Abstract
The identification and assessment of risks are a fundamental part of cybersecurity. Identifying the elements involved is difficult because there is no single, agreed approach to cybersecurity. This paper proposes a framework for identifying and assessing cybersecurity risks. To build it, a systematic review of studies on cybersecurity risk taxonomies was carried out, and the main elements of the proposed conceptual model and framework were determined by applying the snowball technique. To validate the framework, a case study was carried out at the Ecuadorian Social Security Institute. The first task was to consolidate the available information into a baseline; once the baseline was obtained, the framework was applied to it. As a result, using the proposed framework improved decision-making about the importance and criticality of the identified risks and of the countermeasures to be applied.
Cite this article
Rea-Guaman, A.M., Mejía, J., San Feliu, T. et al. AVARCIBER: a framework for assessing cybersecurity risks. Cluster Comput 23, 1827–1843 (2020). https://doi.org/10.1007/s10586-019-03034-9