.39
Jajodia, S., Noel, S.: Topological vulnerability analysis. In: Jajodia, S., Liu, P., Swarup, V., Wang, C. (eds.) Cyber Situational Awareness. Advances in Information Security, pp. 139–154. Springer, Boston (2010). https://doi.org/10.1007/978-1-4419-0140-8_7
Williams, J.: OWASP Risk Rating Methodology. https://owasp.org/www-community/OWASP_Risk_Rating_Methodology. Accessed 12 July 2020
Coventry, L., et al.: D2.2 - Human Factors, Threat Models Analysis and Risk Quantification. PANACEA Project https://www.panacearesearch.eu
LeMay, E., Ford, M.D., Keefe, K., Sanders, W.H., Muehrcke, C.: Model-based security metrics using adversary view security evaluation (advise). In: 2011 Eighth International Conference on Quantitative Evaluation of SysTems, pp. 191–200 (2011)
Nist, Aroms, E.: NIST SP 800-100 Information Security Handbook: A Guide for Managers. CreateSpace, Scotts Valley (2012)
Noel, S., Elder, M., Jajodia, S., Kalapa, P., O’Hare, S., Prole, K.: Advances in topological vulnerability analysis. In: 2009 Cybersecurity Applications Technology Conference for Homeland Security, pp. 124–129 (2009)
Noel, S., Wang, L., Singhal, A., Jajodia, S.: Measuring security risk of networks using attack graphs. IJNGC 1(1), 135–147 (2010)
Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, p. 336–345. Association for Computing Machinery, New York (2006). https://doi.org/10.1145/1180405.1180446
Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: Proceedings of the 14th Conference on USENIX Security Symposium, SSYM 2005, vol. 14, p. 8. USENIX Association, Berkeley (2005)
Pamula, J., Jajodia, S., Ammann, P., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP 2006, p. 31–38. Association for Computing Machinery, New York (2006). https://doi.org/10.1145/1179494.1179502
Sheyner, O., Wing, J.: Tools for generating and analyzing attack graphs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 344–371. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30101-1_17
Solms, S.V., Solms, R.V.: Information Security Governance. Springer, Boston (2009). https://doi.org/10.1007/978-0-387-79984-1
Wang, L., Jajodia, S., Singhal, A., Cheng, P., Noel, S.: k-zero day safety: a network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Secure Comput. 11(1), 30–44 (2014)
Wang, L., Albanese, M., Jajodia, S.: Network Hardening. SCS. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04612-9
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Angelini, M., Bonomi, S., Ciccotelli, C., Palma, A. (2021). Toward a Context-Aware Methodology for Information Security Governance Assessment Validation. In: Abie, H., et al. Cyber-Physical Security for Critical Infrastructures Protection. CPS4CIP 2020. Lecture Notes in Computer Science(), vol 12618. Springer, Cham. https://doi.org/10.1007/978-3-030-69781-5_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-69781-5_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-69780-8
Online ISBN: 978-3-030-69781-5
eBook Packages: Computer ScienceComputer Science (R0)