Abstract
Mission assurance policy and risk management are essential in enabling decision makers to ensure successful completion of missions by addressing the security status of cyber assets. This paper presents a novel mission assurance policy that adapts to the dynamic security status of all mission assets to quickly and automatically determine mission assurance level and to decide what changes are needed accordingly. The novelty of this mission assurance policy stems from using a time Petri net model for determining the security status of cyber assets, and then employing binary or multi-valued logic decision diagrams to assess the mission assurance level. The ability of a mission assurance policy to successfully complete its objectives depends mainly on whether a risk management scheme is provided to reduce risk to an acceptable level. To that end, this paper also describes a risk management scheme to systematically deal with the main factors of risk management such as the temporal interdependencies of cyber assets, impact of attacks, and risk mitigation. Given that the status of cyber assets changes due to the dynamic cybersecurity environment of asset vulnerabilities, threats, and recovery, the proposed mission assurance policy and risk management scheme enable decision makers to cope with the real-time assessment of mission assurance level.
Cite this article
Cam, H., Mouallem, P. Mission assurance policy and risk management in cybersecurity. Environ Syst Decis 33, 500–507 (2013). https://doi.org/10.1007/s10669-013-9468-z
DOI: https://doi.org/10.1007/s10669-013-9468-z