
Frameworks and Best Practices

  • Chapter in: Cyber Resilience of Systems and Networks

Part of the book series: Risk, Systems and Decisions ((RSD))

Abstract

The second part of the book focuses on approaches to the assessment and analysis of cyber resilience. Having discussed, in the previous two chapters, perspectives on quantifying cyber resilience, we now present several chapters that assemble qualitative and quantitative inputs for a broad range of metrics that might apply to cyber resilience. Some of these approaches (e.g., most of this chapter and the next one) are largely qualitative and based on human review and judgment of pertinent aspects of systems, organizations, and processes. Others are based on quantitative and often theoretically rigorous modeling and simulation of systems, networks, and processes.

The purpose of this chapter is to outline best practices in an array of areas related to cyber resilience. While by no means offering an exhaustive list of best practices, the chapter provides an organization with a means to "see what works" at other organizations. It offers these best practices within existing frameworks related to the dimensions of cyber resilience. The chapter begins with a discussion of several existing frameworks and guidelines that can be used to think about cyber resilience. It then describes a set of "best practices" based on a selection of metrics from these frameworks. These best practices can guide an organization in implementing specific policies that would improve its cyber resilience.



Acknowledgments

This work was derived from a project that originated with a partnership between the Edward J. Bloustein School for Planning and Public Policy and the World Economic Forum (WEF). We would like to thank the WEF. We would also like to thank Daniel Horner and Zilong Liu who contributed research to this report. We also want to thank the editors of this volume for their support in writing this chapter and their helpful suggestions.

Author information

Correspondence to Stuart Shapiro .


Copyright information

© 2019 Springer International Publishing AG, part of Springer Nature

About this chapter


Cite this chapter

Keys, B., Shapiro, S. (2019). Frameworks and Best Practices. In: Kott, A., Linkov, I. (eds) Cyber Resilience of Systems and Networks. Risk, Systems and Decisions. Springer, Cham. https://doi.org/10.1007/978-3-319-77492-3_4

  • DOI: https://doi.org/10.1007/978-3-319-77492-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-77491-6

  • Online ISBN: 978-3-319-77492-3

  • eBook Packages: Engineering (R0)