George Grispos,William Bradley Glisson,David Bourrie,Tim Storer,Stacy Miller

DOI: https://doi.org/10.48550/arXiv.1706.06818

2017-06-21

Cryptography and Security

Abstract:Reports and press releases highlight that security incidents continue to plague organizations. While researchers and practitioners' alike endeavor to identify and implement realistic security solutions to prevent incidents from occurring, the ability to initially identify a security incident is paramount when researching a security incident lifecycle. Hence, this research investigates the ability of employees in a Global Fortune 500 financial organization, through internal electronic surveys, to recognize and report security incidents to pursue a more holistic security posture. The research contribution is an initial insight into security incident perceptions by employees in the financial sector as well as serving as an initial guide for future security incident recognition and reporting initiatives.

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.48550/arXiv.1408.2431

2014-08-11

Cryptography and Security

Abstract:In today's globally networked environment, information security incidents can inflict staggering financial losses on organizations. Industry reports indicate that fundamental problems exist with the application of current linear plan-driven security incident response approaches being applied in many organizations. Researchers argue that traditional approaches value containment and eradication over incident learning. While previous security incident response research focused on best practice development, linear plan-driven approaches and the technical aspects of security incident response, very little research investigates the integration of agile principles and practices into the security incident response process. This paper proposes that the integration of disciplined agile principles and practices into the security incident response process is a practical solution to strengthening an organization's security incident response posture.

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.48550/arXiv.1901.03723

2019-01-12

Abstract:An increasing number of cybersecurity incidents prompts organizations to explore alternative security solutions, such as threat intelligence programs. For such programs to succeed, data needs to be collected, validated, and recorded in relevant datastores. One potential source supplying these datastores is an organization's security incident response team. However, researchers have argued that these teams focus more on eradication and recovery and less on providing feedback to enhance organizational security. This prompts the idea that data collected during security incident investigations may be of insufficient quality for threat intelligence analysis. While previous discussions focus on data quality issues from threat intelligence sharing perspectives, minimal research examines the data generated during incident response investigations. This paper presents the results of a case study identifying data quality challenges in a Fortune 500 organization's incident response team. Furthermore, the paper provides the foundation for future research regarding data quality concerns in security incident response.

Cryptography and Security,Computers and Society

Jonathan M. Spring,Phyllis Illari

DOI: https://doi.org/10.48550/arXiv.1903.10080

2019-03-25

Abstract:We review practical advice on decision-making during computer security incident response. Scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in explication and specification of decision-making during incident analysis.

Computers and Society,Cryptography and Security

WANG Chang-ji,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3321/j.issn:0529-6579.2005.z1.014

2005-01-01

Abstract:Security incidents are becoming more common and more serious with the flying development of Internet. There is an increasing need for taxonomy of incident to facilitate for incident reporting, incident handling, incident statistic, incident analysis and collaboration among Computer Security Incident Response Teams (CSIRT). The previous researches on the taxonomy of computer security incident are summarized firstly, the description method and taxonomy of security incident are then presented based on the formal model of network security and security incident.And two examples using the proposed taxonomy of security incident are given in the end.

Abdulaziz Gulay,Leandros Maglaras

2024-10-03

Abstract:The increasing frequency and sophistication of cybersecurity incidents pose significant challenges to organisations, highlighting the critical need for robust incident response capabilities. This paper explores a possible utilisation of IR CMMs assessments to systematically prioritise incidents based on their impact, severity, and the incident response capabilities of an organisation in specific areas associated with human and organisational factors. The findings reveal common weaknesses in incident response, such as inadequate training and poor communication, and highlight best practices, including regular training programs, clear communication protocols, and well-documented response procedures. The analysis also emphasises the importance of organisational culture in enhancing incident response capabilities. By addressing the gap in understanding how the output of IRM assessments can be immediately utilised to prioritise high-risk incidents, this paper contributes valuable insights to academia and practice, offering a structured approach to enhancing organisational resilience against cybersecurity threats.

Cryptography and Security

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Sabarathinam Chockalingam,Dina Hadziosmanovic,Wolter Pieters,Andre Teixeira,Pieter van Gelder

DOI: https://doi.org/10.48550/arXiv.1707.02140

2017-07-07

Abstract:Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.

Cryptography and Security

Sumanth Rao

2024-06-13

Abstract:Enterprises are constantly under attack from sophisticated adversaries. These adversaries use a variety of techniques to first gain access to the enterprise, then spread laterally inside its networks, establish persistence, and finally exfiltrate sensitive data, or hold it for ransom. While historically, enterprises have used different Incident Response systems that monitor hosts, servers, or network devices to detect and report threats, these systems often need many analysts to triage and respond to alerts. However, the immense quantity of alerts to sift through, combined with the potential risk of missing a valid threat makes the task of the analyst challenging. To ease this manual and laborious process, researchers have proposed a variety of systems that perform automated attack investigations. These systems collect data, track causally related events, and present the analyst with an interpretable summary of the attack. In this paper, we present a survey of systems that perform automated attack investigation, and compare them based on their designs, goals, and heuristics. We discuss the challenges faced by these systems, and present a comparison in terms of their effectiveness, practicality, and ability to address these challenges. We conclude by discussing the future of these systems, and the open problems in this area.

Cryptography and Security,Systems and Control

Pushpinder Kaur Chouhan,Alfie Beard,Liming Chen

DOI: https://doi.org/10.48550/arXiv.2303.03070

2023-03-06

Abstract:The rapid expansion of the Internet of Things and the emergence of edge computing-based applications has led to a new wave of cyber-attacks, with intensity and complexity that has never been seen before. Historically most research has focused on Intrusion Detection Systems (IDS), however due to the volume and speed of this new generation of cyber-attacks it is no longer sufficient to solely detect attacks and leave the response to security analysts. Consequently, research into Intrusion Response Systems (IRS) is accelerating rapidly. As such, new intrusion response approaches, methods and systems have been investigated, prototyped, and deployed. This paper is intended to provide a comprehensive review of the state of the art of IRSs. Specifically, a taxonomy to characterize the lifecycle of IRSs ranging from response selection to response deployment and response implementation is presented. A 10-phase structure to organize the core technical constituents of IRSs is also presented. Following this, an extensive review and analysis of the literature on IRSs published during the past decade is provided, and further classifies them into corresponding phases based on the proposed taxonomy and phase structure. This study provides a new way of classifying IRS research, thus offering in-depth insights into the latest discoveries and findings. In addition, through critical analysis and comparison, expert views, guidance and best practices on intrusion response approaches, system development and standardization are presented, upon which future research challenges and directions are postulated.

Cryptography and Security

Golnaz Elahi,Eric Yu,Tong Li,Lin Liu

DOI: https://doi.org/10.1109/compsac.2011.48

2011-01-01

Abstract:Various governmental or academic institutes survey current security trends, and report vulnerabilities, security breaches, and their costs. However, it is unclear whether (and how) practitioners analyze these vulnerabilities and attacks to arrive at security requirements and decide on security solutions. What modeling methods are used for eliciting, analyzing, and documenting security requirements in real-world practice? This paper intends to answer such questions through a survey of security requirements engineering practices. 374 software professionals from 237 International and Chinese firms participated in the survey. The results show businesses often try to consider security from early stages of the development life cycle, however, ultimately, security is left to be built into the system at the implementation phase. We observed that practitioners favour qualitative risk assessment rather than quantitative approaches, and this helps them consider more varieties of factors when comparing alternative security design solutions.

Joseph H. Schuessler

DOI: https://doi.org/10.1080/15536548.2013.10845676

2013-04-01

Journal of Information Privacy and Security

Abstract:Information Systems Security (ISS) is of major concern to not only network administrators, but also for managers of organizations for a variety of reasons including: the need for organizations to comply with various regulatory agencies, the reliance on information systems to provide the organizational backbone to the organization, and rising operational dependence on ecommerce to conduct daily business activities. These aspects create challenges for network managers who are tasked with balancing the needs of stakeholders with protection of sensitive information and valuable hardware. Despite ISS being largely a managerial issue, managerial concern for ISS is inadequate, evidenced by its consistently low ranking as a key issue in information systems management surveys. This research seeks to examine the current state of threats faced by organizations and the countermeasures they employ by examining prior research on the subject and comparing the results of that research to interview responses from “experts” in positions that required both a technical and managerial understanding of the threats and countermeasures faced and used respectively. Results suggest that, based on interview responses from experts, both threats and countermeasure responses have changed over time. Interpretation of the results will help systems administrators and network managers better understand modern threats and point towards potential remedies to mitigate the risk generated by such threats.

Mohammed Asiri,Neetesh Saxena,Rigel Gjomemo,Pete Burnap

DOI: https://doi.org/10.1145/3587255

2023-03-15

ACM Transactions on Cyber-Physical Systems

Abstract:Numerous sophisticated and nation-state attacks on Industrial Control Systems (ICSs) have increased in recent years, exemplified by Stuxnet and Ukrainian Power Grid. Measures to be taken post-incident are crucial to reduce damage, restore control, and identify attack actors involved. By monitoring Indicators of Compromise (IOCs), the incident responder can detect malicious activity triggers and respond quickly to a similar intrusion at an earlier stage. However, in order to implement IOCs in critical infrastructures, we need to understand their contexts and requirements. Unfortunately, there is no survey paper in the literature on IOC in the ICS environment and only limited information is provided in research articles. In this paper, we describe different standards for IOC representation and discuss the associated challenges that restrict security investigators from developing IOCs in the industrial sectors. We also discuss the potential IOCs against cyber-attacks in ICS systems. Furthermore, we conduct a critical analysis of existing works and available tools in this space. We evaluate the effectiveness of identified IOCs' by mapping these indicators to the most frequently targeted attacks in the ICS environment. Finally we highlight the lessons to be learnt from the literature and the future problems in the domain along with the approaches that might be taken.

Allan Cook,Helge Janicke,Richard Smith,Leandros Maglaras

DOI: https://doi.org/10.1016/j.cose.2017.07.009

2017-09-01

Abstract:The threat to Industrial Control Systems (ICS) from cyber attacks is widely acknowledged by governments and literature. Operators of ICS are looking to address these threats in an effective and cost-sensitive manner that does not expose their operations to additional risks through invasive testing. Whilst existing standards and guidelines offer comprehensive advice for reviewing the security of ICS infrastructure, resource and time limitations can lead to incomplete assessments or undesirably long countermeasure implementation schedules.In this paper we consider the problem of undertaking efficient cyber security risk assessments and implementing mitigations in large, established ICS operations for which a full security review cannot be implemented on a constrained timescale. The contribution is the Industrial Control System Cyber Defence Triage Process (ICS-CDTP). ICS-CDTP determines areas of priority where the impact of attacks is greatest, and where initial investment reduces the organisation's overall exposure swiftly. ICS-CDTP is designed to be a precursor to a wider, holistic review across the operation following established security management approaches. ICS-CDTP is a novel combination of the Diamond Model of Intrusion Analysis, the Mandiant Attack Lifecycle, and the CARVER Matrix, allowing for an effective triage of attack vectors and likely targets for a capable antagonist. ICS-CDTP identifies and focuses on key ICS processes and their exposure to cyber threats with the view to maintain critical operations. The article defines ICS-CDTP and exemplifies its application using a fictitious water treatment facility, and explains its evaluation as part of a large-scale serious game exercise.

computer science, information systems

Samuel Cris Ayo,Bonaventure Ngala,Olasunkanmi Amzat,Robin Lal Khoshi,Samarappulige Isuru Madusanka

DOI: https://doi.org/10.48550/arXiv.1812.04659

2018-12-12

Abstract:Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising and determining acceptable risks. From the analysis, it was deduced that human being posed the greatest Information security risk through intentional/ unintentional human error. In conclusion, effective control techniques based on defence in-depth were devised to mitigate the impact of the identified risks from risk register.

Computers and Society,Cryptography and Security

Huishan Song,Yanbin Yuan,Yuhe Wang,Jianbai Yang,Hang Luo,Shiming Li

DOI: https://doi.org/10.3390/s24227135

IF: 3.9

2024-11-07

Sensors

Abstract:With the rapid advancements in information technology and industrialization, the sustainability of industrial production has garnered significant attention. Industrial control systems (ICS), which encompass various facets of industrial production, are deeply integrated with the Internet, resulting in enhanced efficiency and quality. However, this integration also introduces challenges to the continuous operation of industrial processes. This paper presents a novel security assessment model for ICS, which is based on evidence-based reasoning and a library of belief rules. The model consolidates diverse information within ICS, enhancing the accuracy of assessments while addressing challenges such as uncertainty in ICS data. The proposed model employs evidential reasoning (ER) to fuse various influencing factors and derive security assessment values. Subsequently, a belief rule base is used to construct an assessment framework, grounded in expert-defined initial parameters. To mitigate the potential unreliability of expert knowledge, the chaotic mapping adaptive whale optimization algorithm is incorporated to enhance the model's accuracy in assessing the security posture of industrial control networks. Finally, the model's effectiveness in security assessment was validated through experimental results. Comparative analysis with other assessment models demonstrates that the proposed model exhibits superior performance in ICS security assessment.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Arthur-Jozsef Molnar,Jürgen Großmann

DOI: https://doi.org/10.48550/arXiv.1702.08006

2017-02-26

Cryptography and Security

Abstract:Complex networked systems are an integral part of today's support infrastructures. Due to their importance, these systems become more and more the target for cyber-attacks, suffering a notable number of security incidents. Also, they are subject to regulation by national and international legislation. An operator of such an infrastructure or system is responsible for ensuring its security and correct functioning in order to satisfy customers. In addition, the entire process of risk and quality control needs to be efficient and manageable. This short paper introduces the Compliance, Risk Assessment and Security Testing Improvement Profiling (CRSTIP) scheme. CRSTIP is an evaluation scheme that enables assessing the maturity of security assessment processes, taking into consideration systematic use of formalisms, integration and tool-support in the areas of compliance assessment, security risk assessment and security testing. The paper describes the elements of the scheme and their application to one of the case studies of the RASEN research project.

Florence Sèdes

2024-06-17

Abstract:Major transformations related to information technologies affect InformationSystems (IS) that support the business processes of organizations and their actors. Deployment in a complex environment involving sensitive, massive and heterogeneous data generates risks with legal, social and financial impacts. This context of transition and openness makes the security of these IS central to the concerns of organizations. The digitization of all processes and the opening to IoT devices (Internet of Things) has fostered the emergence of a new formof crime, i.e. cybercrime.This generic term covers a number of malicious acts, the majority of which are now perpetrated using social engineering strategies, a phenomenon enabling a combined exploitation of ``human'' vulnerabilities and digital tools. The maliciousness of such attacks lies in the fact that they turn users into facilitators of cyber-attacks, to the point of being perceived as the ``weak link'' of <a class="link-external link-http" href="http://cybersecurity.As" rel="external noopener nofollow">this http URL</a> deployment policies prove insufficient, it is necessary to think about upstream steps: knowing how to anticipate, identifying weak signals and outliers, detect early and react quickly to computer crime are therefore priority issues requiring a prevention and cooperation <a class="link-external link-http" href="http://approach.In" rel="external noopener nofollow">this http URL</a> this overview, we propose a synthesis of literature and professional practices on this subject.

Cryptography and Security,Databases

Mazen Mohamad,Jan-Philipp Steghöfer,Riccardo Scandariato

DOI: https://doi.org/10.48550/arXiv.2003.14151

2020-03-31

Abstract:Security Assurance Cases (SAC) are a form of structured argumentation used to reason about the security properties of a system. After the successful adoption of assurance cases for safety, SACs are getting significant traction in recent years, especially in safety-critical industries (e.g., automotive), where there is an increasing pressure to be compliant with several security standards and regulations. Accordingly, research in the field of SAC has flourished in the past decade, with different approaches being investigated. In an effort to systematize this active field of research, we conducted a systematic literature review (SLR) of the existing academic studies on SAC. Our review resulted in an in-depth analysis and comparison of 51 papers. Our results indicate that, while there are numerous papers discussing the importance of security assurance cases and their usage scenarios, the literature is still immature with respect to concrete support for practitioners on how to build and maintain a SAC. More importantly, even though some methodologies are available, their validation and tool support is still lacking.

Software Engineering