Issam Taqafi,Yassine Maleh,Karim Ouazzane

DOI: https://doi.org/10.1080/07366981.2023.2159047

2022-12-30

EDPACS

Abstract:Owning a Security Operation Center (SOC) is becoming increasingly common for organizations as part of their cybersecurity strategy to ensure near-real-time detection and adequately respond to cyber-attack engaging the SOC's humans, technology, and processes. However, SOC investments only sometimes achieve the best possible outcomes and only provide an acceptable protection level in some cases due to the challenges related to the technologies, processes and especially the human factor. This paper proposes a new practical maturity framework for Security Operation Center. This will serve as a roadmap for IT auditors and security experts when they evaluate the maturity of a security operation center in terms of safeguarding the assets of the company, its partners, and its clients.

WU Chao,LIN Jiajun,TANG Siliang,YU Ling,LIU Peitao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.11.027

2005-01-01

Abstract:The capable maturity model of military communication software (MCS-CMM) is studied and developed, to overcome the use of CMM for the software engineering management of the military communication equipments for the purpose of dealing with the three key basic problems necessary to be solved. The three key problems include: (1) the application of CMM in a system of quality management built on the basis of ISO9001; (2) the use of combination of CMM in the practical use of military communication equipments; (3) the use of CMM in the small or medium enterprises and in the small or short period projects.

Cyril Onwubiko,Karim Ouazzane

DOI: https://doi.org/10.22619/IJCSA.2019.100124

2022-02-08

Abstract:The increasing dependency of modern society on IT systems and infrastructures for essential services (e.g. internet banking, vehicular network, health-IT, etc.) coupled with the growing number of cyber incidents and security vulnerabilities have made Cyber Security Operations Centre (CSOC) undoubtedly vital. As such security operations monitoring is now an integral part of most business operations. SOCs (used interchangeably as CSOCs) are responsible for continuously and protectively monitoring business services, IT systems and infrastructures to identify vulnerabilities, detect cyber-attacks, security breaches, policy violations, and to respond to cyber incidents swiftly. They must also ensure that security events and alerts are triaged and analysed, while coordinating and managing cyber incidents to resolution. Because SOCs are vital, it is also necessary that SOCs are effective. But unfortunately, the effectiveness of SOCs are a widespread concern and a focus of boundless debate. In this paper, we identify and discuss some of the pertinent challenges to building an effective SOC. We investigate some of the factors contributing to the inefficiencies in SOCs and explain some of the challenges they face. Further, we provide and prioritise recommendations to addressing the identified issues.

Cryptography and Security,Social and Information Networks

Bilge Yigit Ozkan,Marco Spruit

DOI: https://doi.org/10.48550/arXiv.2007.01751

2020-07-03

Cryptography and Security

Abstract:SMEs constitute a very large part of the economy in every country and they play an important role in economic growth and social development. SMEs are frequent targets of cybersecurity attacks similar to large enterprises. However, unlike large enterprises, SMEs mostly have limited capabilities regarding cybersecurity practices. Given the increasing cybersecurity risks and the large impact that the risks may bring to the SMEs, assessing and improving the cybersecurity capabilities is crucial for SMEs for sustainability. This research aims to provide an approach for SMEs for assessing and improving their cybersecurity capabilities by integrating key elements from existing industry standards.

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Vahid Garousi,Seyfettin Arkan,Gökhan Urul,Çağrı Murat Karapıçak,Michael Felderer

DOI: https://doi.org/10.48550/arXiv.2005.12570

2020-05-26

Software Engineering

Abstract:Context: While many companies conduct their software testing activities in-house, many other companies outsource their software testing needs to other firms who act as software testing service providers. As a result, Testing as a Service (TaaS) has emerged as a strong service industry in the last several decades. In the context of software testing services, there could be various challenges (e.g., during the planning and service delivery phases) and, as a result, the quality of testing services is not always as expected. Objective: It is important, for both providers and also customers of testing services, to assess the quality and maturity of test services and subsequently improve them. Method: Motivated by a real industrial need in the context of several testing service providers, to assess the maturity of their software testing services, we chose the existing CMMI for Services maturity model (CMMI-SVC), and conducted a case study using it in the context of two Turkish testing service providers. Results: The case-study results show that maturity appraisal of testing services using CMMI-SVC was helpful for both companies and their test management teams by enabling them objectively assess the maturity of their testing services and also by pinpointing potential improvement areas. Conclusion: We empirically observed that, after some minor customization, CMMI-SVC is indeed a suitable model for maturity appraisal of testing services.

Souradeep Bhattacharya,Burhan Hyder,Manimaran Govindarasu

DOI: https://doi.org/10.48550/arXiv.2211.15842

2022-11-29

Abstract:Industrial Control System (ICS) testbeds serve as a platform for evaluating and validating control system performances, cybersecurity tools and technologies. In order to build or enhance an ICS testbed, it is vital to have a deeper understanding of its design specifications and characteristic attributes. Satisfying this prerequisite involves examination and assessment of these attributes for existing testbeds. To further increase confidence in a testbed's functionality, it is important to perform a comparative analysis of its specifications with other ICS testbeds. However, at present, there is no standardized methodology available to provide a comparative assessment of different testbeds. In this paper, we propose a methodology for analyzing ICS testbeds, inspired by the Cybersecurity Capability Maturity Model (C2M2). In particular, we then define a ICS Cybersecurity Testbed Maturity Model, its domains, and the associated maturity indicator levels. To demonstrate the benefit of the model, we have conducted a case study analysis for several ICS testbeds, representing different industrial sectors. Our analysis provides deeper insights into the relative strengths and limitations of these testbeds, together with scope for future enhancements, with respect to the domains defined by the model.

Systems and Control

Ricardo M. Czekster

2024-09-05

Abstract:DevOps (development and operations), has significantly changed the way to overcome deficiencies for delivering high-quality software to production environments. Past years witnessed an increased interest in embedding DevOps with cybersecurity in an approach dubbed secure DevOps. However, as the practices and guidance mature, teams must consider them within a broader risk context. We argue here how secure DevOps could profit from engaging with risk related activities within organisations. We focus on combining Risk Assessment (RA), particularly Threat Modelling (TM) and apply security considerations early in the software life-cycle. Our contribution provides a roadmap for enacting secure DevOps alongside risk objectives, devising informed ways to improve TM and establishing effective security underpinnings in organisations focusing on software products and services. We aim to outline proven methods over the literature on the subject discussing case studies, technologies, and tools. It presents a case study for a real-world inspired organisation employing the proposed approach with a discussion. Enforcing these novel mechanisms centred on security requires investment, training, and stakeholder engagement. It requires understanding the actual benefits of automation in light of Continuous Integration/Continuous Delivery settings that improve the overall quality of software solutions reaching the market.

Software Engineering,Cryptography and Security

Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Alexander Kott,Curtis Arnold

DOI: https://doi.org/10.48550/arXiv.1512.07937

2015-12-25

Abstract:We review the current status and research challenges in the area of cyber security often called continuous monitoring and risk scoring (CMRS). We focus on two most salient aspects of CMRS. First, continuous collection of data through automated feeds; hence the term continuous monitoring. Typical data collected for continuous monitoring purposes include network traffic information as well as host information from host-based agents. Second, analysis of the collected data in order to assess the risks - the risk scoring. This assessment may include flagging especially egregious vulnerabilities and exposures, or computing metrics that provide an overall characterization of the network's risk level. Currently used risk metrics are often simple sums or counts of vulnerabilities and missing patches. The research challenges pertaining to CMRS fall mainly into two categories. The first centers on the problem of integrating and fusing highly heterogeneous information. The second group of challenges is the lack of rigorous approaches to computing risk. Existing risk scoring algorithms remain limited to ad hoc heuristics such as simple sums of vulnerability scores or counts of things like missing patches or open ports, etc. Weaknesses and potentially misleading nature of such metrics are well recognized. For example, the individual vulnerability scores are dangerously reliant on subjective, human, qualitative input, potentially inaccurate and expensive to obtain. Further, the total number of vulnerabilities may matters far less than how vulnerabilities are distributed over hosts, or over time. Similarly, neither topology of the network nor the roles and dynamics of inter-host interactions are considered by simple sums of vulnerabilities or missing patches.

Cryptography and Security

İlgi Keskin Kaynak,Evren Çilden,Selin Aydin

DOI: https://doi.org/10.1007/978-3-030-28005-5_39

2019-01-01

Abstract:CI (Continuous Integration) is a development practice that provides an efficient and effective basis for the whole SDLC (Software Development Life Cycle) [1]. We intended to improve quality of the software by means of process automation throughout CI infrastructure. Process automation let the improvement team to quantify the data that was collected automatically. By means of the autonomous SDLC via CI practices, we realized the benefits of the CI based process automation from quality assurance perspective. This paper is prepared to share the results of those quality improvement practices on SPI Manifesto basis. Main objective of this study is to improve the quality of the software. DDE (Defect Detection Effectiveness) and DD (Defect Density) metrics are collected for this purpose. These metrics are collected to evaluate the benefits of process automation till the end of the CSCI (Computer Software Configuration Item) tests. Benefits of the improvement study is emphasized quantitatively to enlighten the planned future work on software quality improvement.

Stoiber, Christoph

DOI: https://doi.org/10.1007/s12599-023-00805-y

2023-04-01

Business & Information Systems Engineering

Abstract:Maturity models are valuable management tools for assessing and managing capabilities and therefore creating a basis for their identification, prioritization, and further development. Numerous maturity assessment methods have been developed to support organizations in applying maturity models. However, these methods are mostly used for unique assessments and only provide a snapshot of the current state of capabilities and their maturity. Certainly, this does not reflect the continuous change of capabilities within dynamic organizational environments. Moreover, the systematic selection of suitable maturity models and the identification of the actions that should be targeted following the maturity assessment require more attention. To fill these research gaps, this study proposes the generally applicable Continuous Maturity Assessment Method (CMAM) that enables comprehensive and continuous maturity assessments. The CMAM comprises five steps that extend and advance existing principles of maturity assessment and can be implemented as an organizational routine. The rigorous development of the CMAM followed basic principles of the design science research methodology, including an evaluation of six organizations in different industry sectors and an extensive industrial case study.

computer science, information systems

Jack Tilbury,Stephen Flowerday

DOI: https://doi.org/10.3390/jcp4030020

2024-07-01

Journal of Cybersecurity and Privacy

Abstract:The continuous integration of automated tools into security operation centers (SOCs) increases the volume of alerts for security analysts. This amplifies the risk of automation bias and complacency to the point that security analysts have reported missing, ignoring, and not acting upon critical alerts. Enhancing the SOC environment has predominantly been researched from a technical standpoint, failing to consider the socio-technical elements adequately. However, our research fills this gap and provides practical insights for optimizing processes in SOCs. The synergy between security analysts and automation can potentially augment threat detection and response capabilities, ensuring a more robust defense if effective human-automation collaboration is established. A scoping review of 599 articles from four databases led to a final selection of 49 articles. Thematic analysis resulted in 609 coding references generated across four main themes: SOC automation challenges, automation application areas, implications on analysts, and human factor sentiment. Our findings emphasize the extent to which automation can be implemented across the incident response lifecycle. The SOC Automation Matrix represents our primary contribution to achieving a mutually beneficial relationship between analyst and machine. This matrix describes the properties of four distinct human-automation combinations. This is of practical value to SOCs striving to optimize their processes, as our matrix mentions socio-technical system characteristics for automated tools.

computer science, information systems, interdisciplinary applications, software engineering

Håvard Jakobsen Ofte

DOI: https://doi.org/10.1007/s10207-024-00872-6

2024-07-19

International Journal of Information Security

Abstract:Abstract Security operation centers (SOCs) are increasingly established to meet the growing threat against cyber security. The operators of SOCs respond to complex incidents under time constraints. Within critical infrastructure, the consequences of human error or low performance in SOCs may be detrimental. In other domains, situation awareness (SA) has proven useful to understand and measure how operators use information and decide the correct actions. Until now, SA research in SOCs has been restricted by a lack of in-depth studies of SA mechanisms. Therefore, this study is the first to conduct a goal-directed task analysis in a SOC for critical infrastructure. The study was conducted through a targeted series of unstructured and semi-structured interviews with SOC operators and their leaders complemented by a review of documents, incident reports, and in situ observation of work within the SOC and real incidents. Among the presented findings is a goal hierarchy alongside a complete overview of the decisions the operators make during escalated incidents. How the operators gain and use SA in these decisions is presented as a complete set of SA requirements. The findings are accompanied by an analysis of contextual differences in how the operators prioritize goals and use information in network incidents and security incidents. This enables a discussion of what SA processes might be automated and which would benefit from different SA models. The study provides a unique insight into the SA of SOC operators and is thus a steppingstone for bridging the knowledge gap of Cyber SA.

computer science, information systems, theory & methods, software engineering

Alireza Shojaifar,Samuel A. Fricker,Martin Gwerder

DOI: https://doi.org/10.48550/arXiv.2007.07602

2020-07-15

Computers and Society

Abstract:Cybersecurity is essential for the protection of companies against cyber threats. Traditionally, cybersecurity experts assess and improve a company's capabilities. However, many small and medium-sized businesses (SMBs) consider such services not to be affordable. We explore an alternative do-it-yourself (DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC, implements the Self-Determination Theory (SDT) to guide and motivate SMBs to adopt good cybersecurity practices. CYSEC uses assessment questions and recommendations to communicate cybersecurity knowledge to the end-user SMBs and encourage self-motivated change. In this paper, the operationalisation of SDT in CYSEC is presented and the results of a multi-case study shown that offer insight into how SMBs adopted cybersecurity practices with CYSEC. Effective automated cybersecurity communication depended on the SMB's hands-on skills, tools adaptedness, and the users' willingness to documenting confidential information. The SMBs wanted to learn in simple, incremental steps, allowing them to understand what they do. An SMB's motivation to improve security depended on the fitness of assessment questions and recommendations with the SMB's business model and IT infrastructure. The results of this study indicate that automated counselling can help many SMBs in security adoption. The final publication is available at Springer via https://link.springer.com/chapter/10.1007%2F978-3-030-59291-2_8

Fatih Bildirici,Keziban Seckin Codal

DOI: https://doi.org/10.48550/arXiv.2306.13964

2023-06-24

Abstract:The advancements in the software industry, along with the changing technologies, methods, and conditions, have particularly brought forth a perspective that prioritizes the improvement of all stages of the software development lifecycle by approaching the process through automation. In particular, methods such as agile methodologies and DevOps, which focus on collaboration, automation, and efficient software production, have become crucial for the software industry. In particular, the understanding of utilizing principles such as distribution management, collaboration, parallel development, and end-to-end automation in agile software development, and DevOps techniques has emerged. In this study, one of these areas, software configuration management, and the integration of modern software development practices such as agile and DevOps are addressed. The aim of this study is to examine the differences and benefits that innovative methods bring to the software configuration management field when compared to traditional methods. To this end, a project is taken as a basis, and with the integration of DevOps and agile methodologies, improvements are made and the results are compared with the previous state. As a result of monitoring software configuration management with the integration of DevOps and agile methodologies, improvements are seen in the build and deployment time, automated report generation, more accurate and fault-free version management, completely controlling the software system, working time and workforce efficiency.

Software Engineering

Marco Angelini,Silvia Bonomi,Alessandro Palma

DOI: https://doi.org/10.48550/arXiv.2207.03269

2022-07-07

Abstract:Cyber risk assessment is a fundamental activity for enhancing the protection of an organization, identifying and evaluating the exposure to cyber threats. Currently, this activity is carried out mainly manually and the identification and correct quantification of risks deeply depend on the experience and confidence of the human assessor. As a consequence, the process is not completely objective and two parallel assessments of the same situation may lead to different results. This paper takes a step in the direction of reducing the degree of subjectivity by proposing a methodology to support risk assessors with an automatic review of the produced assessment. Our methodology starts from a controls-based assessment performed using well-known cybersecurity frameworks (e.g., ISO 27001, NIST) and maps security controls over infrastructural aspects that can be assessed automatically (e.g., ICT devices, organization policies). Exploiting this mapping, the methodology suggests how to identify controls needing revision. The approach has been validated through a case study from the healthcare domain and a set of statistical analyses.

Cryptography and Security

Karri Naveen,Rohan Senanayake,Chithirai Pon Selvan

DOI: https://doi.org/10.1088/1757-899X/1104/1/012038

2021-04-08

IOP Conference Series: Materials Science and Engineering

Abstract:Continual improvement is the most significant element of ISO 9001. Inadequate research studies are found to make the assessment of Continual Improvement of certified organizations through an onsite audit. Researcher has spent 386 mandays onsite conducting audit of 200 organization to determine the conformance to the criteria laid in ISO 9001:2015. This research study is based on primary data obtained through process observation, reviewing documented information and interviewing concern professionals including the top management. The key factors determined for continual improvement were analyzed to confirm effectiveness, adequacy and suitability of the quality management system. The outcome of the audit was measured against the conformity assessment variable influencing the continual improvement of the quality management system. Research data was analyzed by using the simplest statistical software "Jamovi". The compliance with the criteria for outcome of the management review, non conformity and corrective action were mapped against the five point Likert scale.

Florian Angermeir,Jannik Fischbach,Fabiola Moyón,Daniel Mendez

2024-08-01

Abstract:Context: Continuous Software Engineering is increasingly adopted in highly regulated domains, raising the need for continuous compliance. Adherence to especially security regulations -- a major concern in highly regulated domains -- renders Continuous Security Compliance of high relevance to industry and research. Problem: One key barrier to adopting continuous software engineering in the industry is the resource-intensive and error-prone nature of traditional manual security compliance activities. Automation promises to be advantageous. However, continuous security compliance is under-researched, precluding an effective adoption. Contribution: We have initiated a long-term research project with our industry partner to address these issues. In this manuscript, we make three contributions: (1) We provide a precise definition of the term continuous security compliance aligning with the state-of-art, (2) elaborate a preliminary overview of challenges in the field of automated continuous security compliance through a tertiary literature study, and (3) present a research roadmap to address those challenges via automated continuous security compliance.

Software Engineering

Mazen Mohamad

DOI: https://doi.org/10.48550/arXiv.2409.04474

2024-09-05

Abstract:Security Assurance Cases (SAC) are structured bodies of arguments and evidence used to reason about security properties of a certain artefact. SAC are gaining focus in the automotive domain as the need for security assurance is growing due to software becoming a main part of vehicles. Market demands for new services and products in the domain require connectivity, and hence, raise security concerns. Regulators and standardisation bodies started recently to require a structured for security assurance of products in the automotive domain, and automotive companies started, hence, to study ways to create and maintain these cases, as well as adopting them in their current way of working. In order to facilitate the adoption of SAC in the automotive domain, we created CASCADE, an approach for creating SAC which have integrated quality assurance and are compliant with the requirements of ISO/SAE-21434, the upcoming cybersecurity standard for automotive systems. CASCADE was created by conducting design science research study in two iterative cycles. The design decisions of CASCADE are based on insights from a qualitative research study which includes a workshop, a survey, and one-to-one interviews, done in collaboration with our industrial partners about the needs and drivers of work in SAC in industry, and a systematic literature review in which we identified gaps between the industrial needs and the state of the art. The evaluation of CASCADE was done with help of security experts from a large automotive OEM. It showed that CASCADE is suitable for integration in industrial product development processes. Additionally, our results show that the elements of CASCADE align well with respect to the way of working at the company, and has the potential to scale to cover the requirements and needs of the company with its large organization and complex products

Cryptography and Security,Software Engineering