An integrated cyber security risk management framework and risk predication for the critical infrastructure protection

  • S.I. : LSNC & OUAI
Neural Computing and Applications

Abstract

Cyber security risk management plays an important role for today’s businesses due to the rapidly changing threat landscape and the existence of evolving sophisticated cyber attacks. It is necessary for organisations of any size, but in particular those that are associated with a critical infrastructure, to understand the risks, so that suitable controls can be taken for the overall business continuity and critical service delivery. There are a number of works that aim to develop systematic processes for risk assessment and management. However, the existing works have limited input from threat intelligence properties and evolving attack trends, resulting in limited contextual information related to cyber security risks. This creates a challenge, especially in the context of critical infrastructures, since attacks have evolved from technical to socio-technical and protecting against them requires such contextual information. This research proposes a novel integrated cyber security risk management (i-CSRM) framework that responds to that challenge by supporting systematic identification of critical assets through the use of a decision support mechanism built on fuzzy set theory, by predicting risk types through machine learning techniques, and by assessing the effectiveness of existing controls. The framework is composed of a language and a process, and it is supported by an automated tool. The paper also reports on the evaluation of our work through a real case study of a critical infrastructure. The results reveal that, by using fuzzy set theory to assess each asset's criticality, our work supports stakeholders towards effective risk management. Furthermore, the results have demonstrated the machine learning classifiers’ exemplary performance in predicting different risk types, including denial of service, cyber espionage and crimeware.

Acknowledgements

This work was partially supported by the AI4HEALTHSEC EU project, funded from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 883273 and Cybersane project with grant agreement No 833683.

Author information

Corresponding author

Correspondence to Shareeful Islam.

Ethics declarations

Conflict of interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Kure, H.I., Islam, S. & Mouratidis, H. An integrated cyber security risk management framework and risk predication for the critical infrastructure protection. Neural Comput & Applic 34, 15241–15271 (2022). https://doi.org/10.1007/s00521-022-06959-2

  • DOI: https://doi.org/10.1007/s00521-022-06959-2
