Abstract
The second part of the book focuses on approaches to the assessment and analysis of cyber resilience. Having discussed, in the previous two chapters, perspectives on quantifying cyber resilience, we now present several chapters that assemble qualitative and quantitative inputs for a broad range of metrics that might apply to cyber resilience. Some of these approaches (e.g., most of this chapter and the next one) are largely qualitative and based on human review and judgment of pertinent aspects of systems, organizations, and processes. Others are based on quantitative and often theoretically rigorous modeling and simulation of systems, networks, and processes.
The purpose of this chapter is to outline best practices in an array of areas related to cyber resilience. While by no means offering an exhaustive list of best practices, the chapter gives an organization a means to “see what works” at other organizations. It offers these best practices within existing frameworks related to dimensions of cyber resilience. The chapter begins with a discussion of several existing frameworks and guidelines that can be used to think about cyber resilience. Then, the chapter describes a set of “best practices” based on a selection of metrics from these frameworks. These best practices can serve an organization as a guide to implementing specific policies that would improve its cyber resilience.
Notes
1. Linkov, I., Eisenberg, D. A., Plourde, K., Seager, T. P., Allen, J., & Kott, A. (2013). Resilience Metrics for Cyber Systems. Environment Systems and Decisions, 33(4), 471.
2. National Research Council. (2012). Disaster Resilience: A National Imperative. The National Academies Press. Retrieved from http://nap.edu/13457
3. Alberts, D. (2002). Information age transformation, getting to a twenty-first century military. DOD Command and Control Research Program. Retrieved from http://www.dtic.mil/get-tr-doc/pdf?AD=ADA457904
4. National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
5. Ibid.
6. Pfeiffer, M. (2015). Managing Technology Risks Through Technological Proficiency. Retrieved from http://blousteinlocal.rutgers.edu/managing-technology-risk/
7. Ibid.
8. We used our best judgment to place the NIST metrics in the appropriate cell.
9. Wind River. (2015). Security in the Internet of Things: Lessons from the Past for the Connected Future. Page 4. Retrieved from http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf
10. Ibid.
11. Ibid.
12. U.S. Department of Homeland Security. Cybersecurity & Privacy. Retrieved from https://www.dhs.gov/sites/default/files/publications/privacy_cyber_0.pdf
13. Contos, B. (2015). Cyber Security Culture Is A Collective Effort. Retrieved from http://www.csoonline.com/article/2977014/security-awareness/cyber-security-culture-is-a-collective-effort.html
14. Ibid.
15. How to Create A Cyber Security Culture + Employee Security Awareness. Retrieved from http://www.hedgeco.net/blogs/2016/03/11/cybersecurity-plans/
16. The Financial Industry Regulatory Authority. (2015). Report on Cybersecurity Practices. Retrieved from https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf
17. Ibid.
18. Ibid.
19. Ibid.
20. Ibid.
21. Ibid.
22. FitzGerald, B., & Sander, A. (2015). Opinion: Cybersecurity Collaboration Needs A Toolkit. So We Built A Prototype. Retrieved from http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/1204/Opinion-Cybersecurity-collaboration-needs-a-toolkit.-So-we-built-a-prototype
23. Pielocik, M. (2004). Social Engineering: The Friendly Hacker. Page 12. SANS Institute. Retrieved from https://www.giac.org/paper/gsec/3792/social-engineering-the-friendly-hacker/106104
24. Proffitt, T. (2007). Creating and Managing an Incident Response Team for a Large Company. Page 15. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/incident/creating-managing-incident-response-team-large-company-1821
25. Brown, M. J., Stikvoort, D., Kossakowski, K., Killcrece, G., Ruefle, R., & Zajicek, M. (2003). Handbook for Computer Security Incident Response Teams (CSIRTs). Retrieved from http://repository.cmu.edu/cgi/viewcontent.cgi?article=1570&context=sei
26. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
27. Helms, M. M. Best Practices for Protecting Employee Data in the Age of Cybersecurity Issues. Retrieved from http://hrprofessionalsmagazine.com/best-practices-for-protecting-employee-data-in-the-age-of-cybersecurity-issues/
28. SANS Institute. (2015). SANS Securing The Human 2015 Security Awareness Report. Retrieved from https://securingthehuman.sans.org/media/resources/STH-SecurityAwarenessReport-2015.pdf
29. NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf?n=44819
30. PricewaterhouseCoopers. The Global State of Information Security Survey 2016. Retrieved from http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
31. Faughnder, R., & Hamedy, S. (2014). Sony insider – not North Korea – likely involved in hack, experts say. Retrieved from http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-inside-job-not-north-korea-20141231-story.html
32. Linkov, I., Poinsatte-Jones, K., Trump, B., Ganin, A., & Kepner, J. (2017). Cyber Risk and Resilience: Rules and Regulations to Minimize Cyber Threats. In A. Kott and I. Linkov (Eds). Cyber Resilience (pp. 198–217). Springer.
33. Krocker, G. W. (2002). Disaster Recovery Plan Testing: Cycle the Plan, Plan the Cycle. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-testing-cycle-plan-plan-cycle-56
34. Ibid. Page 4.
35. Ibid.
36. There are several chapters in this book that address narrower aspects of structures and components. For more information about analysis of cyber-physical systems, see Karsai, G., Koutsoukos, X., Neema, H., Volgyesi, P., and Sztipanovits, J. Simulation-Based Analysis of Cyber Resilience in Cyber-Physical Systems. In A. Kott and I. Linkov (Eds). Cyber Resilience (pp. 130–148). Springer. For more information on assessing cyber dependencies, see Evans, N. Assessing Cyber Resilience: Cyber Dependencies. In A. Kott and I. Linkov (Eds). Cyber Resilience (pp. 130–148). Springer.
37. Rush, G. D. (2015). Cyber Security Research Frameworks for Coevolutionary Networks Defense. Retrieved from http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-15-29293
38. Paquet, C. (2013). Network Security Concepts and Policies. Cisco. Retrieved from http://www.ciscopress.com/articles/article.asp?p=1998559
39. Ibid.
40. CISCO. (2015). Network Security Policy: Best Practices White Paper. Retrieved from http://www.cisco.com/c/en/us/support/docs/availability/high-availability/13601-secpol.html
41. Security Magazine. (2016). Majority of Businesses Lack Resources to Manage External Cyber Attacks. Retrieved from http://www.securitymagazine.com/articles/87267-majority-of-businesses-lack-resources-to-manage-external-cyber-attacks
42. SANS Institute. (2016). Data Breach Response Policy. Retrieved from https://www.sans.org/security-resources/policies/general/pdf/data-breach-response
43. Bromiley, M. (2016). Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047
44. SANS Institute. Incident Detection FAQs: What are the steps to handle an incident? Retrieved from https://www.sans.org/security-resources/idfaq/what-are-the-steps-to-handle-an-incident/5/1
45. CISCO. (2015). Network Security Policy: Best Practices White Paper. Retrieved from http://www.cisco.com/c/en/us/support/docs/availability/high-availability/13601-secpol.html
46. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
47. Ibid.
48. Ibid.
49. Ibid.
50. Ibid.
51. Cybenko, G. (2017). Metrics of Cyber Resilience. In A. Kott and I. Linkov (Eds). Cyber Resilience (pp. 26–38). Springer.
52. Bankrate. 11 data breaches that stung US consumers. Retrieved from http://www.bankrate.com/finance/banking/us-data-breaches-1.aspx
53. SANS Institute. (2015). Cleaning Up After a Breach, Post-Breach Impact: A Cost Compendium. Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/cleaning-breach-post-breach-impact-cost-compendium-36517
54. Federal Financial Institutions Examination Council. Reputation Risk. IT Examination Handbook Infobase. Retrieved from http://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/retail-payment-systems-risk-management/reputation-risk.aspx
55. Office of Personnel Management. (2015). Cyber Security Resource Center. Retrieved from https://www.opm.gov/cybersecurity/
56. See https://www.dhs.gov/ciscp for more details.
57. Cyber Threat Intelligence Network. Resources for Information Sharing and Analysis Organizations. Retrieved from http://ctin.us/site/isaos/
58. The Nextware Sessions. Retrieved from http://www.nextwaresessions.org
59. Ponemon Institute. (2016). 2016 Cost of Cyber Crime Study & the Risk of Business Innovation. Retrieved from http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/
Acknowledgments
This work was derived from a project that originated with a partnership between the Edward J. Bloustein School for Planning and Public Policy and the World Economic Forum (WEF). We would like to thank the WEF. We would also like to thank Daniel Horner and Zilong Liu who contributed research to this report. We also want to thank the editors of this volume for their support in writing this chapter and their helpful suggestions.
© 2019 Springer International Publishing AG, part of Springer Nature
Keys, B., Shapiro, S. (2019). Frameworks and Best Practices. In: Kott, A., Linkov, I. (eds) Cyber Resilience of Systems and Networks. Risk, Systems and Decisions. Springer, Cham. https://doi.org/10.1007/978-3-319-77492-3_4
DOI: https://doi.org/10.1007/978-3-319-77492-3_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-77491-6
Online ISBN: 978-3-319-77492-3
eBook Packages: Engineering (R0)