Journal ArticleDOI

Review of cybersecurity assessment methods: Applicability perspective

01 Sep 2021-Computers & Security (Elsevier Advanced Technology)-Vol. 108, pp 102376
TL;DR: This research comprehensively identifies and analyses the cybersecurity assessment methods described in the scientific literature, to support researchers and practitioners in choosing the method to apply in their assessments and to indicate the areas that can be further explored.
Abstract: Cybersecurity assessments are crucial in building the assurance that vital cyberassets are effectively protected from threats. Multiple assessment methods have been proposed during the decades of the cybersecurity field. However, a systematic literature search described in this paper reveals that their reviews are practically missing. Thus, the primary objective of this research was to fulfil this gap by comprehensively identifying and analysing cybersecurity assessment methods described in the scientific literature. A structured research method and transparent criteria were applied for this purpose. As a result, thirty-two methods are presented in this paper. Particular attention is paid to the question of the methods’ applicability in realistic contexts and environments. In that regard, the challenges and limitations associated with the methods’ application as well as potential approaches to addressing them have been indicated. Besides, the paper systematises the terminology and indicates complementary studies which can be helpful during assessments. Finally, the areas that leave space for improvement and directions for further research and development are indicated. The intention is to support researchers and practitioners in choosing the method to be applied in their assessments and to indicate the areas that can be further explored.
Citations
Journal ArticleDOI
TL;DR: A ranking of the proposed three groups of measures, seven dimensions and twenty criteria to be implemented in companies to ensure cybersecurity in Industry 4.0 and facilitate the implementation of the sustainable production principles was indicated.
Abstract: IT technologies related to Industry 4.0 facilitate the implementation of the framework for sustainable manufacturing. At the same time, Industry 4.0 integrates IT processes and systems of production companies with IT solutions of cooperating companies that support a complete manufactured product life cycle. Thus, the implementation of sustainable manufacturing implies a rapid increase in interfaces between IT solutions of cooperating companies. This, in turn, raises concerns about security among manufacturing company executives. The lack of a recognized methodology supporting the decision-making process of choosing the right methods and means of cybersecurity is, in effect, a significant barrier to the development of sustainable manufacturing. As a result, the propagation of technologies in Industry 4.0 and the implementation of the sustainable manufacturing framework in companies are slowing down significantly. The main novelty of this article, addressing the above deficiencies, is the creation, using the combined DEMATEL and ANP (DANP) and PROMETHEE II methods, of a ranking of the proposed three groups of measures, seven dimensions and twenty criteria to be implemented in companies to ensure cybersecurity in Industry 4.0 and facilitate the implementation of the sustainable production principles. The contribution of Industry 4.0 components and the proposed cybersecurity scheme to achieve the Sustainable Development goals, reducing the carbon footprint of companies and introducing circular economy elements was also indicated. Using DANP and PROMETHEE II, it can be concluded that: (i) the major criterion of cybersecurity in companies is validation and maintaining electronic signatures and seals; (ii) the most crucial area of cybersecurity is network security; (iii) the most significant group of measures in this regard are technological measures.

14 citations

Journal ArticleDOI
TL;DR: In this article, the authors proposed a hyperchaos-based reconfigurable platform for real-time securing of communicating embedded systems interconnected in networks according to the Internet of Things (IoT) standards.
Abstract: The ultimate focus of this paper is to provide a hyperchaos-based reconfigurable platform for the real-time securing of communicating embedded systems interconnected in networks according to the Internet of Things (IoT) standards. The proposed platform’s Register Transfer Level (RTL) architecture is entirely developed and designed from scratch using the VHSIC Hardware Description Language (VHDL). The original idea consists of exploiting the nonlinearity of a discretized and optimized 4D Lorenz hyperchaotic system as an encryption keystream generator in a symmetric cryptosystem to secure wireless communicating embedded systems and adapted to the UDP/IP protocol. It was necessary to go through three essential steps to achieve this goal. First, a lightweight and energy-efficient hyperchaos-based encryption IP core is designed, implemented on an FPGA circuit and dedicated to IoT device security, denoted Hyperchaotic-based IoT Device Security Core (HC-IoT-DSC). The designed encryption IP core combines three subsystems: a multiple key size hyperchaotic key generator (HC-KG), a hyperchaotic synchronization by dynamic feedback modulation technique (HCS-DFM), and an online FIPS 140-2-based built-in self-security test (BISST) module. Second, a secure UDP/IP stack is totally implemented using the VHDL language. Third, the proposed architecture was integrated into real-world and real-time secure wireless communication at a distance of 2 km between two delocalized network nodes employing the Xilinx ML605 FPGA platform and the ZigBee E800-DTU module. A panoply of online/offline investigations and experiments were carried out intensely, deeply, and thoroughly to analyze, evaluate and validate the robustness and security aspects of the proposed scheme regarding all the aspects related to embedded system security. Notably, the evaluations were conducted in two phases for all the platform components before and after integrating the proposed security core in real-time wireless communication. The investigations and implementation findings validate that the proposed architecture can attain good performances, and confirm the feasibility of the adopted approach for IoT applications. Furthermore, the timing and power efficiency results present an excellent trade-off between design performance and high-security achievement.

5 citations

01 Jan 2012
TL;DR: The aim is to implement a reconciliation engine for identifying the various critical vulnerabilities and a metric system for identifying the overall impact of the vulnerabilities in that network.
Abstract: Vulnerability reconciliation is the process that analyses the output produced by one or more vulnerability scanners and provides a more succinct and high-level view of vulnerabilities and their overall impact factor in the network. Here the attack graph method is used for predicting the various ways of penetrating a network to reach its critical assets. In particular, automated analysis of network configuration and attacker exploits provides an attack graph showing all possible paths to critical assets. The aim is to implement a reconciliation engine for identifying the various critical vulnerabilities and a metric system for identifying the overall impact of the vulnerabilities in that network. The reconciliation process is done by analysing the results obtained from different vulnerability scanners and combining them. As part of this, vulnerability tools from commercial off-the-shelf (COTS), government off-the-shelf (GOTS), and research laboratory sources were selected. The automatic extraction of vulnerability information for attack graph prediction is analysed. Vulnerability information describes what is required for a vulnerability to be exploited and what the after-effects of that exploitation are. A data structure is analysed which is able to represent the pre- and post-conditions of each vulnerability. The combined risk assessment provides a readily comprehensible picture of the risk posture, assisting the analyst in the definition of an acceptable risk posture for an operational system or preliminary system design. We would be finding a metric value for denoting the overall vulnerability of the network after analysing critical vulnerabilities.

3 citations

Journal ArticleDOI
TL;DR: In this article, the authors investigated how consumer trust in crypto-payment, a key determinant of consumer intentions and relational exchanges over the long term, is formed based on their perceptions towards privacy and security aspects of the technology.
Abstract: The ever-increasing acceptance of cryptocurrencies has fueled applications beyond investment purposes. Crypto-payment is one such application that can bring radical changes to financial transactions in many industries, particularly e-commerce and online retail. However, characteristics of the technology such as transaction disintermediation, lack of central authority, and lack of adequate regulations may introduce new privacy and security concerns among the users. This coincides with another trend of rising individuals’ concerns pertaining to information privacy and security issues in online transactions. The current paper investigates how consumer trust in crypto-payment, a key determinant of consumer intentions and relational exchanges over the long-term, is formed based on their perceptions towards privacy and security aspects of the technology. Using data from 327 survey participants, the study found that perceived information privacy risk, perceived anonymity, and perceived traceability of transactions are significant determinants of consumer trust in crypto-payment; but their perceptions of information security fraud risk have no significant effect. It also provided support for the hypothesis that perceived trust contributes to consumers’ intention to adopt crypto-payment. The findings highlight the need to enhance consumer understanding and awareness of information privacy and potential security issues in crypto-payment as well as what needs to be done to address consumer concerns in this regard. The paper creates novel insights into the requirements of trust in crypto-payment services and the consequences of consumers’ perceptions of privacy and security in this domain.

2 citations

References
Journal Article
TL;DR: A review of prior, relevant literature is an essential feature of any academic project that facilitates theory development, closes areas where a plethora of research exists, and uncovers areas where research is needed.
Abstract: A review of prior, relevant literature is an essential feature of any academic project. An effective review creates a firm foundation for advancing knowledge. It facilitates theory development, closes areas where a plethora of research exists, and uncovers areas where research is needed.

6,406 citations

Journal ArticleDOI
TL;DR: The capability maturity model (CMM), developed to present sets of recommended practices in a number of key process areas that have been shown to enhance software-development and maintenance capability, is discussed.
Abstract: The capability maturity model (CMM), developed to present sets of recommended practices in a number of key process areas that have been shown to enhance software-development and maintenance capability, is discussed. The CMM was designed to help developers select process-improvement strategies by determining their current process maturity and identifying the issues most critical to improving their software quality and process. The initial release of the CMM, version 1.0, was reviewed and used by the software community during 1991 and 1992. A workshop on CMM 1.0, held in April 1992, was attended by about 200 software professionals. The current version of the CMM is the result of the feedback from that workshop and ongoing feedback from the software community. The technical report that describes version 1.1 is summarised.

1,179 citations

Journal ArticleDOI
TL;DR: A systematic review of papers reporting experiences of undertaking SRs and/or discussing techniques that could be used to improve the SR process recommended removing advice to use structured questions to construct search strings and including advice to use a quasi-gold standard based on a limited manual search to assist the construction of search strings and evaluation of the search process.
Abstract: Context: Many researchers adopting systematic reviews (SRs) have also published papers discussing problems with the SR methodology and suggestions for improving it. Since guidelines for SRs in software engineering (SE) were last updated in 2007, we believe it is time to investigate whether the guidelines need to be amended in the light of recent research. Objective: To identify, evaluate and synthesize research published by software engineering researchers concerning their experiences of performing SRs and their proposals for improving the SR process. Method: We undertook a systematic review of papers reporting experiences of undertaking SRs and/or discussing techniques that could be used to improve the SR process. Studies were classified with respect to the stage in the SR process they addressed, whether they related to education or problems faced by novices and whether they proposed the use of textual analysis tools. Results: We identified 68 papers reporting 63 unique studies published in SE conferences and journals between 2005 and mid-2012. The most common criticisms of SRs were that they take a long time, that SE digital libraries are not appropriate for broad literature searches and that assessing the quality of empirical studies of different types is difficult. Conclusion: We recommend removing advice to use structured questions to construct search strings and including advice to use a quasi-gold standard based on a limited manual search to assist the construction of search strings and evaluation of the search process. Textual analysis tools are likely to be useful for inclusion/exclusion decisions and search string construction but require more stringent evaluation. SE researchers would benefit from tools to manage the SR process but existing tools need independent validation. Quality assessment of studies using a variety of empirical methods remains a major problem.

623 citations

Journal ArticleDOI
TL;DR: Over the last 15–20 years the authors have seen a shift from rather narrow perspectives based on probabilities to ways of thinking which highlight events, consequences and uncertainties, however, some of the more narrow perspectives are still strongly influencing the risk field, although arguments can be provided against their use.
Abstract: This paper reviews the definition and meaning of the concept of risk. The review has a historical and development trend perspective, also covering recent years. It is questioned if, and to what extent, it is possible to identify some underlying patterns in the way risk has been, and is being understood today. The analysis is based on a new categorisation of risk definitions and an assessment of these categories in relation to a set of critical issues, including how these risk definitions match typical daily-life phrases about risk. The paper presents a set of constructed development paths for the risk concept and concludes that over the last 15–20 years we have seen a shift from rather narrow perspectives based on probabilities to ways of thinking which highlight events, consequences and uncertainties. However, some of the more narrow perspectives (like expected values and probability-based perspectives) are still strongly influencing the risk field, although arguments can be provided against their use. The implications of this situation for risk assessment and risk management are also discussed.

479 citations

Book ChapterDOI
TL;DR: An extended DSR evaluation framework together with a DSR evaluation design method that can guide DSR researchers in choosing an appropriate strategy for evaluation of the design artifacts and design theories that form the output from DSR are proposed.
Abstract: Evaluation is a central and essential activity in conducting rigorous Design Science Research (DSR), yet there is surprisingly little guidance about designing the DSR evaluation activity beyond suggesting possible methods that could be used for evaluation. This paper extends the notable exception of the existing framework of Pries-Heje et al [11] to address this problem. The paper proposes an extended DSR evaluation framework together with a DSR evaluation design method that can guide DSR researchers in choosing an appropriate strategy for evaluation of the design artifacts and design theories that form the output from DSR. The extended DSR evaluation framework asks the DSR researcher to consider (as input to the choice of the DSR evaluation strategy) contextual factors of goals, conditions, and constraints on the DSR evaluation, e.g. the type and level of desired rigor, the type of artifact, the need to support formative development of the designed artifacts, the properties of the artifact to be evaluated, and the constraints on resources available, such as time, labor, facilities, expertise, and access to research subjects. The framework and method support matching these in the first instance to one or more DSR evaluation strategies, including the choice of ex ante (prior to artifact construction) versus ex post evaluation (after artifact construction) and naturalistic (e.g., field setting) versus artificial evaluation (e.g., laboratory setting). Based on the recommended evaluation strategy(ies), guidance is provided concerning what methodologies might be appropriate within the chosen strategy(ies).

462 citations

Trending Questions
What are the most effective cybersecurity assessment methods?

The paper does not provide information about the most effective cybersecurity assessment methods.

What can you tell me about security reviews in cybersecurity?

This paper reviews cybersecurity assessment methods, their applicability, challenges, and potential approaches to addressing them.

What are the gaps in security reviews in cybersecurity?

The gaps in security reviews in cybersecurity include the lack of comprehensive reviews of assessment methods and the need for more research and development in certain areas.